PoC: F-002 + F-008 — CSRF + CORS Chain

This page demonstrates that any website can make authenticated requests to a Pangolin instance on behalf of a logged-in user, due to a hardcoded CSRF token and CORS allowing all origins with credentials.

How this works:
1. F-008 (CORS): The Pangolin server reflects whatever Origin the request carries back in Access-Control-Allow-Origin (here, this page's origin) and sets Access-Control-Allow-Credentials: true, so the browser attaches and exposes the user's session cookies to any requesting origin.
2. F-002 (CSRF): The CSRF "protection" checks for the header X-CSRF-Token: x-csrf-protection — a static, publicly known string.
3. JavaScript on any website can set custom headers via fetch(). Because the server's CORS policy accepts the origin, the preflight for the X-CSRF-Token header succeeds, so a hardcoded token that every site can send provides zero protection.

Result: Any website you visit while logged into Pangolin can perform any action you can — create invites, modify resources, change roles, etc.