WS-2023-0183
June 22, 2023
Brave iOS has two weaknesses described below. By combining them, XSS can be achieved on the privileged origin internal://local.
First issue - Exposure of uuidKey through the Referer header
Reader mode in Brave has two HTML templates, Reader.html and ReaderViewLoading.html. The former template includes a <meta name="referrer" content="never"> tag to prevent referrer leakage, but the latter template does not. Therefore, when an external page is opened through ReaderViewLoading.html, the uuidKey contained in the reader-mode page URL is leaked to that page via the Referer header.
Second issue - XSS in SessionRestoreHandler
SessionRestoreHandler is used to restore a previously used tab, but it does not validate the URL to be restored. Therefore, if a javascript: URL is provided, the script is executed on the internal: domain.
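The kind of check the second issue calls for, written here as an added Swift example rather than Brave's own code: a session-restore handler should only accept URLs whose scheme is on an allowlist (assumed here to be http and https; a real handler would add whatever internal scheme its reader mode needs), so javascript:, data: and schemeless strings are rejected before anything is loaded into the tab. The function name and the sample inputs are constructed for illustration.

```swift
import Foundation

// Added example (not Brave's code). Assumption: restored tabs only ever
// point at ordinary web pages, so only these schemes are accepted.
let allowedRestoreSchemes: Set<String> = ["http", "https"]

/// Returns a URL that is safe to load into a restored tab, or nil if the
/// string must be rejected (javascript:, data:, file:, unknown or missing scheme).
func validatedRestoreURL(_ raw: String) -> URL? {
    // Trim surrounding whitespace/newlines so a padded "javascript:" cannot
    // slip past a naive prefix check.
    let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
    guard let url = URL(string: trimmed),
          let scheme = url.scheme?.lowercased(),   // scheme matching is case-insensitive
          allowedRestoreSchemes.contains(scheme),
          let host = url.host, !host.isEmpty       // require a real origin, not just a scheme
    else {
        return nil
    }
    return url
}

// Constructed inputs for a quick self-check: only the first two are accepted.
let samples = [
    "https://example.com/article",
    "  HTTPS://example.com/padded ",
    "javascript:alert(document.domain)",
    "JavaScript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "example.com/no-scheme",
]
for s in samples {
    print("\(s) -> \(validatedRestoreURL(s)?.absoluteString ?? "rejected")")
}
```

The allowlist approach is deliberate: a denylist of javascript: alone would miss case variants, leading whitespace and other scriptable schemes, whereas an allowlist fails closed for anything the handler was not designed to restore.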
CVSS v4
Base Score: 9.4
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: PASSIVE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: HIGH
Subsequent System Integrity: HIGH
Subsequent System Availability: HIGH
CVSS v3
Base Score: 9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH