AutoLeak
finding XS-Leaks with DOM Graphs
Filter
Filter Test Cases
Select Test Case Combinations to Show (ctrl+click, ctrl+a)
Inclusion methods
all
iframe
iframeCSP
iframeCSPHashreload
iframeHashreload
iframeSandbox
object
objectHashreload
embed
embedHashreload
image
stylesheet
script
audio
video
windowOpen
fetch
fetchCORS
fetchCORSCredLess
fetchAll
preloadScript
preloadStyle
prerender
frame
track
favicon
import
importScript
svg
websocket
eventSource
Differences
all
AcceptRangesbytes
AcceptRangesnone
AccessControlAllowOriginStar
AccessControlAllowOriginandCredentials
AllowGETPOSTHEADOPTIONPUT
AltSvcclear
AltSvcHTTP11
AltSvcH2
AuthorizationBasic
CacheControlmustrevalidate
CacheControlnocache
CacheControlnostore
CacheControlnotransform
CacheControlpublic
CacheControlprivate
CacheControlproxyrevalidate
CacheControlimmutable
ClearSiteData
ClearSiteDataAll
ContentDispositioninline
ContentDispositionattachment
ContentLanguage
ContentLocation
ContentMD5
ContentRangebytes
CSPframeancestors
CSPdefaultsrcself
CSPReportOnly
CSPReportOnlyURLLeak
CSPreportUri
CSPreportUriURLLeak
COEPunsafenone
COEPrequirecorp
COOPunsafenone
COOPsameoriginallowpopups
COOPsameorigin
CORPsamesite
CORPsameorigin
CORPcrossorigin
Date
Etag
EtagW
Expect100continue
ExpectCT
Expires
Expires2050
FeaturePolicyNone
FeaturePolicyStar
Iftest
IfMatchStar
IfMatchHash
IfModifiedSince
IfModifiedSince2050
IfNoneMatchStar
IfNoneMatchHash
IfRange
IfRange2050
IfUnmodifiedSince
IfUnmodifiedSince2050
LastModified
LastModified2050
LocationExamplecom
MaxForwards0
MaxForwards1
NEL
P3Ppolicyref
Pragmanocache
Prefersafe
ProxyAuthenticateBasicrealmPro
PublicKeyPins
Refresh1url
Refresh0url
ReferrerPolicynoreferrer
ReferrerPolicynoreferrerwhendo
ReferrerPolicyorigin
ReferrerPolicyoriginwhencrosso
ReferrerPolicysameorigin
ReferrerPolicystrictorigin
ReferrerPolicystrictoriginwhen
ReferrerPolicyunsafeurl
ReportToReport
RetryAfter
SecGPC
Serverservername
ServerTimingcachedescCacheRead
ServiceWorkerAllowed
StrictTransportSecuritymaxage
TimingAllowOriginStar
Title
TrailerMaxForwards
VaryStar
Via
Warning
WWWAuthenticateBasic
WWWAuthenticateDigest
WWWAuthenticateNegotiate
WWWAuthenticateAWS4HMACSHA256
XContentDuration
XContentTypeOptionsnosniff
XDownloadOptionsnoopen
XFrameOptionsALLOW
XFrameOptionsDENY
XPermittedCrossDomainPolicies
XPermittedCrossDomainPoliciesnone
XUACompatibleIE5
XUACompatibleIE7
XUACompatibleIE8
XUACompatibleIE9
XUACompatibleIE10
XUACompatibleIE11
XUACompatibleIEedge
XUACompatibleIEEmulateIE7
XUACompatibleIEEmulateIE8
XUACompatibleIEEmulateIE9
XUACompatibleIEEmulateIE10
XUACompatibleIEEmulateIE11
XXSSProtection1modeblock
XXSSProtection1
XXSSProtection0
CSPsandbox
AcceptCH
XFOvsCSPFA
AllowCSPFrom
StatusCode200vs201
StatusCode200vs204
StatusCode200vs206
StatusCode200vs301
StatusCode200vs302
StatusCode200vs304
StatusCode200vs400
StatusCode200vs401
StatusCode200vs403
StatusCode200vs404
StatusCode200vs500
StatusCode200vs999
StatusCode201vs204
StatusCode201vs206
StatusCode201vs301
StatusCode201vs302
StatusCode201vs304
StatusCode201vs400
StatusCode201vs401
StatusCode201vs403
StatusCode201vs404
StatusCode201vs500
StatusCode201vs999
StatusCode204vs206
StatusCode204vs301
