The goal of this attack POC is to exfiltrate information about a user,
using an attacker-controled website with a crafted Content Security Policy.
This results in disclosing if a targeted user (victim) is logged in on GitHub
You are the victim (no worry: your privacy won't be breached).
You are currently visiting the attacker website (this server is under attacker's control).
This page is the 1st step of the attack. It will redirect the victim to a 2nd step,
adding a token (say, IP) to the URL. This way, attacker can track the user it targets.
Please click the link below, tho a real attack would use an HTTP-header redirection (Location).
step-2.php?ip=97574e377650d15ed150b78d0b5f2306
Note: The token added in this example is a random md5. In practical attack, it could be victim's IP, a session token on attacker's website, or whatever.