navigator.sendBeacon / fetch exfiltration
Check how data collected inside the iframe's own origin and referrer information can be sent out via sendBeacon or fetch.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | works |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/beacon-exfil?lang=en" title="XSS Playground - navigator.sendBeacon / fetch exfiltration" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Run
document.referrer: -
navigator.userAgent: -
// no logs
Explanation
- Clicks and keystrokes happening inside the iframe belong to its own origin, so they can be captured freely. A fake input field can harvest the user's typed password and ship it out.
- document.referrer exposes the parent page's origin / path (subject to Referrer-Policy). You can tell exactly which document, post, or dashboard the iframe is embedded in.
- This is the closest thing to actual data exfiltration. Mitigations: use sandbox="", which blocks JS entirely, or restrict iframe src to a trusted host allowlist.
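
One way to apply both mitigations when your service renders user-supplied embeds (an added example, not code from XSS Playground; the host player.trusted.example and the helper names checkEmbedSrc and buildEmbed are assumptions). It rebuilds the iframe from a validated src instead of passing the pasted markup through:

```javascript
// Assumed allowlist of embed hosts; replace with the hosts you actually trust.
const ALLOWED_HOSTS = new Set(["player.trusted.example"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the normalized URL if src is an https URL on the allowlist, else null.
function checkEmbedSrc(src) {
  let url;
  try {
    url = new URL(src); // no base given: relative and //host/ forms throw
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;        // javascript:, data:, http:
  if (url.username || url.password) return null;     // https://trusted@other-host/
  if (url.port !== "") return null;                  // default port only
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact match, not a suffix test
  return url.href;
}

// Emit a fresh tag: sandbox="" stops scripts in the frame, and
// referrerpolicy="no-referrer" keeps the parent URL out of document.referrer.
function buildEmbed(src, title) {
  const safeSrc = checkEmbedSrc(src);
  if (safeSrc === null) return null;
  return (
    `<iframe src="${escapeAttr(safeSrc)}" title="${escapeAttr(title)}" ` +
    `sandbox="" referrerpolicy="no-referrer" loading="lazy"></iframe>`
  );
}

// Constructed sample inputs, including lookalike hosts that a substring
// or endsWith check would let through.
for (const src of [
  "https://player.trusted.example/v/1",
  "https://player.trusted.example.other.example/v/1",
  "https://player.trusted.example@other.example/v/1",
  "//player.trusted.example/v/1",
]) {
  console.log(src, "=>", buildEmbed(src, "demo") ?? "rejected");
}
```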