Comment 7 for bug 1407092

Adam, lets reiterate in this bug and another similar one - https://bugs.launchpad.net/mos/+bug/1407093

So, for Cinder and Neutron APIs it is true that if user sends request containing javascript, he will receive response containing the same javascipt. There is no victim in that scenario. So, how that could be exploited?