Isn't this actually XSRF and worse than XSS?
Also, if users can run arbitrary JS on someone else's server then what stops them from doing CPU-bound work such as crypto miners?
SSRF* sorry typo