This page (/xss) is vulnerable to XSS based on the contents of the value parameter. However, on browsers that support Fetch Metadata, this endpoint is only accessible via same-origin navigation. Specifically, requests that violate the Navigation Isolation Policy are rejected with a 403 error.

Note: This is a speculative use of Fetch Metadata, which is less likely to be used in practice than the other restrictions, which focus on preventing cross-origin subresource loads. It may be bypassable via some common patterns, such as exposing sanitized HTML on the same origin, or JavaScript-based open redirects.

You win if you exploit the XSS and execute an alert() on this page in a browser with Fetch Metadata enabled.
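To make the server-side check concrete, here is an added example of a Navigation Isolation Policy gate in front of an endpoint like /xss. It is illustrative code written for this page, not the secmetadata demo's own implementation. The header names and values (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) are the standard Fetch Metadata ones; the exact decision rule (only same-origin navigations pass, requests without the headers are let through because the policy cannot be enforced for them) is an assumption derived from the description above. The sample requests are constructed.

```python
"""Navigation Isolation Policy gate for a reflected-parameter endpoint.

Added example, not the secmetadata demo's code. The policy rule below is an
assumption based on the page: only same-origin navigations may reach /xss;
browsers that do not send Fetch Metadata headers are not blocked.
"""

from html import escape


def violates_navigation_isolation(headers):
    """Return True if Fetch Metadata says the request must be answered 403.

    headers: dict with lowercase header names (the samples below are constructed).
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        # No Fetch Metadata headers: a browser without support or a non-browser
        # client. The policy cannot be enforced, which is exactly the
        # "on browsers supporting Fetch Metadata" caveat on the page.
        return False
    mode = headers.get("sec-fetch-mode", "")
    # Assumption: only a same-origin navigation is acceptable. Same-site,
    # cross-site and browser-initiated ("none") requests are rejected, as are
    # same-origin non-navigation requests (fetch/XHR/subresource loads).
    return not (site == "same-origin" and mode == "navigate")


def handle_xss(headers, query):
    """Toy handler for /xss returning (status, body)."""
    if violates_navigation_isolation(headers):
        return 403, "Navigation Isolation Policy violation"
    value = query.get("value", "")
    # The demo page reflects value unescaped (that is the XSS). This example
    # escapes it, so Fetch Metadata is a second layer rather than the only one.
    return 200, f"<p>value: {escape(value)}</p>"


# Constructed sample requests covering the scenarios the page describes.
SAMPLE_REQUESTS = {
    # Link clicked inside a page on the same origin.
    "same_origin_nav": {"sec-fetch-site": "same-origin",
                        "sec-fetch-mode": "navigate",
                        "sec-fetch-dest": "document"},
    # A link from a data:text/html page, i.e. a cross-site navigation.
    "cross_site_nav": {"sec-fetch-site": "cross-site",
                       "sec-fetch-mode": "navigate",
                       "sec-fetch-dest": "document"},
    # Same-origin fetch()/XHR: same origin, but not a navigation.
    "same_origin_fetch": {"sec-fetch-site": "same-origin",
                          "sec-fetch-mode": "cors",
                          "sec-fetch-dest": "empty"},
    # Browser without Fetch Metadata support: no headers at all.
    "legacy": {},
}


def run_samples():
    """Map each sample request name to the status code the gate returns."""
    payload = {"value": "<script>alert(1)</script>"}
    return {name: handle_xss(h, payload)[0] for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name}: {status}")
```

The "legacy" case is the important caveat: a client that omits the Sec-Fetch-* headers is indistinguishable from a pre-Fetch-Metadata browser, so the gate fails open for it and the page's own output encoding remains the primary defence.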


data:text/html,<a href="https://secmetadata.appspot.com/xss?value=<script> alert(1)</script>" >Test XSS</a>
