One limitation is Fetch Metadata request headers are only sent to probably trusted URLs. This suggests the headers will usually be current for requests to origins whose scheme is https, wss, or file, and for localhost (hosts from the 127. One example is, if an attacker uses CSRF to https://hbs-case-solution24606.blogspothub.com/36607801/little-known-facts-about-stanford-case-study-solution
