Cross-site leaks (XS-Leaks)

Cross-site leaks (also called XS-Leaks) are a class of attack in which an attacker's site can derive information about the target site, or about the user's relationship with the target site, by using web platform APIs that enable sites to interact with one another. The information leaked could include, for example:

Whether the user has visited the target site.
Whether the user is logged into the target site.
What the user's ID on the site is.
What the user has recently searched for on the site.

This might seem to be a much less damaging problem than, for example, a cross-site scripting attack, but it can still have serious consequences for users. For example:

A user might have accounts on websites that they don't want to make public. Leaking this information to an attacker could expose them to extortion or retaliation from an oppressive government (for example, against a user seeking information about specific medical procedures).
Knowing a user has an account on a site, especially if their user ID can be determined, can make a subsequent phishing attack much more convincing.

Unlike other attacks such as XSS or Clickjacking, cross-site leaks are not a single technique. Instead, they are a term for a whole class of attack which exploit weaknesses in the ways that browsers isolate websites from each other.

In this guide we will not attempt to describe every cross-site leak attack and defense. Instead, we'll start by describing a few example attacks, then outline the common underlying weaknesses that enable them, then describe some general defenses that can work against many known attacks.

Sample cross-site leaks

In this section we'll describe three different cross-site leaks, to give an idea of how they work.

const target = document.querySelector("iframe").contentWindow;
const frames = target.length;

const target = document.querySelector(\"iframe\").contentWindow;\nconst frames = target.length;\n"}},{"type":"prose","value":{"id":"leaking_redirects_with_a_csp","title":"Leaking redirects with a CSP","isH3":true,"content":"In some websites, the server will redirect a request, or not, based on whether the user is signed in (or has some special status on the site). For example, imagine a site which shows administrators a page at https://admin.example.org/. If the user is not signed in, and requests this page, then the server might redirect them to https://login.example.org/.\nThis means that if an attacker could determine whether an attempt to load https://admin.example.org/ led to a redirect, then they know whether the user is an administrator on the site.\n

In the attack described here, the attacker uses the Content Security Policy (CSP) feature to detect whether a cross-site request was redirected.\n

