we need the attacker domain in the referer header in the last step so because of that here I use window.open to achieve that