Author writeup. In short: two injections + meta-redirect + CSRF + weird user activation behavior with extension postMessage + scroll to text fragment + lazy-loading image.