meta

Overview

The <meta> tag represents metadata that can not be represented by other HTML meta-related elements. Some <meta> tags are informational, like:

<meta name="name" content="content">

However, part of them affect the page in some way, like:

<meta http-equiv="content-security-policy" content="default-src 'none'; base-uri 'self'">

Content Security Policy does not regulate <meta> elements.

<meta http-equiv=...> is a tag on the page that may emulate a subset of functions normally reserved for page headers. The dangerous functions that can be performed by <meta http-equiv=...> include:

set-cookie:
- set-cookie instruction was removed from the standard and is no longer supported at all in Firefox 68 and Chrome 65.
refresh:
- redirect to any regular URL.
- redirect to any data: URL.

Using the data: scheme to execute arbitrary JavaScript

The <meta> tag with the content = "0; data: " URI can be used to execute arbitrary JavaScript code, for example:

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>

It works only on Safari. Firefox and Chrome will block this:

Firefox does not allow navigation of the top frame to a data URL.
Chrome does not allow navigation to the top level data: URI.

Open redirect

It is possible to redirect a user to an arbitrary page using the following payload:

<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>

References

<meta> and <iframe> tags chained to SSRF

Previouslink Nexttarget attribute

Last updated 2 years ago