Cross-Site Request Forgery from another origin

I’m trying to solve one of the challange of owasp juice shop. After some attempts, I started looking for a solution (this) and it’s exactly what I did, but it doesn’t work.

I’m running on a local docker the app (tried also online, but same problem).

On the console I get

Uncaught DOMException: Permission denied to access property "document" on cross-origin object

and it’s ok since that’s what I’m expecting to see, but when I go in the user profile the username didn’t change. In the network panel of the console I can see the packet being send (for the SOP I can’t see the response), so I don’t know what the problem can be.

What I’m doing wrong?Is my understanding of the attack wrong or is just a problem with the implementation of the webapp?