Scenario: I have a server at home which is listening on port 80 out to the WWW.
I also have a domain name for my webserver. The webserver is not publicly available, not in Google etc. Basically, you have to know either the domain name or IP to get into it.
Well if I were to run a few clientside attack's on my webserver for testing purposes only and someone out of pure curiousity visits my server because he looked over my shoulder when I was on the site, would that be his own fault or me committing a crime?