Re: APIs not to blame
"The APIs used in this case aren't the vulnerability, they just expose it"
No they expose the attack vector, the process of exposing that attack vector is the vulnerability and in this case the API implementation within the browser is the vulnerability.