XSS in Google Finance

On July 11 2013, I reported to Google Security a XSS vulnerability I discovered in google.commain domain, which required no user interaction.

It is due to a glitch in Google Finance, which is hosted on google.com/finance, that allows to trick the Javascript application for plotting charts (in particular, sourcefile /finance/f/sfe-opt.js) to load a file hosted on an external domain and eval()