Some clients were designed without XSS protection. I believe Coracle sent nsecs to an analytics providers for a while by accident. And a lot of other stuff.