HackerOne: CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Background

- There has been at least one case where an attacker was able to insert arbitrary HTML into a submitted report
- HackerOne uses a very strict Content Security Policy that prevents inline script and script from other origins
- HackerOne uses an authenticity_token in its POSTs to guard...