@SeanWrightSec Only if I can access that page directly *and* I know the creds. If you visit my site iamevil.invalid and I embed an image/iframe with url router.home/login then your browser goes to that. If you've an active session on it (or a remember me cookie) then you'll end up 1/