Submits POSTs from this page to a sibling caesium subdomain so tungsten can apply
a distinct policy (isolate, block, allow) to the target hostname. Exercises both top-level form
navigation (sec-fetch-mode: navigate) and programmatic fetch/XHR POSTs
(sec-fetch-mode: cors). Use the preset buttons below to switch between policy
targets; target hostnames inherit the current page's protocol and port so the same page works
locally and in prod.
Page origin: . caesium serves identical content on every
hostname; all policy routing happens in tungsten based on the target URL below.
Real browser form submission to the target hostname. This is the canonical POST isolation case: tungsten sees a navigation-kind POST and (if policy says so) rewrites it through safeview. Response renders in the iframe or a new tab depending on the target frame.
Programmatic cross-origin POST. For application/json the browser
sends a CORS preflight (OPTIONS) first; caesium responds permissively. text/plain and
multipart/form-data are CORS-simple and skip preflight. Response shown inline.