🌐 Two-tab Browser View — BankAPI + attacker.evil

🔒 bankapi.com

Account Dashboard

Logged in as victim_42. Your auth token: secret-token-XYZ.

/api/me CORS headers (response to a request carrying Origin: https://attacker.evil):
Access-Control-Allow-Origin: https://attacker.evil   (reflects whatever Origin the request carried)
Access-Control-Allow-Credentials: true

⚠ attacker.evil

"Free game cheats!" 🎮

Looks innocent. Behind the scenes, a script on this page can call fetch("https://bankapi.com/api/me", { credentials: "include" }). Because bankapi.com echoes the attacker's Origin and sets Allow-Credentials: true, the browser attaches the victim's bankapi.com cookies and lets the attacker's script read the response body. Either header alone would be far less dangerous; the reflected origin combined with credentials is what turns a CORS misconfiguration into an account-data leak.