The attacker emails a logged-in victim this link. The URL ends in what looks like a stylesheet, but the path before that final segment is a private account page. Toggle how the origin and CDN behave and watch the outcome: the private page leaks only when the origin serves it for the bogus path and the CDN caches the response because of the .css extension.
GET https://site.com/account/settings/notreal.css
Cookie: session=<victim>