An XS-Leak doesn't steal data directly — it asks a logged-in victim's browser a
yes/no question about another site and reads the answer through a side channel the
Same-Origin Policy never covered. Here the secret is: "Is the visitor an admin on
target.example?" Pick an oracle, then toggle the target's defenses and watch the
side channel open or close. Everything is modeled — nothing is fetched.
Tip: not every defense applies to every oracle — that's the lesson. You need the right lock for the right door.
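As an added illustration of that lesson (not part of the original page or its simulator), the model below pairs three well-known oracle classes with four common defenses and reports which side channels stay open for a given configuration. The target is constructed for the example: its admin view embeds one extra iframe, and it serves `/admin/stats.js` with 200 only to admins; nothing is fetched.

```python
"""Which defense closes which XS-Leak oracle. Constructed target: admin view has
2 frames, non-admin view 1 frame, login page 0 frames; /admin/stats.js is 200
for admins and 403 otherwise. Purely a model, no network traffic."""
from dataclasses import dataclass

@dataclass
class Defenses:
    samesite_lax: bool = False   # session cookie set with SameSite=Lax
    coop: bool = False           # Cross-Origin-Opener-Policy: same-origin
    xfo_deny: bool = False       # X-Frame-Options: DENY (or CSP frame-ancestors 'self')
    corp: bool = False           # Cross-Origin-Resource-Policy: same-origin

ORACLES = ("window.open frame count", "iframe frame count", "script error event")

def observe(oracle: str, is_admin: bool, d: Defenses) -> str:
    """What a cross-site attacker page observes for one victim state."""
    if oracle == "window.open frame count":
        if d.coop:
            return "opener severed"      # window reference is null, .length unreadable
        # A top-level GET navigation still carries a SameSite=Lax cookie, so the
        # opened window shows the victim's real logged-in view.
        return "2 frames" if is_admin else "1 frame"
    if oracle == "iframe frame count":
        if d.xfo_deny:
            return "frame blocked"
        if d.samesite_lax:
            return "0 frames"            # cookie withheld: login page for everyone
        return "2 frames" if is_admin else "1 frame"
    if oracle == "script error event":
        if d.corp:
            return "error"               # CORP blocks the cross-origin load outright
        if d.samesite_lax:
            return "error"               # no cookie: 403 for admin and non-admin alike
        return "load" if is_admin else "error"
    raise ValueError(f"unknown oracle: {oracle}")

def leaks(oracle: str, d: Defenses) -> bool:
    """The side channel is open iff the two victim states look different."""
    return observe(oracle, True, d) != observe(oracle, False, d)

def open_channels(d: Defenses) -> list:
    """Oracles that still distinguish admin from non-admin under these defenses."""
    return [o for o in ORACLES if leaks(o, d)]

if __name__ == "__main__":
    configs = {"none": Defenses(), "SameSite=Lax only": Defenses(samesite_lax=True),
               "COOP only": Defenses(coop=True),
               "all four": Defenses(samesite_lax=True, coop=True, xfo_deny=True, corp=True)}
    for name, d in configs.items():
        print(f"{name:18} -> still open: {open_channels(d)}")
```

The point to take away is the table the runs print: SameSite=Lax closes two doors but not the window.open one, COOP closes only that one, and only the combination leaves nothing open.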