/api/cors-open reflects the request's Origin back in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true. That combination lets any website read this response with the victim's cookies.
Trigger: host an attacker page that runs the same credentials:'include' fetch cross-origin and reads the JSON.
Detected by: browser_cdp_cors_test