{"service":"credentialed CORS API","hint":"GET /login?user=admin, then GET /flag with an Origin and the session cookie","filter":"regex accepts origins that merely start with a URL containing trusted.com"}