This page (/xss) is vulnerable to XSS based on the contents of the value parameter. However, on browsers supporting Fetch Metadata this endpoint is only accessible via same-origin navigation. Specifically, requests in violation of the Navigation Isolation Policy will be rejected with a 403 error.
Note: This is a speculative use of Fetch Metadata which is less likely to be used in practice than the other restrictions which focus on preventing cross-origin subresource loads. It may be bypassable via some common patterns such as exposing sanitized HTML in the same origin, or JavaScript-based open redirects.
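A sketch of the server-side check described above, added here as an example and not this site's own code. The function name and sample requests are hypothetical, and rejecting Sec-Fetch-Site: none and non-navigation modes are assumptions drawn from the "same-origin navigation" wording.

```python
from http import HTTPStatus


def navigation_isolation_status(headers):
    """Status a protected endpoint such as /xss should answer with."""
    # Header names are case-insensitive; the values are lowercase tokens.
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # Browser without Fetch Metadata: no signal, so nothing to enforce.
        return HTTPStatus.OK
    if site != "same-origin":
        # cross-site, same-site and (assumption) none are all rejected.
        return HTTPStatus.FORBIDDEN
    if h.get("sec-fetch-mode") != "navigate":
        # Assumption: only navigations pass, not fetch() or subresource loads.
        return HTTPStatus.FORBIDDEN
    # Any navigation started by a same-origin document passes, which is why
    # same-origin HTML or script that triggers navigations weakens the policy.
    return HTTPStatus.OK


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "link clicked on another site": {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"},
    "link clicked on a sibling subdomain": {
        "Sec-Fetch-Site": "same-site", "Sec-Fetch-Mode": "navigate"},
    "URL typed into the address bar": {
        "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate"},
    "link clicked on the same origin": {
        "sec-fetch-site": "same-origin", "sec-fetch-mode": "navigate"},
    "same-origin fetch()": {
        "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"},
    "browser without Fetch Metadata": {"User-Agent": "legacy"},
}


def evaluate(samples=SAMPLES):
    """Map each sample name to the numeric status the policy returns."""
    return {name: int(navigation_isolation_status(h)) for name, h in samples.items()}


if __name__ == "__main__":
    for name, status in evaluate().items():
        print(f"{status}  {name}")
```

The last sample shows the policy's limit: a browser that sends no Fetch Metadata headers gets no protection from this check, so the XSS itself still needs fixing.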
You win if you exploit the XSS and execute an alert() on this page on a browser with Fetch Metadata enabled.
data:text/html,<a href="https://secmetadata.appspot.com/xss?value=<script> alert(1)</script>" >Test XSS</a>