StatusCode204vs302
StatusCode204vs304
StatusCode204vs400
StatusCode204vs401
StatusCode204vs403
StatusCode204vs404
StatusCode204vs500
StatusCode204vs999
StatusCode206vs301
StatusCode206vs302
StatusCode206vs304
StatusCode206vs400
StatusCode206vs401
StatusCode206vs403
StatusCode206vs404
StatusCode206vs500
StatusCode206vs999
StatusCode301vs302
StatusCode301vs304
StatusCode301vs400
StatusCode301vs401
StatusCode301vs403
StatusCode301vs404
StatusCode301vs500
StatusCode301vs999
StatusCode302vs304
StatusCode302vs400
StatusCode302vs401
StatusCode302vs403
StatusCode302vs404
StatusCode302vs500
StatusCode302vs999
StatusCode304vs400
StatusCode304vs401
StatusCode304vs403
StatusCode304vs404
StatusCode304vs500
StatusCode304vs999
StatusCode400vs401
StatusCode400vs403
StatusCode400vs404
StatusCode400vs500
StatusCode400vs999
StatusCode401vs403
StatusCode401vs404
StatusCode401vs500
StatusCode401vs999
StatusCode403vs404
StatusCode403vs500
StatusCode403vs999
StatusCode404vs500
StatusCode404vs999
StatusCode500vs999
RedirectExamplecom
Redirectgooglecom
FileTypeHTML
FileTypeCSS
FileTypeTEXT
FileTypeGIF
FileTypeWAV
FileTypePDF
FileTypeJS
FileTypeJSON
FileTypeEMPTY
FileTypeEMPTYHTML
HTMLwithIframe
HTMLwithInput
Def1AcceptRangesbytes
Def2AcceptRangesbytes
Def1AccessControlAllowOriginStar
Def2AccessControlAllowOriginStar
Def1AccessControlAllowOriginandCredentials
Def2AccessControlAllowOriginandCredentials
Def1AllowCSPFrom
Def2AllowCSPFrom
Def1COOPsameorigin
Def2COOPsameorigin
Def1COOPsameoriginallowpopups
Def2COOPsameoriginallowpopups
Def1CORPsameorigin
Def2CORPsameorigin
Def1CORPsamesite
Def2CORPsamesite
Def1CSPdefaultsrcself
Def2CSPdefaultsrcself
Def1CSPframeancestors
Def2CSPframeancestors
Def1CacheControlnostore
Def2CacheControlnostore
Def1ContentDispositionattachment
Def2ContentDispositionattachment
Def1FileTypeCSS
Def2FileTypeCSS
Def1FileTypeEMPTY
Def2FileTypeEMPTY
Def1FileTypeGIF
Def2FileTypeGIF
Def1FileTypeHTML
Def2FileTypeHTML
Def1FileTypeJS
Def2FileTypeJS
Def1FileTypeJSON
Def2FileTypeJSON
Def1FileTypePDF
Def2FileTypePDF
Def1FileTypeTEXT
Def2FileTypeTEXT
Def1FileTypeWAV
Def2FileTypeWAV
Def1HTMLwithIframe
Def2HTMLwithIframe
Def1HTMLwithInput
Def2HTMLwithInput
Def1RedirectExamplecom
Def2RedirectExamplecom
Def1Redirectgooglecom
Def2Redirectgooglecom
Def1Refresh0url
Def2Refresh0url
Def1Refresh1url
Def2Refresh1url
Def1ServerTimingcachedescCacheRead
Def2ServerTimingcachedescCacheRead
Def1StatusCode200vs201
Def2StatusCode200vs201
Def1StatusCode200vs204
Def2StatusCode200vs204
Def1StatusCode200vs206
Def2StatusCode200vs206
Def1StatusCode200vs301
Def2StatusCode200vs301
Def1StatusCode200vs302
Def2StatusCode200vs302
Def1StatusCode200vs304
Def2StatusCode200vs304
Def1StatusCode200vs400
Def2StatusCode200vs400
Def1StatusCode200vs401
Def2StatusCode200vs401
Def1StatusCode200vs403
Def2StatusCode200vs403
Def1StatusCode200vs404
Def2StatusCode200vs404
Def1StatusCode200vs500
Def2StatusCode200vs500
Def1StatusCode200vs999
Def2StatusCode200vs999
Def1StatusCode201vs204
Def2StatusCode201vs204
Def1StatusCode201vs301
Def2StatusCode201vs301
Def1StatusCode201vs302
Def2StatusCode201vs302
Def1StatusCode201vs304
Def2StatusCode201vs304
Def1StatusCode201vs400
Def2StatusCode201vs400
