The way it works is by loading a window.onerror handler and then loading a remote site as a <script> tag that will generate a slightly different error when logged in vs. not logged in. That’s pretty clever.
The reason Chris probably chose to add Amazon to this is is because Amazon has a CSRF that will allow you to add any book to the Buy It Now!. Coupled with this script, you can only do it when the attack will actually succeed. Nice.
Hmm, I better check my Amazon account to see if I’ve “accidentally” bought another copy of Chris’s book. 😀