This page (
/xss) is vulnerable to XSS based on the contents of the
value parameter. However, on browsers supporting Fetch Metadata this endpoint is only accessible via same-origin navigation. Specifically, requests in violation of the Navigation Isolation Policy will be rejected with a 403 error.
You win if you exploit the XSS and execute an alert() on this page on a browser with Fetch Metadata enabled.
data:text/html,<a href="https://secmetadata.appspot.com/xss?value=<script> alert(1)</script>" >Test XSS</a>