CORS vulnerable page

This page is vulnerable to cross-origin resource sharing (CORS) attacks.

When this page is requested, the response’s Access-Control-Allow-Origin header is set to the value of the request’s Origin header, or "*" if none is specified.

You can see this by inspecting the page’s headers in your browser's Developer Tools, or by sending a customised request using Burp Suite, Postman or online in ReqBin.