yep! in the early days, new web clients were spawning everywhere and many people quickly figured out you could do elementary (script kiddie) xss injection and steal cookies

however in this phase, web clients are more mindful of this and things like alby helps a lot