This page is served from origin — an origin that is not id1.app.anaplan.com.
It opens a victim's Springboard board designer (top-level navigation, so the victim's SameSite=Lax Anaplan session cookies flow and the board loads authenticated), then sends cross-window postMessage tool calls to it.
Because the designer's message listener performs no event.origin check, the calls are executed in the victim's authenticated session. Success = a toast reading CROSS-ORIGIN-CSRF-PROOF appears on the victim's board.
This page collects and stores nothing. It only calls window.open() and postMessage() against the URL above.