Tags: xss cookies 

Rating: 5.0

See [https://blog.bawolff.net/2024/02/la-ctf-write-up-ctf-wiki.html](https://blog.bawolff.net/2024/02/la-ctf-write-up-ctf-wiki.html) for full details.

Essentially, there is an XSS that is only present when logged out. Use an iframe to view the XSS page logged out. Inside that iframe, make a blob URL of an HTML document containing a script, then navigate the parent window to that blob URL. The script in the blob URL can now make AJAX requests with cookies: the blob has the same origin as the site that created it but is now top-level, so under cache partitioning it is in the same partition as the main site instead of being considered an embedded context.

Original writeup (https://blog.bawolff.net/2024/02/la-ctf-write-up-ctf-wiki.html).