The /api/csrf endpoint is deliberately left vulnerable to CSRF: it has no request-level defence of its own, only the Resource Isolation Policy described below. The Subtract and Add buttons below send POST requests to this endpoint, and each successful request updates the account balance.

Requests that violate the Resource Isolation Policy (a server-side check on the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers that browsers with Fetch Metadata attach to every request) are rejected with a 403 error.

You win if you execute a successful CSRF attack against /api/csrf, that is, if you update the account balance from a cross-origin attack page in a browser that sends Fetch Metadata.


Your account balance: 10000

Subtract (the data: URL attack page opened by the button, which POSTs a withdrawal to the endpoint):
data:text/html,<form action="https://secmetadata.appspot.com/api/csrf?amount=10&action=withdraw" method="POST"><input type="submit"/></form>

Add (the data: URL attack page opened by the button, which POSTs a deposit to the endpoint):
data:text/html,<form action="https://secmetadata.appspot.com/api/csrf?amount=10&action=add" method="POST"><input type="submit"/></form>
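The following is an added example, not the demo site's own server code, showing the kind of Resource Isolation Policy the page describes: a check on the Sec-Fetch-* headers placed in front of a hypothetical /api/csrf handler. The handler, its query parameters (amount, action, mirroring the URLs above), the 405 and 400 responses, and the request literals are assumptions made for illustration; the header names and values are the real Fetch Metadata ones. The first constructed request is what a browser with Fetch Metadata sends for the data: URL form above: a data: document has an opaque origin, so the browser labels the submission cross-site, and the policy rejects it with 403.

```javascript
// Added example (not the demo site's code): Fetch Metadata based
// Resource Isolation Policy in front of a hypothetical /api/csrf handler.

// Resource Isolation Policy: decide purely from Sec-Fetch-* headers
// whether a request is allowed to reach the application at all.
function isRequestAllowed(req) {
  const h = req.headers;
  const site = h['sec-fetch-site'];
  // Browsers without Fetch Metadata send no header. Allowing them keeps
  // old clients working, so some other CSRF defence must cover them.
  if (site === undefined) return true;
  // Same-origin, same-site and browser-initiated (none) requests are fine.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // Cross-site: only plain top-level GET navigations pass, and not those
  // that load the response into an <object> or <embed>.
  if (h['sec-fetch-mode'] === 'navigate' && req.method === 'GET' &&
      !['object', 'embed'].includes(h['sec-fetch-dest'])) return true;
  return false;
}

// Parse amount/action from the query string (assumed shape, as in the demo URLs).
function parseParams(url) {
  const q = new URL(url, 'https://secmetadata.appspot.com').searchParams;
  return { amount: Number(q.get('amount')), action: q.get('action') };
}

// Hypothetical /api/csrf handler: returns the HTTP status and the resulting balance.
function handleCsrf(req, balance) {
  if (!isRequestAllowed(req)) return { status: 403, balance };
  // The policy's navigation exemption lets cross-site GET navigations
  // through, so a state-changing endpoint must refuse anything but POST.
  if (req.method !== 'POST') return { status: 405, balance };
  const { amount, action } = parseParams(req.url);
  if (!Number.isFinite(amount) || amount <= 0) return { status: 400, balance };
  if (action === 'add') return { status: 200, balance: balance + amount };
  if (action === 'withdraw') return { status: 200, balance: balance - amount };
  return { status: 400, balance };
}

// Constructed requests (not captured traffic).
// Submission of the data: URL attack form above: cross-site form navigation.
const attackFormPost = {
  method: 'POST',
  url: '/api/csrf?amount=10&action=withdraw',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' },
};
// fetch() from a cross-origin attack page.
const attackFetchPost = {
  method: 'POST',
  url: '/api/csrf?amount=10&action=withdraw',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' },
};
// The legitimate Subtract button on the site itself.
const legitimatePost = {
  method: 'POST',
  url: '/api/csrf?amount=10&action=withdraw',
  headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' },
};
// A cross-site link click: the policy allows it, the handler must not act on GET.
const crossSiteGetNav = {
  method: 'GET',
  url: '/api/csrf?amount=10&action=withdraw',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' },
};
// A browser with no Fetch Metadata support: the policy cannot help here.
const legacyBrowserPost = { method: 'POST', url: '/api/csrf?amount=10&action=withdraw', headers: {} };

for (const [name, req] of Object.entries({ attackFormPost, attackFetchPost, legitimatePost, crossSiteGetNav, legacyBrowserPost })) {
  console.log(name, handleCsrf(req, 10000));
}
```

The last case is the caveat that matters in practice: the policy is a defence-in-depth layer that only works for clients sending Fetch Metadata, which is exactly why the challenge restricts the win condition to such a browser. The crossSiteGetNav case shows why state-changing endpoints must be POST-only when this policy is the only CSRF defence.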