\n\nFirst, they create a page governed by a CSP that only allows elements to contain content from <code>https://admin.example.org/.\n\n<li>\n<p>Next, they add an event listener in the page that listens for the <a href=\"/en-US/docs/Web/API/Document/securitypolicyviolation_event\" title=\"securitypolicyviolation\"><code>securitypolicyviolation event.\n\n<li>\n<p>Finally, they create an <a href=\"/en-US/docs/Web/HTML/Reference/Elements/iframe\"><code><iframe> element and set its <code>src attribute to <code>https://admin.example.org/.\n\n\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html<pre class=\"brush: html notranslate\"><code><!DOCTYPE html>\n<html>\n <head>\n <meta\n http-equiv=\"Content-Security-Policy\"\n content=\"frame-src https://admin.example.org/\" />\n </head>\n <body>\n <script>\n document.addEventListener(\"securitypolicyviolation\", () => {\n console.log(\"Page was redirected\");\n });\n const frame = document.createElement(\"iframe\");\n document.body.appendChild(frame);\n frame.src = \"https://admin.example.org/\";\n </script>\n </body>\n</html>\n\n<ul>\n<li>If the user is logged in as an admin, then the <code><iframe> will load, and the browser will not fire <code>securitypolicyviolation.\n<li>If the user is not logged in as admin, the server redirects to <code>https://login.example.org/. Because this URL is not allowed by the attacker's CSP, the browser will block the <code><iframe> and fire the <code>securitypolicyviolation event, and the attacker's event handler will run.\n\n<p>Note that this attack works even if the target site disallows embedding using a mechanism such as <a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors\"><code>frame-ancestors."}},{"type":"prose","value":{"id":"defenses_against_cross-site_leaks","title":"Defenses against cross-site leaks","isH3":false,"content":"<p>Cross-site leaks exploit mechanisms in the web platform which enables websites to interact with each other. Correspondingly, the defenses against cross-site leaks usually involve <em>isolating the target website from potential attackers, by disabling or controlling these cross-site interactions.\n<p>Since cross-site leaks can work in many different ways, there isn't a single defense that will work against all of them. However, there are several practices that will work against many of them, and we will summarize them here."}},{"type":"prose","value":{"id":"fetch_metadata","title":"Fetch metadata","isH3":true,"content":"<p><a href=\"/en-US/docs/Glossary/Fetch_metadata_request_header\">Fetch metadata is the term used for a collection of HTTP request headers which provide information about the context of an HTTP request, including:\n<ul>\n<li><a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site\"><code>Sec-Fetch-Site: Whether the request is same-origin, same-site, or cross-site.\n<li><a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Mode\"><code>Sec-Fetch-Mode: The request's <a href=\"/en-US/docs/Web/API/Request/mode\" title=\"mode\"><code>mode.\n<li><a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-User\"><code>Sec-Fetch-User: Whether the request is a user-initiated navigation.\n<li><a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Dest\"><code>Sec-Fetch-Dest: The request's <a href=\"/en-US/docs/Web/API/Request/destination\" title=\"destination\"><code>destination.\n\n<p>Fetch metadata headers are not a defense mechanism on their own, but enable a server to implement a policy which will deny requests that are used in cross-site leaks as well as other attacks such as <a href=\"/en-US/docs/Web/Security/Attacks/CSRF\">Cross-Site Request Forgery (CSRF) attacks.\n<p>For example, the <a href=\"#leaking_page_existence_using_error_events\">Leaking page existence using error events attack depends on the attacker being able to make cross-site requests to load, as resources, pages that belong to the target:\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js<pre class=\"brush: js notranslate\"><code>// Attempt to load a page in the target as a resource\nconst script = document.createElement(\"script\");\nscript.src = \"https://example.org/admin\";\ndocument.head.appendChild(script);\n\n<p>A server can use Fetch metadata to deny these requests, as in the following <a href=\"/en-US/docs/Learn_web_development/Extensions/Server-side/Express_Nodejs\">Express code:\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js<pre class=\"brush: js notranslate\"><code>function isAllowed(req) {\n // Allow same-origin, same-site, and user-initiated requests\n const secFetchSite = req.headers[\"sec-fetch-site\"];\n if (\n secFetchSite === \"same-origin\" ||\n secFetchSite === \"same-site\" ||\n secFetchSite === \"none\"\n ) {\n return true;\n }\n\n // Allow cross-site navigations, such as clicking links\n const secFetchMode = req.headers[\"sec-fetch-mode\"];\n if (secFetchMode === \"navigate\" && req.method === \"GET\") {\n return true;\n }\n\n // Deny everything else\n return false;\n}\n\napp.get(\"/admin\", (req, res) => {\n res.setHeader(\"Vary\", \"sec-fetch-site, sec-fetch-mode\");\n if (isAllowed(req)) {\n // Respond with the admin page if the user is admin\n getAdminPage(req, res);\n } else {\n res.status(404).send(\"Not found.\");\n }\n});\n\n<p>Since the attacker's request is cross-site and is not a navigation, then this server always returns an error for it, whether the user is signed in or not.