Description
If an attacker could extract content from https://hackerone.com, they could perform CSRF attacks, because:
An attacker being allowed to read content but not execute JS could happen if:
Currently, some mitigations are in place: _method isn't allowed in GET requests and the Origin header is checked. This isn't enough, since Firefox and IE don't send the Origin header when submitting forms.
Attack scenario
The most recent (to my knowledge) SOP bypass was the re-implementation of the IE UXSS bug (https://blog.innerht.ml/ie-uxss/). This was working on November 28th, 2015. However, the bug required framing at least one resource, and HackerOne sends X-Frame-Options on all resources. Sadly, HackerOne uses CloudFlare, so the URL https://hackerone.com/cdn-cgi/trace could be used (it doesn't send X-Frame-Options).
So to sum up:
Fix
This could be mitigated by storing the token in JavaScript and adding it to the form after the page has loaded, so that an attacker who can only read the page's content without executing script in its origin does not obtain the token.