XS-Leak (Cross-Site Leak) is a class of vulnerabilities that lets an attacker-controlled page infer sensitive information about a user by observing browser side channels: timing differences, resource-load success or failure, frame counts, redirects and other events that are visible across origins.
The Same-Origin Policy prevents the attacker from reading a cross-origin response body, but it does not hide everything about that response. The attacker can still observe characteristics such as response size, load timing, redirect behavior, or whether a load raised an error. Because those characteristics usually depend on the victim's authenticated state (logged in or not, search matched or not, account exists or not), each of them is a one-bit oracle that can be queried repeatedly to reconstruct the user's data on the target site.
```javascript
// Count frames in a cross-origin window to infer state.
// window.frames.length is one of the few properties readable across origins.
const win = window.open('https://target.com/search?q=secret');
setTimeout(() => {
  // win is null if the popup was blocked; frames.length is 0 if the loaded
  // page rendered no frames, or if COOP severed the opener's reference
  if (win && win.frames.length > 0) {
    // Search returned results (the results page embeds frames)
  } else {
    // No results, popup blocked, or reference severed
  }
}, 1000);
```
```javascript
// Measure response time to infer data.
// The no-cors fetch resolves when the opaque response arrives, so the
// elapsed time reflects server-side work, not the (unreadable) body.
const start = performance.now();
fetch('https://target.com/api/check?email=victim@example.com', {
  mode: 'no-cors',
  credentials: 'include'   // send the victim's cookies (defeated by SameSite=Strict)
}).then(() => {
  const time = performance.now() - start;
  // A longer time may indicate that the user exists. A single sample is
  // noisy, so real probes repeat the request and compare against a baseline.
});
```
```javascript
// Detect resource existence via load/error events.
// <img> fires load only when the final response is a decodable image; a 404,
// a redirect to a login page or any non-image body fires error instead, and
// neither event is blocked by the Same-Origin Policy.
const img = new Image();
img.onload = () => { /* Resource exists and is an image */ };
img.onerror = () => { /* Resource doesn't exist, errored, or isn't an image */ };
img.src = 'https://target.com/profile/picture?id=123';
```
Defenses (the header or attribute, and what it blocks):
- Cross-Origin-Opener-Policy: same-origin prevents cross-origin windows from retaining references, so a window.open() probe cannot read frames.length
- Cross-Origin-Resource-Policy: same-origin or same-site prevents cross-origin embedding of the response, so <img>, <script> and no-cors fetches fail uniformly
- Cross-Origin-Embedder-Policy: require-corp enforces CORP on all subresources
- Set-Cookie with SameSite=Strict prevents cookies from being sent on cross-site requests, so cross-site probes only ever observe the logged-out state
- Fetch Metadata: check Sec-Fetch-Site and Sec-Fetch-Mode to reject suspicious requests server-side before any state-dependent work is done
- Cache-Control: no-store on sensitive responses prevents cache-based leaks
- X-Frame-Options: DENY or CSP frame-ancestors 'none' blocks framing
No single header closes every channel: COOP handles window references, CORP/COEP handle embedding, SameSite and Fetch Metadata stop the request from ever carrying state, and they are meant to be layered.
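The following is an added example, not code from the original page: the mitigation list above expressed as a server-side decision, combining the listed response headers with a Fetch Metadata resource isolation check so that every cross-site probe receives the same cheap, uniform answer regardless of the user's state. Hostnames, the cookie value and the sample requests are constructed for illustration; the header names and values are the standard ones.

```javascript
// Added example, not from the original page: server-side hardening against
// the probes shown above. HARDENING_HEADERS are the headers from the
// mitigation list; isAllowedByFetchMetadata() is a Fetch Metadata
// "resource isolation" policy; handle() ties them together the way an
// http.createServer() request handler would. Sample requests are constructed.

const HARDENING_HEADERS = {
  // Severs the attacker's window.open() reference (defeats frame counting)
  'Cross-Origin-Opener-Policy': 'same-origin',
  // Refuses cross-origin embedding of this response (<img>, no-cors fetch)
  'Cross-Origin-Resource-Policy': 'same-origin',
  // Requires CORP or CORS on everything this document loads
  'Cross-Origin-Embedder-Policy': 'require-corp',
  // Cannot be framed, so frame-based probes fail uniformly
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
  // Never cached: nothing for a cache-probing attack to find
  'Cache-Control': 'no-store',
};

// Fetch Metadata resource isolation policy: true if the request may proceed,
// false if it should receive a uniform rejection.
function isAllowedByFetchMetadata(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata give no signal; other defenses still apply
  if (site === undefined) return true;

  // Same-origin, same-site and user-initiated (typed URL, bookmark) requests
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // Cross-site: only plain GET navigations, and never via <object>/<embed>
  if (mode === 'navigate' && method === 'GET' && dest !== 'object' && dest !== 'embed') {
    return true;
  }
  return false;
}

// Decide a response for { method, headers } with lower-cased header names,
// as Node's http module presents them.
function handle(req) {
  if (!isAllowedByFetchMetadata(req.method, req.headers)) {
    // Same status, same size, same work for every rejected cross-site probe
    return { status: 403, headers: { ...HARDENING_HEADERS }, body: '' };
  }
  return {
    status: 200,
    headers: {
      ...HARDENING_HEADERS,
      // SameSite=Strict: the cookie never rides along on a cross-site request
      'Set-Cookie': 'session=opaque-placeholder; Secure; HttpOnly; SameSite=Strict; Path=/',
    },
    body: 'ok',
  };
}

// Constructed sample requests mirroring the probes above (not real traffic)
const SAMPLE_REQUESTS = {
  // Legitimate fetch from the site's own page
  sameOriginFetch: { method: 'GET', headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  // The <img> existence probe from an attacker page
  crossSiteImgProbe: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  // The timing probe: credentialed no-cors fetch
  crossSiteNoCorsFetch: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'empty' } },
  // A user clicking a link to the site from another site: must keep working
  crossSiteLink: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  // Framing attempt via <embed>
  crossSiteEmbed: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'embed' } },
  // Old browser sending no Fetch Metadata
  legacyBrowser: { method: 'GET', headers: {} },
};

// Map each sample request name to the status it would receive
function summarize() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) out[name] = handle(req).status;
  return out;
}
```

Two caveats a practitioner should keep in mind. First, the window.open() probe is a plain cross-site GET navigation, which Fetch Metadata must allow or ordinary links stop working; that channel is closed by Cross-Origin-Opener-Policy, not by the request check. Second, the policy rejects cross-site POST navigations, which breaks legitimate cross-site form posts such as SSO callbacks; those endpoints need an explicit allow-list rather than the default rule.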