

Cookies are usually scoped to a specific domain. If they are scoped to the parent domain, they can be used in any subdomain. This could have security implications if the cookie can be used somewhere it shouldn’t be.
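
The scoping rule above, as an added example that is not part of the original notes: it follows the RFC 6265 domain-match rule to show which hosts receive a cookie set with a parent Domain attribute compared with a host-only cookie. The host names, cookie values and function names are constructed for illustration.

```javascript
// Added example (not from the original notes). Host names are constructed samples.
// Models RFC 6265 domain matching; public-suffix checks are not modelled.

// True when host equals domain or is a subdomain of it (label boundary required).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Work out the scope a browser stores for a Set-Cookie value received from originHost.
// Returns null when the cookie is rejected.
function cookieScope(setCookie, originHost) {
  let domain = null;
  for (const attr of setCookie.split(";").slice(1)) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue;
    const name = attr.slice(0, eq).trim().toLowerCase();
    const value = attr.slice(eq + 1).trim().replace(/^\./, "").toLowerCase();
    if (name === "domain" && value) domain = value;
  }
  // No Domain attribute: host-only cookie, sent back to the exact origin host only.
  if (domain === null) return { hostOnly: true, domain: originHost.toLowerCase() };
  // A host may only set Domain to itself or one of its parent domains.
  if (!domainMatch(originHost, domain)) return null;
  return { hostOnly: false, domain };
}

// Hosts from `hosts` that would receive the cookie on a request.
function hostsReceiving(setCookie, originHost, hosts) {
  const scope = cookieScope(setCookie, originHost);
  if (scope === null) return [];
  return hosts.filter((h) =>
    scope.hostOnly ? h.toLowerCase() === scope.domain : domainMatch(h, scope.domain)
  );
}

const HOSTS = ["example.com", "app.example.com", "uploads.example.com", "notexample.com"];
const parentScoped = "session=abc123; Domain=example.com; Secure; HttpOnly";
const hostOnly = "session=abc123; Secure; HttpOnly";

console.log(hostsReceiving(parentScoped, "app.example.com", HOSTS));
console.log(hostsReceiving(hostOnly, "app.example.com", HOSTS));
console.log(hostsReceiving("session=abc123; Domain=example.org", "app.example.com", HOSTS));
```

Leaving out the Domain attribute keeps a session cookie on the host that set it, so a sibling subdomain never sees it.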

HTML


Content Sniffing



Always specify the MIME type and encoding

Same origin policy



Message handling is rare, but it is a place to look for bugs

CORS

A good place to get vulns

CSRF

Not very common


Referer headers are unreliable



Apps shouldn’t change state with GET requests - CSRF is broken in that case

