Security researcher Abdulrahman Alqabandi reported that
the fetch()
API did not correctly implement the Cross-Origin
Resource Sharing (CORS) specification, allowing a malicious page to access
private data from other origins. Mozilla developer Ben Kelly
independently reported the same issue.