Showcasing the trick described on the following page in a vulnerable application: https://book.jorianwoltjer.com/languages/javascript/postmessage-exploitation#bypassing-window.origin-using-null-origin
Host the application quickly using the following command:
php -S 0.0.0.0:8000
Then visit the vulnerable domain at http://localhost:8000, and the attacker's domain at http://127.0.0.1:8000/exploit.html.
Both URLs are served by the same PHP server, but the browser treats them as different origins because their hosts (localhost and 127.0.0.1) differ.
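The origin comparison behind this setup, as an added example that is not part of the original application: it contrasts a handler check that compares the sender's origin with the receiver's own origin against one that pins a fixed origin and rejects `null`. `EXPECTED_ORIGIN`, the function names and the sample URLs are assumptions for illustration.

```javascript
// Added example: EXPECTED_ORIGIN and all function names are assumptions.
const EXPECTED_ORIGIN = "http://localhost:8000";

// Serialize a URL to its origin (scheme + host + port). Schemes without a
// host, such as data:, have an opaque origin that serializes to "null".
function originOf(url) {
  return new URL(url).origin;
}

// Weak pattern: accept a message when the sender's origin equals the
// receiver's own origin. Origins reach the handler as strings, so two
// opaque origins compare equal ("null" === "null").
function naiveCheck(eventOrigin, windowOrigin) {
  return eventOrigin === windowOrigin;
}

// Hardened pattern: compare against a fixed origin and never accept "null".
function strictCheck(eventOrigin, expected = EXPECTED_ORIGIN) {
  return eventOrigin !== "null" && eventOrigin === originOf(expected);
}

// Constructed samples: [sender URL, receiver's window.origin at that moment].
const SAMPLES = [
  ["http://localhost:8000/", "http://localhost:8000"],
  ["http://127.0.0.1:8000/exploit.html", "http://localhost:8000"],
  ["data:text/html,constructed", "null"], // receiver itself has an opaque origin
];

// Run both checks over every sample and return the verdicts.
function evaluate() {
  return SAMPLES.map(([senderUrl, windowOrigin]) => {
    const eventOrigin = originOf(senderUrl);
    return {
      eventOrigin,
      naive: naiveCheck(eventOrigin, windowOrigin),
      strict: strictCheck(eventOrigin),
    };
  });
}

console.table(evaluate());
```

Only the pinned check treats the third row as untrusted; the self-comparison accepts it because both sides are the string `null`.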