. . "This is bad because an attacker could get cookie or other information returned by using a carefully crafted request." . .