# Fetch Metadata and Cross-Site Leaks (XS-Leaks) Protection: Best Practices

## Overview

XS-Leaks exploit cross-site behaviour and browser features to leak information. Reading the Fetch Metadata request headers and enforcing a deny policy on the server significantly reduces the risk.

## Server policy example

```typescript
type Req = { headers: Record<string, string>; method: string; path: string }

function isDangerousCrossSite(req: Req): boolean {
  // Header names are assumed lower-cased (as Node's req.headers are); values are compared case-insensitively
  const site = (req.headers['sec-fetch-site'] || '').toLowerCase()
  const mode = (req.headers['sec-fetch-mode'] || '').toLowerCase()
  const dest = (req.headers['sec-fetch-dest'] || '').toLowerCase()
  // Reject cross-site navigations and non-CORS requests aimed at sensitive endpoints
  const sensitive = req.path.startsWith('/account') || req.path.startsWith('/admin')
  // A request without Sec-Fetch-Site (older browser, non-browser client) is not treated as cross-site here
  const cross = site === 'cross-site'
  // True for 'no-cors' and 'websocket' requests (and for a missing Sec-Fetch-Mode header)
  const notSimple = mode !== 'cors' && mode !== 'navigate' && mode !== 'same-origin'
  return sensitive && cross && (mode === 'navigate' || notSimple || dest === 'document')
}

function enforceFetchMetadata(req: Req): { allowed: boolean; status: number } {
  if (isDangerousCrossSite(req)) return { allowed: false, status: 403 }
  return { allowed: true, status: 200 }
}
```
## Combining with COOP/COEP and CSP

```http
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Content-Security-Policy: frame-ancestors 'none'; base-uri 'self'
```
## Operational points

- Enable the Fetch Metadata policy on sensitive endpoints, with allowlisted exceptions
- Coordinate it with COOP/COEP and CSP to reduce the cross-site leak attack surface
- Log the `Sec-Fetch-*` headers to audit cross-site access patterns

Combining server-side policy with browser isolation policies gives reliable XS-Leaks protection even in complex scenarios.
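As an added example (not code from the original post), the following TypeScript combines the operational points above: the sensitive-path rule, an allowlist of paths that are intentionally reachable cross-site, and an audit line built from the `Sec-Fetch-*` headers. The allowlist prefixes and the `checkRequest` / `crossSiteCounts` names are assumptions.

```typescript
// Added example (not from the original post): a cross-site check that combines the
// sensitive-path rule with an allowlist of intentionally public paths, and builds an
// audit line from the Sec-Fetch-* headers so cross-site access can be reviewed in logs.
type Hdrs = Record<string, string>   // header names assumed lower-cased (as in Node)
type Decision = { allowed: boolean; reason: string; audit: string }

const SENSITIVE_PREFIXES = ['/account', '/admin']          // from the post's policy
const CROSS_SITE_ALLOWLIST = ['/public/', '/static/']      // assumed public paths

const startsWithAny = (path: string, prefixes: string[]) =>
  prefixes.some(p => path.startsWith(p))

function checkRequest(method: string, path: string, headers: Hdrs): Decision {
  const h = (name: string) => (headers[name] || '').toLowerCase()
  const site = h('sec-fetch-site'), mode = h('sec-fetch-mode'), dest = h('sec-fetch-dest')
  // One audit line per request; '-' marks an absent header.
  const audit = `${method} ${path} site=${site || '-'} mode=${mode || '-'} dest=${dest || '-'}`
  // No Sec-Fetch-Site: old browser or non-browser client. Allowed here but logged,
  // so other defences (CSRF tokens, SameSite cookies) must cover this case.
  if (site === '') return { allowed: true, reason: 'no-fetch-metadata', audit }
  // same-origin, same-site and user-initiated ('none') requests are never cross-site.
  if (site !== 'cross-site') return { allowed: true, reason: 'not-cross-site', audit }
  if (startsWithAny(path, CROSS_SITE_ALLOWLIST))
    return { allowed: true, reason: 'allowlisted', audit }
  // Sensitive endpoints reject every cross-site request, navigations included.
  if (startsWithAny(path, SENSITIVE_PREFIXES))
    return { allowed: false, reason: 'sensitive-cross-site', audit }
  // Elsewhere, permit only top-level GET navigations (users following links).
  if (mode === 'navigate' && method === 'GET' && dest === 'document')
    return { allowed: true, reason: 'top-level-navigation', audit }
  return { allowed: false, reason: 'cross-site-blocked', audit }
}

// Count cross-site requests per path from audit lines, for periodic log review.
function crossSiteCounts(auditLines: string[]): Record<string, number> {
  const counts: Record<string, number> = {}
  for (const line of auditLines) {
    const m = /^\S+ (\S+) site=cross-site /.exec(line)
    if (m) counts[m[1]] = (counts[m[1]] || 0) + 1
  }
  return counts
}
```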