I have patched my site to prevent JSON hijacking. During this process, I was interested to see if I could actually exploit this vulnerability.
So I created a foo.html, added a script tag which source attribute referenced my site which I was logged into. I was unable to exploit the vulnerability. I took a look at the network traffic, and I could not see my authentication cookie being passed in the request.
Does this mean that most browsers have fixed the vulnerability? Is there some table that will let me know which browsers have fixed it? Or have I completely misunderstood the vulnerability?