The /api/xssi endpoint is vulnerable to XSSI. The endpoint returns
var secret = "s3cr3t".
Requests in violation of the Resource Isolation Policy will be rejected with a 403 error.
You win if you exploit the XSSI bug and read the contents of the secret variable from a cross-origin attack page on a browser with Fetch Metadata enabled.
data:text/html,<script src="https://secmetadata.appspot.com/api/xssi"> </script>
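For the server side of the 403 rule above, here is an added example (not the challenge server's code) of a Resource Isolation Policy check driven by Fetch Metadata headers. The rule set, the function names, the navigable parameter and the sample requests are assumptions constructed for illustration; the page does not show the policy the server actually applies.

```python
# Added example: a Resource Isolation Policy decision based on Fetch Metadata.
# Assumption: the rule set below is illustrative; the real server policy is
# not shown on the page.

TRUSTED_SITES = {"same-origin", "same-site", "none"}


def is_allowed(method, headers, navigable=True):
    """Return True if the request passes the isolation policy.

    navigable=False (hypothetical knob) is for API endpoints that are never
    meant to be opened as a top-level page, so cross-site navigations to
    them are rejected as well.
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # No Fetch Metadata sent (older browser or non-browser client).
        return True
    if site in TRUSTED_SITES:
        # Same-origin, same-site, or user-initiated (address bar, bookmark).
        return True
    # Cross-site from here on: only plain top-level navigations may pass.
    is_navigation = (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() == "GET"
        and h.get("sec-fetch-dest") not in ("object", "embed")
    )
    return navigable and is_navigation


def status_for(method, headers, navigable=True):
    """Map the policy decision to the HTTP status the server would send."""
    return 200 if is_allowed(method, headers, navigable) else 403


# Constructed sample: headers a browser attaches to a cross-origin
# <script src=...> load of the endpoint.
SCRIPT_LOAD = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
               "Sec-Fetch-Dest": "script"}
# Constructed sample: a cross-site link click (top-level navigation).
LINK_CLICK = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
              "Sec-Fetch-Dest": "document"}

if __name__ == "__main__":
    print("script load:", status_for("GET", SCRIPT_LOAD))
    print("link click:", status_for("GET", LINK_CLICK))
    print("link click, API-only endpoint:", status_for("GET", LINK_CLICK, navigable=False))
```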