This page contains two
callbackis the value of the query parameter called "callback".
srcattribute of the
scripttag supplies a query parameter
callback=funcwhich may trick some scanners into thinking that the endpoint is vulnerable (as the response begins with the value of a query parameter).