\n<p>Note that we also send the <a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Vary\"><code>Vary response header. This ensures that if the response is cached, the cached response will only be given to requests with the same values for the Fetch metadata headers we are using.\n<p>A policy like this is called a <em>Resource Isolation Policy. To learn much more about implementing isolation policies with Fetch metadata, see <a href=\"https://web.dev/articles/fetch-metadata\" class=\"external\" target=\"_blank\">Protect your resources from web attacks with Fetch Metadata and <a href=\"https://xsleaks.dev/docs/defenses/isolation-policies/\" class=\"external\" target=\"_blank\">Isolation Policies."}},{"type":"prose","value":{"id":"samesite_cookies","title":"SameSite cookies","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value\"><code>SameSite cookie attribute determines whether or not the cookie will be sent in requests originating from a different site.\n<p>The <code>Lax value of <code>SameSite means that cross-site requests will only include the cookie if the request is a top-level navigation (meaning, essentially, that the value in the browser's address bar changes to the target site) and uses a <a href=\"/en-US/docs/Glossary/Safe/HTTP\">safe method (most notably, this excludes <a href=\"/en-US/docs/Web/HTTP/Reference/Methods/POST\"><code>POST requests).\n<p>This can protect against some cross-site leaks. For example, the <a href=\"#leaking_page_existence_using_error_events\">Leaking page existence using error events attack depends on the attacker making cross-site resource requests that include the user's session cookies. Setting <code>SameSite to <code>Lax on the user's session cookie would prevent this attack, because the cookie would not be included in the attacker's request, and no pages that require a login would ever be returned.\n<p>As a rule, <code>SameSite should be treated as a defense in depth measure, and should be deployed as well as a more explicit isolation policy such as one based on Fetch metadata."}},{"type":"prose","value":{"id":"framing_protection","title":"Framing protection","isH3":true,"content":"<p>Many cross-site leaks rely on the attacking site being able to embed the target as an <a href=\"/en-US/docs/Web/HTML/Reference/Elements/iframe\"><code><iframe>. For example, this is one method an attacker can use to get a reference to the target's <a href=\"/en-US/docs/Web/API/Window\" title=\"window\"><code>window, to enable a <a href=\"#frame_counting_using_window_references\">frame-counting attack.\n<p>This means it is a good practice to prevent a site from being embeddable unless you need to allow embedding, and if you do need to allow embedding, restrict it as far as you can.\n<p>There are two relevant tools here:\n<ul>\n<li>The <a href=\"/en-US/docs/Web/HTTP/Guides/CSP#clickjacking_protection\"><code>frame-ancestors directive in a <a href=\"/en-US/docs/Web/HTTP/Guides/CSP\">content security policy.\n<li>The <a href=\"/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options\"><code>X-Frame-Options response header.\n\n<p>The <code>frame-ancestors directive is a replacement for <code>X-Frame-Options. Although <a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors#browser_compatibility\">browser support for <code>frame-ancestors is very good, some very old browsers, notably Internet Explorer, don't support <code>frame-ancestors.\n<p>If <code>frame-ancestors and <code>X-Frame-Options are both set, then browsers that support <code>frame-ancestors will ignore <code>X-Frame-Options. This means that there's no reason not to set <code>X-Frame-Options as well as <code>frame-ancestors, and thus prevent embedding even in browsers that don't support <code>frame-ancestors."}},{"type":"prose","value":{"id":"cross-origin_opener_policy_coop","title":"Cross-Origin Opener Policy (COOP)","isH3":true,"content":"<p>As we saw in the <a href=\"#frame_counting_using_window_references\">frame-counting attack, another way to get a reference to the target's <a href=\"/en-US/docs/Web/API/Window\" title=\"window\"><code>window is as the return value of a call to <a href=\"/en-US/docs/Web/API/Window/open\" title=\"window.open()\"><code>window.open():\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js<pre class=\"brush: js notranslate\"><code>const target = window.open(\"https://example.com\");\n\n<p>The <a href=\"/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy\"><code>Cross-Origin-Opener-Policy response header determines whether a document will be opened in the same <a href=\"/en-US/docs/Glossary/Browsing_context\">browsing context group as the document that opened it.\n<p>If your server sends this header and sets it to any value except the default of <code>\"unsafe-none\", then if a document from a different origin tries to open your page using <code>window.open(), your page will be loaded into a different browsing context group. Among other things, this means that the opener will not get a reference to the <code>window object for your page, and will therefore not be able to use it in a frame counting attack."}},{"type":"prose","value":{"id":"defense_summary_checklist","title":"Defense summary checklist","isH3":true,"content":"<p>As we've seen, cross-site leaks include a range of attacks targeting different parts of the web platform: a single defense doesn't work against any of them. Indeed, some leaks, such as the one that exploits CSP to leak redirects, don't have any defenses yet.