Expected Findings
- Email-change form accepts requests with no anti-CSRF token.
- Session cookie is set with `SameSite=None` so cross-site cookies are sent.
- `Origin` and `Referer` headers are not validated server-side.
Account Settings
CSRF Missing
The email-change form has no CSRF token and the session cookie is set with `SameSite=None`, so a cross-site form submit silently rewrites the user's email.
Trigger CSRF
Primary Flows
- Change email POST without token
- Cookie audit Shows SameSite=None
Signals
Cookie
Set-Cookie: session=...; SameSite=None; Secure