The /api/frame endpoint is vulnerable to clickjacking. The endpoint contains a button which will trigger sensitive functionality when clicked.

Requests in violation of the Navigation Isolation Policy will be rejected with a 403 error.

You win if you execute a successful clickjacking attack against /api/frame and manage to get the user to delete their account on a browser with Fetch Metadata enabled.

data:text/html,<iframe src="">