\n<p>In this guide we've outlined a few defenses that help to isolate your site from potential attackers, and we recommend implementing all of them:\n<ul>\n<li>Use Fetch metadata to implement a resource isolation policy.\n<li>Set the <code>SameSite attribute for session cookies to <code>Strict if you can, or <code>Lax if you have to.\n<li>Use the <code>frame-ancestors CSP directive and the <code>X-Frame-Options response header to prevent your site being embedded, or to control which sites can embed your site.\n<li>Send the <code>Cross-Origin-Opener-Policy response header to prevent other sites from accessing your <code>window global object.\n"}},{"type":"prose","value":{"id":"see_also","title":"See also","isH3":false,"content":"<ul>\n<li><a href=\"https://xsleaks.dev/\" class=\"external\" target=\"_blank\">XS-Leaks Wiki (xsleaks.dev)\n<li><a href=\"https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html\" class=\"external\" target=\"_blank\">Cross-site leaks Cheat Sheet (OWASP)\n"}}],"isActive":true,"isMarkdown":true,"isTranslated":false,"locale":"en-US","mdn_url":"/en-US/docs/Web/Security/Attacks/XS-Leaks","modified":"2025-05-15T09:33:06.000Z","native":"English (US)","noIndexing":false,"other_translations":[{"locale":"de","title":"Cross-Site Leaks (XS-Leaks)","native":"Deutsch"}],"pageTitle":"Cross-site leaks (XS-Leaks) - Security | MDN","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/Security","title":"Security"},{"uri":"/en-US/docs/Web/Security/Attacks","title":"Attacks"},{"uri":"/en-US/docs/Web/Security/Attacks/XS-Leaks","title":"Cross-site leaks (XS-Leaks)"}],"popularity":null,"short_title":"Cross-site leaks (XS-Leaks)","sidebarHTML":"<ol><li class=\"section\"><a href=\"/en-US/docs/Web/Security\">Security<li class=\"section\">Guides<li><a href=\"/en-US/docs/Web/Security/Insecure_passwords\">Insecure passwords<li><a href=\"/en-US/docs/Web/Security/Transport_Layer_Security\">Transport Layer Security<li><a href=\"/en-US/docs/Web/Security/Mixed_content\">Mixed content<li><a href=\"/en-US/docs/Web/Security/Same-origin_policy\">Same-origin policy<li><a href=\"/en-US/docs/Web/Security/Certificate_Transparency\">Certificate Transparency<li><a href=\"/en-US/docs/Web/Security/Subdomain_takeovers\">Subdomain takeovers<li><a href=\"/en-US/docs/Web/Security/Subresource_Integrity\">Subresource Integrity<li><a href=\"/en-US/docs/Web/Security/User_activation\">Features gated by user activation<li><a href=\"/en-US/docs/Web/Security/IFrame_credentialless\">IFrame credentialless<abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental\n<li><a href=\"/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns\">Referer header: Privacy and security concerns<li><a href=\"/en-US/docs/Web/Security/Weak_Signature_Algorithm\">Weak signature algorithms<li><a href=\"/en-US/docs/Web/Security/Firefox_Security_Guidelines\">Firefox security guidelines<li class=\"toggle\"><details open=\"\"><summary><a href=\"/en-US/docs/Web/Security/Attacks\">Attacks<ol><li><a href=\"/en-US/docs/Web/Security/Attacks/Clickjacking\">Clickjacking<li><em><a href=\"/en-US/docs/Web/Security/Attacks/XS-Leaks\" aria-current=\"page\">Cross-site leaks (XS-Leaks)<li><a href=\"/en-US/docs/Web/Security/Attacks/CSRF\">Cross-site request forgery (CSRF)<li><a href=\"/en-US/docs/Web/Security/Attacks/XSS\">Cross-site scripting (XSS)<li><a href=\"/en-US/docs/Web/Security/Attacks/MITM\">Manipulator in the Middle (MITM)<li class=\"toggle\"><details><summary><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides\">Practical implementation guides<ol><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CSP\">Content Security Policy (CSP)<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CORP\">Cross-Origin Resource Policy (CORP)<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CORS\">Cross-Origin Resource Sharing (CORS)<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion\">How to turn off form autocompletion<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types\">MIME type verification<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy\">Referrer policy<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Robots_txt\">robots.txt configuration<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Cookies\">Secure cookie configuration<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/SRI\">Subresource integrity (SRI)<li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/TLS\">Transport Layer Security (TLS)<li class=\"toggle\"><details><summary><a href=\"/en-US/docs/Web/Security/Secure_Contexts\">Secure contexts<ol><li><a href=\"/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts\">Restricted features","sidebarMacro":"security","source":{"folder":"en-us/web/security/attacks/xs-leaks","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/security/attacks/xs-leaks/index.md","last_commit_url":"https://github.com/mdn/content/commit/96f892f4775399675a77864f4afb74f5a399807a","filename":"index.md"},"summary":"Cross-site leaks (also called XS-Leaks) are a class of attack in which an attacker's site can derive information about the target site, or about the user's relationship with the target site, by using web platform APIs that enable sites to interact with one another. The information leaked could include, for example:","title":"Cross-site leaks (XS-Leaks)","toc":[{"text":"Sample cross-site leaks","id":"sample_cross-site_leaks"},{"text":"Defenses against cross-site leaks","id":"defenses_against_cross-site_leaks"},{"text":"See also","id":"see_also"}],"pageType":"guide"}}</script></body></html>