EVIL-ATTACKER.EXAMPLE — cross-origin MIO data theft

This page is served from a DIFFERENT origin than dice.fm.

It runs a credentialed fetch to https://p-api.staging.dice.fm/graphql.

The victim's browser holds the SameSite=None _kim_key cookie.


running...
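
A page on another origin can read the response to a credentialed fetch only if the API answers with an Access-Control-Allow-Origin header naming that exact origin and Access-Control-Allow-Credentials: true. The sketch below is an added example, not code from this page or from dice.fm; it contrasts an exact-match origin allowlist with the generic origin-reflection anti-pattern. The allowlist entries and function names are assumptions for illustration.

```javascript
// Added example. ALLOWED_ORIGINS is an assumed allowlist, not the real one.
const ALLOWED_ORIGINS = new Set(["https://dice.fm", "https://www.dice.fm"]);

// Hardened policy: emit credentialed CORS headers only for an exact,
// allowlisted origin. Without those headers the browser keeps the response
// body away from the calling page, even though the cookie was sent.
function corsHeadersFor(originHeader) {
  const headers = { Vary: "Origin" }; // caches must key responses on Origin
  if (typeof originHeader !== "string") return headers;
  let parsed;
  try {
    parsed = new URL(originHeader); // "null" and junk values throw here
  } catch {
    return headers;
  }
  // Require the header to be a bare serialized origin (no path, no case
  // tricks), then compare it exactly. No suffix or substring matching.
  if (parsed.origin !== originHeader) return headers;
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return headers;
  headers["Access-Control-Allow-Origin"] = parsed.origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Generic anti-pattern, shown for contrast only: echoing back whatever
// Origin the request carried, with credentials allowed.
function reflectOrigin(originHeader) {
  return {
    Vary: "Origin",
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Browser-side rule for a credentialed fetch: the response is readable only
// if ACAO equals the page's origin exactly ("*" is rejected) and ACAC is "true".
function readableWithCredentials(headers, pageOrigin) {
  return (
    headers["Access-Control-Allow-Origin"] === pageOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}

// Constructed sample origins, evaluated under both policies.
const samples = ["https://dice.fm", "https://evil-attacker.example",
  "https://dice.fm.evil-attacker.example", "null"];
for (const o of samples) {
  console.log(o, "allowlist:", readableWithCredentials(corsHeadersFor(o), o),
    "reflect:", readableWithCredentials(reflectOrigin(o), o));
}
```

Setting SameSite=Lax or Strict on the session cookie is a separate layer: it stops the cookie from being attached to cross-site fetches at all, whatever the CORS policy says.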