# meta

## Overview

The [\<meta>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta) tag represents metadata that can not be represented by other HTML meta-related elements. Some `<meta>` tags are informational, like:

```html
<meta name="name" content="content">
```

However, part of them affect the page in some way, like:

```html
<meta http-equiv="content-security-policy" content="default-src 'none'; base-uri 'self'">
```

{% hint style="info" %}
Content Security Policy does not regulate `<meta>` elements.
{% endhint %}

`<meta http-equiv=...>` is a tag on the page that may emulate a subset of functions normally reserved for page headers. The dangerous functions that can be performed by `<meta http-equiv=...>` include:

* `set-cookie`:
  * `set-cookie` instruction was removed from the standard and is no longer supported at all in Firefox 68 and Chrome 65.
* `refresh`:
  * redirect to any regular URL.
  * redirect to any `data:` URL.

## Using the data: scheme to execute arbitrary JavaScript

The `<meta>` tag with the `content = "0; data: "` URI can be used to execute arbitrary JavaScript code, for example:

```html
<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>
```

It works only on Safari. Firefox and Chrome will block this:

* Firefox does not allow navigation of the top frame to a data URL.
* Chrome does not allow navigation to the top level `data:` URI.

## Open redirect

It is possible to redirect a user to an arbitrary page using the following payload:

```html
<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>
```

## References

* [\<meta> and \<iframe> tags chained to SSRF](https://medium.com/@know.0nix/hunting-good-bugs-with-only-html-d8fd40d17b38)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xn3va.gitbook.io/cheat-sheets/web-application/html-injection/meta.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.