attacker-controlled origin

This page is served from an origin distinct from the Hubble UI origin (a different host:port). Loading this page in a real headless browser and issuing a credentialed cross-origin fetch to the Hubble UI /api endpoint is the exploit harness's job.