TL;DR The main browsers share their cache between Fetch requests and normal navigation. This means that any request that can be made with Fetch, which produces a cacheable response, can also be used to poison the browser navigation too. Given the right set of circumstances, this approach can unlock a raft of unexploitable vulnerabilities, and make them practical.
Exploiting Cacheable Responses
Exploiting Cacheable Responses
Exploiting Cacheable Responses
TL;DR The main browsers share their cache between Fetch requests and normal navigation. This means that any request that can be made with Fetch, which produces a cacheable response, can also be used to poison the browser navigation too. Given the right set of circumstances, this approach can unlock a raft of unexploitable vulnerabilities, and make them practical.