Rodney Beede 2015-10-27 https://www.rodneybeede.com/ business2008+YouMustAddThisPlusPart@NOSPAM@rodneybeede (add the missing dot here) com
Uses JavaScript JSON loading to send the content, following the same idea as CSRF. It is a combination of CSRF and JSON hijacking.
Requirements
Useful for an attacker who perhaps used to have access to a document but later had it revoked. Think of a business employee no longer with the company.
Mitigation: After removing someone's access to a document, make a copy of the existing document, delete the original (and purge it from the trash), and reference only the new document's ID. Also try not to visit sites with hidden content (hard in this age).