Safari (13.0.4 and newer) will not log iframe requests in the Performance API list when the iframe page is blocked by the XSS Auditor. So the length of performance.getEntries() can leak the status of the Auditor.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

const check = async(url) => {
    let perfEntries = performance.getEntries().length
    return new Promise(r => {
        let frame = document.createElement('iframe')
        frame.src = url
        frame.onload = (e) => {
            e.target.remove()
            return r(performance.getEntries().length - perfEntries)
        }
        framesdiv.appendChild(frame)
    })
}
// r(0) = XSS auditor triggered
// r(1) = no XSS auditor

XS-Leaks with Performance API

Since the XSS Auditor got removed from Chrome 78+, I was wondering if you could still detect it cross-origin in Safari. In Safari, the current page is just replaced with an empty page instead of changing to an error page like in Chrome. This makes it harder to detect.

When a page has iframes, a block removes them and window.frames.length could be used to detect the auditor cross-origin. Without iframes, it is a bit harder, as other techniques used to detect the Chrome Auditor do not work in Safari.

The Performance API is very interesting for all kinds of timing leaks and terjanq showed how to detect X-Frame-Options headers with it in Chrome, using embeds or iframes.

Safari will also not log iframe requests in certain conditions; these can be used for XS-Leaks:

  • if the XSS Auditor blocked the page
  • if the response has 4XX or 5XX status codes
  • if X-Frame-Options: deny/sameorigin denied the iframe request
  • if the body of the response is empty

Also, in Safari, redirect times can be read for cross-origin performance entries, thus leaking whether a page redirected the user.

Chrome has the same problem with X-Frame-Options; only Firefox seems to get it right (and no XSS Auditor ๐Ÿ™ƒ).

Reddit Post