Ok, here is where I am at after reading the first verse...
A1 - CORS Attacks & CSRF
Figure 2 maintains that the redirect to the selling server is HTTP which I suppose is fine.
I guess the thing is that the redirect needs a user ID and password (which it can get from the initial connection, also called "visit attacker's page").
In Figure 2 this is HTTP, which is easy to do since nothing is encrypted.
The socket is created, the credentials are already there so no problem, except I think this only works on a local network with a directory service.
After all, I don't think you are going to be able to buy anything from Amazon over a non encrypted connection, right?
So I'm thinking this is an inside attack and you won't see it on the internets.
Comments welcome.
More to come as I continue to read through.
Edit: Actually it doesn't even require a directory, it's just using logged-in credentials to make a non-encrypted connection...no problemo.
Edit2:
"XHR can allow doing internal port scanning, CORS policy scan and mounting remote web shell. These vectors are really stealth and silent over the browser."
This is only true if usernames and passwords *and* workgroup/domain names are constant throughout the local network.
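Added example, not code from the post above or from the paper it is reading. It models the mechanism the post keeps circling back to (an attacker's page causing the browser to send a request that carries the victim's already-logged-in credentials) as pure functions you can run in Node: a simplified cookie jar with SameSite rules, the request a cross-site `fetch(..., { credentials: 'include' })` produces, a handler that trusts the session cookie alone beside one that also checks the `Origin` header, and the CORS read check that decides whether the attacker's script can see the response. The origins (`shop.example`, `evil.example`), cookie names and session table are all constructed for the example.

```javascript
// Added example (not from the post or the paper it discusses): a pure-function
// model of CSRF. The browser attaches the target site's cookies to a request
// the attacker's page initiates, so the server sees a valid session and cannot
// tell the request came from its own UI unless it checks something the
// attacker's page cannot forge. All origins, cookies and sessions are constructed.

const TARGET_ORIGIN = 'https://shop.example';   // assumed victim site
const ATTACKER_ORIGIN = 'https://evil.example'; // assumed "attacker's page"

// Constructed server-side session table: cookie value -> logged-in user.
const SESSIONS = { 's3ss10n-abc': 'alice' };

// Constructed browser cookie jar. The SameSite attribute the site set decides
// whether the cookie rides along on cross-site requests.
const DEFAULT_JAR = [
  { domain: 'shop.example', name: 'sid', value: 's3ss10n-abc', sameSite: 'None' },
];

// Simplified SameSite model of which cookies a browser attaches.
//   Strict: never on cross-site requests
//   Lax:    only on cross-site top-level GET navigations, never on fetch/XHR POST
//   None:   always (real browsers additionally require the Secure flag, i.e. HTTPS)
function cookiesFor(jar, targetHost, initiatorOrigin, method, topLevelNav) {
  const sameSite = new URL(initiatorOrigin).hostname === targetHost;
  return jar.filter((c) => {
    if (c.domain !== targetHost) return false;
    if (sameSite) return true;
    if (c.sameSite === 'Strict') return false;
    if (c.sameSite === 'Lax') return topLevelNav && method === 'GET';
    return true; // 'None'
  });
}

// The request a page at initiatorOrigin produces with
// fetch(url, { method, credentials: 'include', body }).
function buildRequest(initiatorOrigin, method, path, body, jar = DEFAULT_JAR) {
  const host = new URL(TARGET_ORIGIN).hostname;
  const cookies = cookiesFor(jar, host, initiatorOrigin, method, false);
  return {
    method,
    path,
    body,
    headers: {
      host,
      origin: initiatorOrigin, // set by the browser; page script cannot override it
      cookie: cookies.map((c) => `${c.name}=${c.value}`).join('; '),
    },
  };
}

function userFromCookie(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  return m ? SESSIONS[m[1]] || null : null;
}

// Vulnerable handler: a valid session cookie is all it asks for.
function transferVulnerable(req) {
  const user = userFromCookie(req);
  if (!user) return { status: 401 };
  return { status: 200, user, debited: req.body.amount, to: req.body.to };
}

// Hardened handler: the request must also carry the site's own Origin.
// A cross-site page arrives with Origin: https://evil.example and is refused.
function transferHardened(req) {
  const user = userFromCookie(req);
  if (!user) return { status: 401 };
  if (req.headers.origin !== TARGET_ORIGIN) return { status: 403, reason: 'cross-site origin' };
  return { status: 200, user, debited: req.body.amount, to: req.body.to };
}

// CORS only governs whether the initiating script may READ the response; the
// request and its side effect have already executed. For a credentialed
// request the wildcard is not accepted: the origin must be echoed back and
// Access-Control-Allow-Credentials must be "true".
function responseReadableBy(initiatorOrigin, responseHeaders, credentialed = true) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (credentialed) {
    return acao === initiatorOrigin && responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === initiatorOrigin;
}

// Walk through the attack from the attacker's page, then the two defences.
function demo() {
  const body = { to: 'mallory', amount: 50 };
  const csrf = buildRequest(ATTACKER_ORIGIN, 'POST', '/transfer', body);
  const legit = buildRequest(TARGET_ORIGIN, 'POST', '/transfer', body);
  const laxJar = DEFAULT_JAR.map((c) => ({ ...c, sameSite: 'Lax' }));
  const csrfLax = buildRequest(ATTACKER_ORIGIN, 'POST', '/transfer', body, laxJar);
  return {
    vulnerableCrossSite: transferVulnerable(csrf).status,   // 200: cookie rode along
    hardenedCrossSite: transferHardened(csrf).status,       // 403: Origin mismatch
    hardenedSameSite: transferHardened(legit).status,       // 200: site's own UI
    laxCookieCrossSite: transferVulnerable(csrfLax).status, // 401: no cookie attached
    attackerCanReadResponse: responseReadableBy(ATTACKER_ORIGIN, {}), // false
  };
}

console.log(demo());
```

The point the model makes concrete: the "logged-in credentials" the post talks about are the cookies, and they travel with the request whether or not the attacker's page can read anything back, so the vulnerable handler debits the account while the attacker's script sees only a CORS error. A server that echoes any `Origin` with `Access-Control-Allow-Credentials: true` hands the response over too, which is what a "CORS policy scan" from the paper would be looking for.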