I've recently read Ned Batchelders article on UTF-7 XSS-attacks. I tested his examples, but could not get any UTF-7 attack to work in modern browsers. I tried recent versions of Firefox, Chrome and Safari so far.
I know that Chrome has some XSS-attack prevention mechanisms but to my experience, Firefox has a more "generous" mechanism of executing javascript, even when it's broken - however, none of these browsers seems to select the UTF-7 charset by default if the site is using (but not explicitly declaring) it.
So: Does anybody know why this is not working anymore? It seems that the UTF-7 detection mechanism has changed, maybe even for security reasons? Can UTF-7 attacks still target modern browsers if there is no way to change charset declaration within the document or manipulate the headers?