Rating: 3.0

Author writeup. In short: two injections + meta-redirect + CSRF + weird user activation behavior with extension postMessage + scroll to text fragment + lazy-loading image.

Original writeup (https://dttw.tech/posts/B19RXWzYL).