When reporting XSS, don't use alert(1)

Let's admit, we all like seeing this:

But while alert(1) is the standard way of confirming that your attempt to inject JavaScript code into a web application succeeded in some way, it does not tell you exactly where that injection executed. That matters a great deal for Google services because of our use of sandboxed domains to safely render some of the content we get from our users or retrieve from the Internet. So, we always recommend that reporters try alert(document.domain) instead. When you do this, you may end up seeing:

Well, as it happens, translate.googleusercontent.com is a sandbox domain used specifically to display translated documents from all over the Internet, so this report won't qualify for a reward! What you really want to see is this:

Knowing the domain helps us tremendously when triaging new reports, especially when they concern services such as Translate, Blogger, Drive, or Ads, all of which make heavy use of sandbox domains to host user content without creating security risks.
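As an added example (not part of the original post, and not Google's triage tooling), here is a small triage helper that takes the value a reporter saw in the dialog, whether from alert(document.domain) or from alert(location.origin), and classifies it as a sandbox host, a primary host, or an unusable value such as the "1" from alert(1). The sandbox suffix list is an assumption for illustration; googleusercontent.com is taken from the post, the rest of the logic is hypothetical.

```javascript
// Assumed list of sandbox suffixes used only for this illustration.
// googleusercontent.com appears in the post; a real list would be maintained by the triage team.
const SANDBOX_SUFFIXES = ["googleusercontent.com"];

// Extract the hostname from whatever the reporter pasted: a bare hostname
// (what alert(document.domain) shows) or a full origin/URL
// (what alert(location.origin) shows, which also carries scheme and port).
function hostFromReport(value) {
  const s = String(value).trim().toLowerCase();
  if (s.includes("://")) {
    return new URL(s).hostname;
  }
  // Strip any path or port a reporter may have appended by hand.
  return s.split("/")[0].split(":")[0];
}

// A host is sandboxed if it equals a sandbox suffix or is a subdomain of one.
function isSandboxHost(host) {
  return SANDBOX_SUFFIXES.some(
    (suffix) => host === suffix || host.endsWith("." + suffix)
  );
}

// Classify a report into one of three kinds so triage can respond consistently.
function classifyXssReport(value) {
  const host = hostFromReport(value);
  if (!host.includes(".")) {
    // alert(1) style evidence: no origin at all, ask for a re-test.
    return { host, kind: "unknown",
      verdict: "no origin shown; please re-test with alert(document.domain)" };
  }
  if (isSandboxHost(host)) {
    return { host, kind: "sandbox",
      verdict: "sandbox domain; does not qualify as XSS on the main origin" };
  }
  return { host, kind: "primary",
    verdict: "primary domain; proceed with full triage" };
}

// Constructed sample reports, as a reporter might paste them.
["1", "translate.googleusercontent.com", "https://www.google.com/"]
  .forEach((v) => console.log(v, "=>", classifyXssReport(v).kind));
```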