TL;DR: Browser misinterprets a path as relative; injected content loaded as CSS / JS from the same origin.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

• https://blog.innerht.ml/rpo-gadgets/