# Fetch Metadata and Cross-Site Leak (XS-Leaks) Protection: Best Practices
## Overview
XS-Leaks exploit cross-site behaviour and browser features to leak information. Reading the Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`) and enforcing a rejection policy on the server significantly reduces the risk.
## Server policy example
```typescript
type Req = { headers: Record<string, string>; method: string; path: string }

function isDangerousCrossSite(req: Req): boolean {
  // Header values are normalised to lower case; a missing header (legacy browser) yields ''
  const site = (req.headers['sec-fetch-site'] || '').toLowerCase()
  const mode = (req.headers['sec-fetch-mode'] || '').toLowerCase()
  const dest = (req.headers['sec-fetch-dest'] || '').toLowerCase()
  // Reject cross-site navigations or non-simple requests to sensitive endpoints
  const sensitive = req.path.startsWith('/account') || req.path.startsWith('/admin')
  const cross = site === 'cross-site'
  const notSimple = mode !== 'cors' && mode !== 'navigate' && mode !== 'same-origin'
  return sensitive && cross && (mode === 'navigate' || notSimple || dest === 'document')
}

function enforceFetchMetadata(req: Req): { allowed: boolean; status: number } {
  if (isDangerousCrossSite(req)) return { allowed: false, status: 403 }
  return { allowed: true, status: 200 }
}
```
## Combining with COOP/COEP and CSP
```text
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Content-Security-Policy: frame-ancestors 'none'; base-uri 'self'
```
## Operational points
- Enable the Fetch Metadata policy on sensitive endpoints, with an allowlist for the exceptions that must accept cross-site traffic
- Combine it with COOP/COEP and CSP to reduce the cross-site leak attack surface
- Record `Sec-Fetch-*` in the logs to audit cross-site access patterns
Combining server-side policy with browser isolation policies gives reliable XS-Leaks protection even in complex deployments.
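The following is an added example, not code from the original article: a fuller resource-isolation policy that fails open when Fetch Metadata is absent, always accepts same-site traffic, honours an allowlist of endpoints designed to be called cross-site, permits only simple top-level navigations from other sites (not embedding, matching the `frame-ancestors 'none'` header above), and produces the audit line the operational points recommend. The allowlisted paths are assumptions.

```typescript
type HeaderMap = Record<string, string | undefined>
type HttpReq = { method: string; path: string; headers: HeaderMap }
type Decision = { allowed: boolean; status: number; reason: string }

// Endpoints that legitimately receive cross-site requests (assumed names for illustration).
const CROSS_SITE_ALLOWLIST = new Set(['/oauth/callback', '/webhooks/payments'])

const hdr = (h: HeaderMap, name: string): string => (h[name] ?? '').toLowerCase()

function resourceIsolationPolicy(req: HttpReq): Decision {
  const site = hdr(req.headers, 'sec-fetch-site')
  const mode = hdr(req.headers, 'sec-fetch-mode')
  const dest = hdr(req.headers, 'sec-fetch-dest')

  // Legacy clients send no Fetch Metadata at all: fail open rather than break them.
  if (site === '') return { allowed: true, status: 200, reason: 'no-fetch-metadata' }
  // Same-origin, same-site and user-initiated ('none') requests are always accepted.
  if (site === 'same-origin' || site === 'same-site' || site === 'none')
    return { allowed: true, status: 200, reason: `site=${site}` }
  // Explicit exceptions for endpoints that are meant to be reached cross-site.
  if (CROSS_SITE_ALLOWLIST.has(req.path))
    return { allowed: true, status: 200, reason: 'allowlisted' }
  // Allow a plain top-level navigation (GET opened as a document), but refuse
  // cross-site embedding via <object>, <embed> or <iframe>, which XS-Leaks rely on.
  const embedded = ['object', 'embed', 'iframe'].includes(dest)
  if (mode === 'navigate' && req.method === 'GET' && !embedded)
    return { allowed: true, status: 200, reason: 'top-level-navigation' }
  return { allowed: false, status: 403, reason: `cross-site ${mode}/${dest}` }
}

// One log line per request carrying the Sec-Fetch-* values and the decision taken.
function auditLine(req: HttpReq, d: Decision): string {
  const h = req.headers
  return [
    `method=${req.method}`, `path=${req.path}`,
    `site=${h['sec-fetch-site'] ?? '-'}`, `mode=${h['sec-fetch-mode'] ?? '-'}`,
    `dest=${h['sec-fetch-dest'] ?? '-'}`, `allowed=${d.allowed}`, `reason=${d.reason}`,
  ].join(' ')
}

// Constructed sample: a cross-site <img> probe against an account page.
const sample: HttpReq = { method: 'GET', path: '/account/balance',
  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } }
console.log(auditLine(sample, resourceIsolationPolicy(sample)))
```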