Cross-site Request Leak Report
Google Chrome v59 (default settings)

To evaluate whether your current browser instance's cookie policies can be bypassed with one of the request mechanisms, simply click on the specific instance you want to test. This will open a new tab, where the test is set up and executed: the test will try to initiate a cross-site request to cross-site.com. After a few seconds, you will be redirected back to this page, showing the results of the test.

To analyze the correctness of your browser extension, make sure to mark the checkbox underneath.

Test with cross-site request that should be blocked by easylist.txt:

Request Mechanism

HTML elements

link-prerender

Redirects

form-GET, meta-refresh, redirect-winloc, status-301, status-302, status-303, status-307, status-308

CSS

after-content, background-image, before-content, border-image-source, cursor, escape-url, import-string, import-url, list-style-image, variables

Response headers

link-prefetch, link-preload, link-preload-as-font, link-preload-as-image, link-preload-as-script, link-preload-as-style

Service worker

fetch-credentials-include, fetch-GET-credentials-include, fetch-HEAD-credentials-include, fetch-POST-credentials-include, import-scripts, refetch-through-innocent-script

HTML elements

audio-source-src, body-background, embed-src, iframe-src, iframe-src-data-svg-image-href, iframe-src-javascript-atob-img-src, iframe-src-javascript-img-src, iframe-srcdoc-img-src, image-src, img-src, img-srcset, input-src, link-alternate-stylesheet, link-prefetch, link-preload, link-preload-as-font, link-preload-as-image, link-preload-as-script, link-preload-as-style, link-stylesheet, object-data, object-x-scriptlet-data, picture-img-srcset, script-src, svg-feimage, svg-image-href, svg-image-xlink-href, svg-rect-cursor, svg-script-href, svg-script-xlink-href, table-background, td-background, video-poster, video-source-src, video-src

JavaScript

event-source-credentials-include, fetch-credentials-include, fetch-GET-credentials-include, fetch-HEAD-credentials-include, fetch-POST-credentials-include, send-beacon, websocket-wss, xhr-get-withCredentials, xhr-head-withCredentials, xhr-post-withCredentials

AppCache

appcache

PDF

pdf-iframe-submitForm, pdf-redirect-submitForm

Redirects

form-POST

CSS

font-face, font-face-fallback, shape-outside

Response headers

csp-report-uri

Service worker

event-source, fetch, fetch-GET, fetch-HEAD, fetch-POST

HTML elements

link-import

JavaScript

event-source, fetch, fetch-GET, fetch-HEAD, fetch-POST, xhr-delete, xhr-delete-withCredentials, xhr-get, xhr-head, xhr-post, xhr-put, xhr-put-withCredentials