1. 9

  2. 2

    This kind of attack isn’t possible (AFAIK) on Google Cloud, because you need to set a Metadata-Flavor header or it won’t respond with any data. https://cloud.google.com/compute/docs/storing-retrieving-metadata#querying. Obviously there’s lots of other things that can go wrong with reflected XSS, but defense in depth is always good. I suspect it might be well too late for AWS to switch to a method like this though.