Def1StatusCode201vs401
Def2StatusCode201vs401
Def1StatusCode201vs403
Def2StatusCode201vs403
Def1StatusCode201vs404
Def2StatusCode201vs404
Def1StatusCode201vs500
Def2StatusCode201vs500
Def1StatusCode201vs999
Def2StatusCode201vs999
Def1StatusCode204vs206
Def2StatusCode204vs206
Def1StatusCode204vs301
Def2StatusCode204vs301
Def1StatusCode204vs302
Def2StatusCode204vs302
Def1StatusCode204vs304
Def2StatusCode204vs304
Def1StatusCode204vs400
Def2StatusCode204vs400
Def1StatusCode204vs401
Def2StatusCode204vs401
Def1StatusCode204vs403
Def2StatusCode204vs403
Def1StatusCode204vs404
Def2StatusCode204vs404
Def1StatusCode204vs500
Def2StatusCode204vs500
Def1StatusCode204vs999
Def2StatusCode204vs999
Def1StatusCode206vs301
Def2StatusCode206vs301
Def1StatusCode206vs302
Def2StatusCode206vs302
Def1StatusCode206vs304
Def2StatusCode206vs304
Def1StatusCode206vs400
Def2StatusCode206vs400
Def1StatusCode206vs401
Def2StatusCode206vs401
Def1StatusCode206vs403
Def2StatusCode206vs403
Def1StatusCode206vs404
Def2StatusCode206vs404
Def1StatusCode206vs500
Def2StatusCode206vs500
Def1StatusCode206vs999
Def2StatusCode206vs999
Def1StatusCode301vs302
Def2StatusCode301vs302
Def1StatusCode301vs304
Def2StatusCode301vs304
Def1StatusCode301vs400
Def2StatusCode301vs400
Def1StatusCode301vs401
Def2StatusCode301vs401
Def1StatusCode301vs403
Def2StatusCode301vs403
Def1StatusCode301vs404
Def2StatusCode301vs404
Def1StatusCode301vs500
Def2StatusCode301vs500
Def1StatusCode301vs999
Def2StatusCode301vs999
Def1StatusCode302vs304
Def2StatusCode302vs304
Def1StatusCode302vs400
Def2StatusCode302vs400
Def1StatusCode302vs401
Def2StatusCode302vs401
Def1StatusCode302vs403
Def2StatusCode302vs403
Def1StatusCode302vs404
Def2StatusCode302vs404
Def1StatusCode302vs500
Def2StatusCode302vs500
Def1StatusCode302vs999
Def2StatusCode302vs999
Def1StatusCode304vs400
Def2StatusCode304vs400
Def1StatusCode304vs401
Def2StatusCode304vs401
Def1StatusCode304vs403
Def2StatusCode304vs403
Def1StatusCode304vs404
Def2StatusCode304vs404
Def1StatusCode304vs500
Def2StatusCode304vs500
Def1StatusCode304vs999
Def2StatusCode304vs999
Def1StatusCode400vs401
Def2StatusCode400vs401
Def1StatusCode400vs403
Def2StatusCode400vs403
Def1StatusCode400vs404
Def2StatusCode400vs404
Def1StatusCode400vs500
Def2StatusCode400vs500
Def1StatusCode400vs999
Def2StatusCode400vs999
Def1StatusCode401vs403
Def2StatusCode401vs403
Def1StatusCode401vs404
Def2StatusCode401vs404
Def1StatusCode401vs500
Def2StatusCode401vs500
Def1StatusCode401vs999
Def2StatusCode401vs999
Def1StatusCode403vs404
Def2StatusCode403vs404
Def1StatusCode403vs500
Def2StatusCode403vs500
Def1StatusCode403vs999
Def2StatusCode403vs999
Def1StatusCode404vs500
Def2StatusCode404vs500
Def1StatusCode404vs999
Def2StatusCode404vs999
Def1StatusCode500vs999
Def2StatusCode500vs999
Def1TimingAllowOriginStar
Def2TimingAllowOriginStar
Def1XContentTypeOptionsnosniff
Def2XContentTypeOptionsnosniff
Def1XFOvsCSPFA
Def2XFOvsCSPFA
Def1XFrameOptionsDENY
Def2XFrameOptionsDENY
Filetypes
all
html
css
text
gif
wav
pdf
js
json
empty
emptyHTML
Browsers
all
chrome
firefox
webkit
brave
Only Show Findings
Test Cases with length != 0
Number of Test Cases per Page
More may slow the browser, Chrome especially.