Changeset 199525 in webkit


Timestamp:
Apr 13, 2016, 7:29:55 PM (9 years ago)
Author:
dbates@webkit.org
Message:

CSP: Remove experimental directive reflected-xss
https://bugs.webkit.org/show_bug.cgi?id=156554

Reviewed by Brent Fulgham.

Source/WebCore:

The Content Security Policy directive reflected-xss was removed from the Content Security
Policy Level 2 spec., <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).
This directive was considered experimental and was guarded by a run-time flag that was never
enabled by default. We should remove support for this directive.

  • html/parser/XSSAuditor.cpp:

(WebCore::XSSAuditor::XSSAuditor): Initialize m_xssProtection to XSSProtectionDisposition::Enabled.
(WebCore::XSSAuditor::init): Write logic in terms of enum class XSSProtectionDisposition.
(WebCore::XSSAuditor::filterToken): Ditto.
(WebCore::combineXSSProtectionHeaderAndCSP): Deleted.

  • html/parser/XSSAuditor.h: Change data type of m_xssProtection from ContentSecurityPolicy::ReflectedXSSDisposition to XSSProtectionDisposition.

  • html/parser/XSSAuditorDelegate.cpp: Ditto.

(WebCore::buildConsoleError): Remove logic to emit a remark in the console error when an XSS is
blocked because of the directive reflected-xss. Also substituted "because" for "as" in the remark
added to the error message when the XSS Auditor is enabled because the server did not send HTTP
header X-XSS-Protection.

  • html/parser/XSSAuditorDelegate.h:

(WebCore::XSSInfo::XSSInfo): Removed argument didSendCSPHeader as we are removing support for the
directive reflected-xss.

  • page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::reflectedXSSDisposition): Deleted.
(WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS): Deleted.

  • page/csp/ContentSecurityPolicy.h:
  • page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Remove initialization
of m_reflectedXSSDisposition as we are removing support for the directive reflected-xss.
(WebCore::ContentSecurityPolicyDirectiveList::parseReflectedXSS): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Remove logic to parse directive reflected-xss.

  • page/csp/ContentSecurityPolicyDirectiveList.h:

(WebCore::ContentSecurityPolicyDirectiveList::reflectedXSSDisposition): Deleted.

  • page/csp/ContentSecurityPolicyDirectiveNames.cpp:
  • page/csp/ContentSecurityPolicyDirectiveNames.h:
  • page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::isCSPDirectiveName):
(WebCore::isExperimentalDirectiveName): Deleted.

  • platform/network/HTTPParsers.cpp:

(WebCore::parseXSSProtectionHeader): Write it in terms of enum class XSSProtectionDisposition.

  • platform/network/HTTPParsers.h: Define enum class XSSProtectionDisposition. Change return type of parseXSSProtectionHeader() from ContentSecurityPolicy::ReflectedXSSDisposition to XSSProtectionDisposition as we are removing the former.

LayoutTests:

Remove tests for directive reflected-xss and update the expected results of existing XSS Auditor tests
to reflect the change made to the wording of the error message emitted when an XSS attack is blocked.

  • fast/frames/xss-auditor-handles-file-urls-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Removed.
  • http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Removed.
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
  • http/tests/security/xssAuditor/base-href-control-char-expected.txt:
  • http/tests/security/xssAuditor/base-href-expected.txt:
  • http/tests/security/xssAuditor/base-href-null-char-expected.txt:
  • http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
  • http/tests/security/xssAuditor/cookie-injection-expected.txt:
  • http/tests/security/xssAuditor/dom-write-URL-expected.txt:
  • http/tests/security/xssAuditor/dom-write-location-expected.txt:
  • http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
  • http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
  • http/tests/security/xssAuditor/form-action-expected.txt:
  • http/tests/security/xssAuditor/formaction-on-button-expected.txt:
  • http/tests/security/xssAuditor/formaction-on-input-expected.txt:
  • http/tests/security/xssAuditor/frameset-injection-expected.txt:
  • http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
  • http/tests/security/xssAuditor/get-from-iframe-expected.txt:
  • http/tests/security/xssAuditor/iframe-injection-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
  • http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
  • http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
  • http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
  • http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
  • http/tests/security/xssAuditor/img-tag-with-comma-expected.txt:
  • http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
  • http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
  • http/tests/security/xssAuditor/malformed-HTML-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
  • http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
  • http/tests/security/xssAuditor/object-embed-tag-expected.txt:
  • http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
  • http/tests/security/xssAuditor/object-tag-expected.txt:
  • http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/open-attribute-body-expected.txt:
  • http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
  • http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
  • http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
  • http/tests/security/xssAuditor/open-iframe-src-03-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-01-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-02-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-03-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-04-expected.txt:
  • http/tests/security/xssAuditor/post-from-iframe-expected.txt:
  • http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
  • http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
  • http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
  • http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
  • http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
  • http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
  • http/tests/security/xssAuditor/property-escape-expected.txt:
  • http/tests/security/xssAuditor/property-escape-long-expected.txt:
  • http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
  • http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
  • http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
  • http/tests/security/xssAuditor/reflection-in-path-expected.txt:
  • http/tests/security/xssAuditor/resources/echo-intertag.pl:
  • http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
  • http/tests/security/xssAuditor/script-tag-entities-expected.txt:
  • http/tests/security/xssAuditor/script-tag-expected.txt:
  • http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
  • http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
  • http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
  • http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-post-expected.txt:
  • http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt:
  • http/tests/security/xssAuditor/svg-animate-expected.txt:
  • http/tests/security/xssAuditor/svg-script-tag-expected.txt:
  • http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
  • http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
  • http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
Location:
trunk
Files:
63 deleted
179 edited
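The change above moves X-XSS-Protection handling onto enum class XSSProtectionDisposition and makes Enabled the auditor's starting state, so the CSP directive no longer participates in the decision. What follows is an added example, not WebKit's code: a small parser for that header plus the fallback rule the message describes (a header that is absent or malformed leaves the auditor at its default and attaches a remark to the console error). The enumerator set, the function signatures, the accepted grammar and the remark wording are assumptions made for this example.

```cpp
// Added example (not WebKit code): an X-XSS-Protection header parser and the
// auditor's fallback rule, written around the enum class named in the change.
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Assumed enumerator set; the real definition lives in WebCore's HTTPParsers.h.
enum class XSSProtectionDisposition { Invalid, Disabled, Enabled, BlockEnabled };

static std::string_view trim(std::string_view s)
{
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.front())))
        s.remove_prefix(1);
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.back())))
        s.remove_suffix(1);
    return s;
}

// Accepts "0", "1", "1; mode=block" and "1; report=<url>" (directives may combine).
// Anything else is Invalid, with the reason in failureReason. The grammar is a
// simplification chosen for this example, not a transcription of WebKit's parser.
XSSProtectionDisposition parseXSSProtectionHeader(std::string_view header, std::string& failureReason, std::string& reportURL)
{
    using D = XSSProtectionDisposition;
    constexpr size_t npos = std::string_view::npos;
    failureReason.clear();
    reportURL.clear();
    std::string_view value = trim(header);
    if (value.empty()) {
        failureReason = "empty header value";
        return D::Invalid;
    }
    D result = D::Invalid;
    for (size_t start = 0, index = 0;; ++index) {
        size_t end = value.find(';', start);
        std::string_view token = trim(value.substr(start, end == npos ? npos : end - start));
        if (index == 0) {
            // The leading token is the on/off flag.
            if (token == "0")
                result = D::Disabled;
            else if (token == "1")
                result = D::Enabled;
            else {
                failureReason = "expected 0 or 1";
                return D::Invalid;
            }
        } else {
            // Later tokens are name=value directives and only make sense after "1".
            size_t eq = token.find('=');
            if (result == D::Disabled || eq == npos) {
                failureReason = result == D::Disabled ? "directives are not allowed after 0" : "expected name=value directive";
                return D::Invalid;
            }
            std::string_view name = trim(token.substr(0, eq));
            std::string_view directiveValue = trim(token.substr(eq + 1));
            if (name == "mode" && directiveValue == "block")
                result = D::BlockEnabled;
            else if (name == "report" && !directiveValue.empty())
                reportURL = std::string(directiveValue);
            else {
                failureReason = "unknown directive or value";
                return D::Invalid;
            }
        }
        if (end == npos)
            return result;
        start = end + 1;
    }
}

XSSProtectionDisposition parseDisposition(std::string_view header)
{
    std::string reason, reportURL;
    return parseXSSProtectionHeader(header, reason, reportURL);
}

std::string parseReportURL(std::string_view header)
{
    std::string reason, reportURL;
    parseXSSProtectionHeader(header, reason, reportURL);
    return reportURL;
}

// What the auditor runs with: start from Enabled (the constructor default named in the
// change), adopt a valid header, and keep the default when the header is absent or
// malformed. Remark strings are constructed for this example, not WebKit's console text.
struct AuditorDecision {
    XSSProtectionDisposition disposition;
    std::string remark; // empty when the server's header was honoured as sent
};

AuditorDecision decideXSSProtection(std::optional<std::string_view> header) // nullopt = not sent
{
    AuditorDecision decision { XSSProtectionDisposition::Enabled, "" };
    if (!header) {
        decision.remark = "Auditor enabled because the server did not send X-XSS-Protection.";
        return decision;
    }
    std::string reason, reportURL;
    XSSProtectionDisposition parsed = parseXSSProtectionHeader(*header, reason, reportURL);
    if (parsed == XSSProtectionDisposition::Invalid) {
        decision.remark = "Error parsing X-XSS-Protection (" + reason + "); default protections applied.";
        return decision;
    }
    decision.disposition = parsed;
    return decision;
}

int main()
{
    // Constructed sample header values, including two malformed ones.
    const char* samples[] = { "1; mode=block", "0", "1; report=https://example.test/r", "1; mode=filter", "" };
    for (const char* sample : samples) {
        AuditorDecision d = decideXSSProtection(sample);
        std::cout << '"' << sample << "\" -> disposition " << static_cast<int>(d.disposition) << ' ' << d.remark << '\n';
    }
    std::cout << "(no header) -> " << decideXSSProtection(std::nullopt).remark << '\n';
}
```

The point worth noticing is the direction of the fallback: a header the parser rejects does not turn the filter off, it leaves the auditor at its Enabled default and records why, so a server that wants the filter disabled has to send a value that parses cleanly. Updated expectation files for the malformed-xss-protection-header tests in this changeset are where that remark text surfaces.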

  • trunk/LayoutTests/ChangeLog

    r199523 r199525  
     12016-04-13  Daniel Bates  <dabates@apple.com>
     2
     3        CSP: Remove experimental directive reflected-xss
     4        https://bugs.webkit.org/show_bug.cgi?id=156554
     5
     6        Reviewed by Brent Fulgham.
     7
     8        Remove tests for directive reflected-xss and update the expected results of existing XSS Auditor tests
     9        to reflect the change made to the wording of the error message emitted when an XSS attack is blocked.
     10
     11        * fast/frames/xss-auditor-handles-file-urls-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Removed.
     13        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Removed.
     14        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Removed.
     15        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Removed.
     16        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Removed.
     17        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Removed.
     18        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Removed.
     19        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Removed.
     20        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Removed.
     21        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Removed.
     22        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Removed.
     23        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Removed.
     24        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Removed.
     25        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Removed.
     26        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Removed.
     27        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Removed.
     28        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Removed.
     29        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Removed.
     30        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Removed.
     31        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Removed.
     32        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Removed.
     33        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Removed.
     34        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Removed.
     35        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Removed.
     36        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Removed.
     37        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Removed.
     38        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Removed.
     39        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Removed.
     40        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Removed.
     41        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Removed.
     42        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Removed.
     43        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Removed.
     44        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Removed.
     45        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Removed.
     46        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Removed.
     47        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Removed.
     48        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Removed.
     49        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Removed.
     50        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Removed.
     51        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Removed.
     52        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Removed.
     53        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Removed.
     54        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Removed.
     55        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Removed.
     56        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Removed.
     57        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Removed.
     58        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Removed.
     59        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Removed.
     60        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Removed.
     61        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Removed.
     62        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Removed.
     63        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Removed.
     64        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Removed.
     65        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Removed.
     66        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Removed.
     67        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Removed.
     68        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Removed.
     69        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Removed.
     70        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Removed.
     71        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Removed.
     72        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Removed.
     73        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Removed.
     74        * http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Removed.
     75        * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
     76        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
     77        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
     78        * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
     79        * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
     80        * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
     81        * http/tests/security/xssAuditor/base-href-expected.txt:
     82        * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
     83        * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
     84        * http/tests/security/xssAuditor/cookie-injection-expected.txt:
     85        * http/tests/security/xssAuditor/dom-write-URL-expected.txt:
     86        * http/tests/security/xssAuditor/dom-write-location-expected.txt:
     87        * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
     88        * http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
     89        * http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
     90        * http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
     91        * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
     92        * http/tests/security/xssAuditor/embed-tag-expected.txt:
     93        * http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt:
     94        * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
     95        * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
     96        * http/tests/security/xssAuditor/form-action-expected.txt:
     97        * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
     98        * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
     99        * http/tests/security/xssAuditor/frameset-injection-expected.txt:
     100        * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
     101        * http/tests/security/xssAuditor/get-from-iframe-expected.txt:
     102        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
     103        * http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
     104        * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
     105        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
     106        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
     107        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
     108        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
     109        * http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
     110        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
     111        * http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
     112        * http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt:
     113        * http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
     114        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
     115        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
     116        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
     117        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
     118        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
     119        * http/tests/security/xssAuditor/img-tag-with-comma-expected.txt:
     120        * http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
     121        * http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
     122        * http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
     123        * http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
     124        * http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
     125        * http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
     126        * http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
     127        * http/tests/security/xssAuditor/javascript-link-expected.txt:
     128        * http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
     129        * http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
     130        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
     131        * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
     132        * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
     133        * http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
     134        * http/tests/security/xssAuditor/link-onclick-expected.txt:
     135        * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
     136        * http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
     137        * http/tests/security/xssAuditor/malformed-HTML-expected.txt:
     138        * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
     139        * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
     140        * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
     141        * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
     142        * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
     143        * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
     144        * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
     145        * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
     146        * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
     147        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
     148        * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
     149        * http/tests/security/xssAuditor/object-embed-tag-expected.txt:
     150        * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
     151        * http/tests/security/xssAuditor/object-tag-expected.txt:
     152        * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
     153        * http/tests/security/xssAuditor/open-attribute-body-expected.txt:
     154        * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
     155        * http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
     156        * http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
     157        * http/tests/security/xssAuditor/open-iframe-src-03-expected.txt:
     158        * http/tests/security/xssAuditor/open-script-src-01-expected.txt:
     159        * http/tests/security/xssAuditor/open-script-src-02-expected.txt:
     160        * http/tests/security/xssAuditor/open-script-src-03-expected.txt:
     161        * http/tests/security/xssAuditor/open-script-src-04-expected.txt:
     162        * http/tests/security/xssAuditor/post-from-iframe-expected.txt:
     163        * http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
     164        * http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
     165        * http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
     166        * http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
     167        * http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
     168        * http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
     169        * http/tests/security/xssAuditor/property-escape-expected.txt:
     170        * http/tests/security/xssAuditor/property-escape-long-expected.txt:
     171        * http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
     172        * http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
     173        * http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
     174        * http/tests/security/xssAuditor/reflection-in-path-expected.txt:
     175        * http/tests/security/xssAuditor/resources/echo-intertag.pl:
     176        * http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
     177        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
     178        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
     179        * http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
     180        * http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
     181        * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
     182        * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
     183        * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
     184        * http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
     185        * http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
     186        * http/tests/security/xssAuditor/script-tag-entities-expected.txt:
     187        * http/tests/security/xssAuditor/script-tag-expected.txt:
     188        * http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
     189        * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
     190        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
     191        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
     192        * http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
     193        * http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
     194        * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
     195        * http/tests/security/xssAuditor/script-tag-post-expected.txt:
     196        * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
     197        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
     198        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
     199        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
     200        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
     201        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
     202        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
     203        * http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
     204        * http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
     205        * http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
     206        * http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
     207        * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
     208        * http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
     209        * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
     210        * http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
     211        * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
     212        * http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
     213        * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
     214        * http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
     215        * http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
     216        * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
     217        * http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
     218        * http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
     219        * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
     220        * http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
     221        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
     222        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
     223        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
     224        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
     225        * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
     226        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
     227        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
     228        * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
     229        * http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
     230        * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
     231        * http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
     232        * http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt:
     233        * http/tests/security/xssAuditor/svg-animate-expected.txt:
     234        * http/tests/security/xssAuditor/svg-script-tag-expected.txt:
     235        * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
     236        * http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
     237        * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
     238
    12392016-04-13  Michael Saboff  <msaboff@apple.com>
    2240
  • trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
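Review bot: the rewritten trailing sentence, "The auditor was enabled because the server did not send an 'X-XSS-Protection' header.", is inaccurate for this particular test: its name (xss-auditor-handles-file-urls) and the blocked source ('html;base64,...') show a file:/data: style load where there is no server and no response headers at all, so "the server did not send" describes something that could never have happened. The previous wording had the same problem, but since this change is already rewriting that sentence, a transport-neutral form such as "because no 'X-XSS-Protection' header was received" would be correct for file:, data: and HTTP loads alike, and this baseline would be the one to catch the difference.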
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script>' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
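Review bot: this hunk and every following http/tests/security/xssAuditor/*-expected.txt hunk make the same single-sentence substitution in a console-message baseline, which means the expected files pin the exact explanatory text rather than the block/allow decision. That is fine for this change, but please confirm the baselines were produced by running the tests and rebaselining rather than by a textual search-and-replace over the -expected.txt files: only a real run would surface a test whose blocking outcome shifted as a side effect of the reflected-xss removal, and a text replace would silently hide that behind an identical-looking one-line diff.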
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#<script>alert('XS%41S')</script>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#<script>alert('XS%41S')</script>' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: This is a safe script.
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: This is a safe script.
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: This is a safe script.
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: This is a safe script.
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: PASS
    33
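Review bot: the message in this baseline still reads "The XSS Auditor refused to execute a script in ..." even though what was blocked here is a reflected `<meta http-equiv="Set-Cookie" ...>` element, not a script (the ALERT: PASS line confirms the cookie injection was prevented). The "execute a script" wording predates this change and the hunk only swaps the trailing sentence, so no action is required for landing, but since the console error text is being revised anyway it would be a good moment to make the first sentence cover non-script injections as well.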
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt

    r178527 r199525  
    1 CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute-2.html&q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute-2.html&q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute.html&q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute.html&q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-control-char.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-control-char.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt

    r195073 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-intertag.pl/%3Cembed%20height=%22500%22src=%22https://127.0.0.1:8443/security/xssAuditor/resources/dummy.swf%22.xml&clutter=%3Cp%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-intertag.pl/%3Cembed%20height=%22500%22src=%22https://127.0.0.1:8443/security/xssAuditor/resources/dummy.swf%22.xml&clutter=%3Cp%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22Check that the XSSAuditor catches reflected tags in path components
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-javascript-url.html&q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-javascript-url.html&q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-null-char.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-null-char.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&notifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&notifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: Form action set to about:blank
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: formaction present on BUTTON with value of about:blank
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22ALERT: formaction present on INPUT with value of about:blank
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/frameset-injection.html&inHead=1&q=%3Cframeset%3E%3Cframe%20src='data:text/html,%3Cscript%3Ealert(0)%3C/script%3E'%3E%3C/frameset%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/frameset-injection.html&inHead=1&q=%3Cframeset%3E%3Cframe%20src='data:text/html,%3Cscript%3Ealert(0)%3C/script%3E'%3E%3C/frameset%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-no-inherit.html&q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-no-inherit.html&q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22This tests that the header X-XSS-Protection is not inherited by the iframe below:
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=%2Fsecurity%2FxssAuditor%2Fget-from-iframe.html&notifyDone=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=%2Fsecurity%2FxssAuditor%2Fget-from-iframe.html&notifyDone=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-injection.html&q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-injection.html&q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url.html&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url.html&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-more-encoding.html&q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-more-encoding.html&q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode.html&q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode.html&q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html&q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html&q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html&q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html&q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-url-encoded.html&q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-url-encoded.html&q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-GBK-char.html&charset=GBK&q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-GBK-char.html&charset=GBK&q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-in-svg-tag.html&q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-in-svg-tag.html&q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22 Test that dangerous attributes are still filtered in netsted script contexts.
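Review bot: the unchanged context line 2 in this expectation carries the typo "netsted" (should be "nested") in the test description "Test that dangerous attributes are still filtered in netsted script contexts." Since this file is being regenerated anyway, consider correcting the description in iframe-onload-in-svg-tag.html (the test named in the URL on line 1) and updating the expectation in the same change, so the file does not need a third rewrite later.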
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-srcdoc.html&q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-srcdoc.html&q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt

    r158676 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-frame-src.pl?q=%22srcdoc=%22%3Cscript%3Ealert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-frame-src.pl?q=%22srcdoc=%22%3Cscript%3Ealert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22Catch injected srcdoc properties when there is punctuation enabling the auditor
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-GBK-char.html&charset=GBK&q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-GBK-char.html&charset=GBK&q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-accented-char.html&q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-accented-char.html&q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char.html&q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char.html&q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char2.html&q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char2.html&q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-tag-with-comma-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-tag-with-comma.html&clutter=,&q=%3cimg%20src=x%20onerror=%22[]&q2=alert(1)%22%3c' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-tag-with-comma.html&clutter=,&q=%3cimg%20src=x%20onerror=%22[]&q2=alert(1)%22%3c' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
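Review bot: the unchanged context line 3 in this expectation has several typos in the test description: "resovles" (resolves), "occuring" (occurring) and "its as if" (it's as if). As with the other expectation files in this changeset, the file is already being regenerated, so fixing the description in img-tag-with-comma.html (named in the URL on line 1) alongside this change would avoid another churn of the expected output; the description itself is useful since it documents the IIS parameter-concatenation case (?a=1&a=2 treated as ?a=1,2) that the test covers.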
  • trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/inline-event-HTML-entities.html&q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/inline-event-HTML-entities.html&q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-ampersand.html&q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-ampersand.html&q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-control-char.html&q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-control-char.html&q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-entities.html&q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-entities.html&q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick.html&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick.html&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-null-char.html&q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-null-char.html&q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-opens-new-window.html&notifyDone=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-opens-new-window.html&notifyDone=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22Click me
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-HTML.html&q=%3Ca%3Cimg/src/onerror=alert(1)//%3C' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-HTML.html&q=%3Ca%3Cimg/src/onerror=alert(1)//%3C' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-1.html&notifyDone=1&malformed-header=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-1.html&notifyDone=1&malformed-header=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported.
    44
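Review bot: the reworded remark on line 2 is inaccurate for this test, and the inaccuracy is now more pronounced than before. Line 1 shows that the server did send an X-XSS-Protection header (the malformed value `12345678901234567`) and that the parser fell back to the default protections, yet line 2 now states that the auditor was enabled "because the server did not send an 'X-XSS-Protection' header". A site operator reading this console error would conclude their header never reached the browser, when the real problem is that it failed to parse. The previous wording ("sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header") was equally wrong, so this is not a regression, but since the remark text is being changed anyway, consider tying it to whether the header parsed rather than to the resulting disposition: emit the "did not send" remark only when no header was present, and either omit it or say the header was malformed when a parse error was reported. The same comment applies to the malformed-xss-protection-header-2 through -9 hunks below, which all pair a parse-error message on line 1 with the "did not send" remark on line 2.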
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-2.html&notifyDone=1&malformed-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-2.html&notifyDone=1&malformed-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-3.html&notifyDone=1&malformed-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-3.html&notifyDone=1&malformed-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-4.html&notifyDone=1&malformed-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-4.html&notifyDone=1&malformed-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-5.html&notifyDone=1&malformed-header=5&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-5.html&notifyDone=1&malformed-header=5&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-6.html&notifyDone=1&malformed-header=6&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-6.html&notifyDone=1&malformed-header=6&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-7.html&notifyDone=1&malformed-header=7&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-7.html&notifyDone=1&malformed-header=7&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-8.html&notifyDone=1&malformed-header=8&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-8.html&notifyDone=1&malformed-header=8&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error
    44
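Review bot: minor style point on the unchanged context line 3 of this file: "when there is an duplicate mode directive" should read "a duplicate mode directive" (compare the wording of the -9 test below, "a duplicate report directive"). Since this expected-output file is already being regenerated for the remark change, fixing the test description in the same commit avoids touching the file a second time.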
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt

    r176413 r199525  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-9.html&notifyDone=1&malformed-header=9&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-9.html&notifyDone=1&malformed-header=9&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    3 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     3CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    44
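Review bot: the only change in this expectation is the closing remark, which goes from "enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header" to "enabled because the server did not send an 'X-XSS-Protection' header", so the message now attributes the auditor's activation solely to the missing X-XSS-Protection header and no longer mentions Content-Security-Policy; the blocked-script URL (including the %05 control character in the dummy.swf src), the reported line number and the three-message repeat count are unchanged, which is what a pure wording rebaseline should look like. Worth double-checking that the other rebaselined expectations in this changeset carry the identical sentence, since a leftover "as" or "neither ... nor" in any of them would turn the test red.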
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    3 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     3CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    3 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     3CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    44
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag-javascript-url.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag-javascript-url.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-event-handler-iframe.html&q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-event-handler-iframe.html&q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-iframe-src-03.html&q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&clutter=xxx%22%3E%3C/iframe%3E&notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-iframe-src-03.html&q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&clutter=xxx%22%3E%3C/iframe%3E&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=%22alert(1)//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=%22alert(1)//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&q=%22%20%22%20onload=alert(3)%3C!--' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&q=%22%20%22%20onload=alert(3)%3C!--' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532)' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(1)-%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(1)-%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(2)-%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(2)-%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(3)-%27%22%27%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(3)-%27%22%27%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt

    r194978 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-form-action.pl/%22%20onmouseover=%22JavaScript:alert(document.domain)%22%20name=%22?m=login' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-form-action.pl/%22%20onmouseover=%22JavaScript:alert(document.domain)%22%20name=%22?m=login' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

    r176413 r199525  
    6363    if ($cgi->param('malformed-header') == 9) {
    6464        print "X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;\n";
    65     }
    66 }
    67 
    68 if (defined($cgi->param('csp'))) {
    69     if ($cgi->param('csp') eq '_empty_') {
    70         print "X-WebKit-CSP: reflected-xss\n";
    71     } else {
    72         print "X-WebKit-CSP: reflected-xss " . $cgi->param('csp') . "\n";
    7365    }
    7466}
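Review bot: with the `csp` branch removed (old lines 68-72), any test page that still passes a `csp=` query parameter to echo-intertag.pl will receive no X-WebKit-CSP header and silently take the plain code path, so the xssAuditor tests should be grepped for `csp=` before landing and any remaining callers deleted rather than left passing vacuously; the retained `malformed-header` block is fine, since X-XSS-Protection parsing is not touched by this change.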
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char.html&charset=Big5&q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char.html&charset=Big5&q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char-twice-url-encode.html&charset=Big5&q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char-twice-url-encode.html&charset=Big5&q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char2.html&charset=Big5&q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char2.html&charset=Big5&q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-control-char.html&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-control-char.html&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-convoluted.html&q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-convoluted.html&q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-entities.html&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-entities.html&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag.html&q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag.html&q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-expression-follows.html&script-expression-follows=1&q=%3Cscript%3Ealert('XSS')' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-expression-follows.html&script-expression-follows=1&q=%3Cscript%3Ealert('XSS')' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag.html&q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag.html&q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag2.html&clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&q=%3Csvg%3E%3Cscript%3E%3C!--&q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag2.html&clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&q=%3Csvg%3E%3Cscript%3E%3C!--&q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with <!-- comments -->.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    33 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with nested script blocks.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=%3Cscript%3E%22%3Cscript%3E%22-alert(/XSS/)' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=%3Cscript%3E%22%3Cscript%3E%22-alert(/XSS/)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-null-char.html&q=%3Cscript%3Eal%00ert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-null-char.html&q=%3Cscript%3Eal%00ert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-control-char.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-control-char.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-null-char.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-null-char.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html&q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html&q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode5.html&q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode5.html&q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-actual-comma.html&q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-actual-comma.html&q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33Test that the XSSAuditor's tolerance for the IIS webserver's comma concatenation doesn't open holes when the reflected argument contains an actual comma. The test passes if the XSSAuditor logs console messages and no alerts fire.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt

    r176413 r199525  
    22main frame - didFinishDocumentLoadForFrame
    33frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
    4 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-callbacks.html&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     4CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-callbacks.html&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    55didDetectXSS
    66frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-01.html&clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-01.html&clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
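Review bot: The unchanged context line 3 carries three typos in the test description ("resovles", "multiply occuring", and "its as if") that should read "resolves", "multiply occurring", and "it's as if"; the same text appears in script-tag-with-comma-02-expected.txt. It is outside the scope of this change, so a follow-up that fixes the description in both the test HTML and the expectation files would be the right place for it.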
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-02.html&clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-02.html&clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-fancy-unicode.html&q=%3Cscript%3E%u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-fancy-unicode.html&q=%3Cscript%3E%u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt

    r194979 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&q=%3Cscript%3E/*%3C!CDATA[*/alert(/XSS/)&q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&q=%3Cscript%3E/*%3C!CDATA[*/alert(/XSS/)&q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-closing-tag.html&clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-closing-tag.html&clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-url-encoding.html&q=%3Cscript%3Ealert(1%1)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-url-encoding.html&q=%3Cscript%3Ealert(1%1)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-control-char.html&q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-control-char.html&q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url.html&q=%3Cscript%20src=%22data:,alert(1)%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url.html&q=%3Cscript%20src=%22data:,alert(1)%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url2.html&clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)//&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url2.html&clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)//&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url3.html&clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)%3C!----&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url3.html&clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)%3C!----&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-double-quote.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-double-quote.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-entities.html&q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-entities.html&q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source.html&q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source.html&q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-no-quote.html&q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-no-quote.html&q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-null-char.html&q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-null-char.html&q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-relative-scheme.html&q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-relative-scheme.html&q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-same-host-with-query.html&q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-same-host-with-query.html&q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-01.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-01.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-02.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-02.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-03.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&q2=%22%3E%3C/script%3E&clutter=xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-03.html&q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&q2=%22%3E%3C/script%3E&clutter=xss.js?' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html&q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html&q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment-U2028.html&q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment-U2028.html&q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment.html&clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E/*&q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment.html&clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E/*&q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment2.html&clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3E//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment2.html&clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3E//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment3.html&clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E%20%0a%3C!--&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment3.html&clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E%20%0a%3C!--&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment4.html&q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment4.html&q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment5.html&clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment5.html&clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt

    r198377 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/xss/)-1%2502%3Cscript%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/xss/)-1%2502%3Cscript%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-animate.html&q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-animate.html&q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-script-tag.html&q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-script-tag.html&q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-big5.html&q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5&notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-big5.html&q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt

    r145503 r199525  
    1 CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
    33
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt

    r176413 r199525  
    1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-sjis.html&q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis&notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-sjis.html&q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
    22
  • trunk/Source/WebCore/ChangeLog

    r199524 r199525  
     12016-04-13  Daniel Bates  <dabates@apple.com>
     2
     3        CSP: Remove experimental directive reflected-xss
     4        https://bugs.webkit.org/show_bug.cgi?id=156554
     5
     6        Reviewed by Brent Fulgham.
     7
     8        The Content Security Policy directive reflected-xss was removed from the Content Security
     9        Policy Level 2 spec., <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).
     10        This directive was considered experimental and was guarded by a run-time flag that was never
     11        enabled by default. We should remove support for this directive.
     12
     13        * html/parser/XSSAuditor.cpp:
     14        (WebCore::XSSAuditor::XSSAuditor): Initialize m_xssProtection to XSSProtectionDisposition::Enabled.
     15        (WebCore::XSSAuditor::init): Write logic in terms of enum class XSSProtectionDisposition.
     16        (WebCore::XSSAuditor::filterToken): Ditto.
     17        (WebCore::combineXSSProtectionHeaderAndCSP): Deleted.
     18        * html/parser/XSSAuditor.h: Change data type of m_xssProtection from ContentSecurityPolicy::ReflectedXSSDisposition
     19        to XSSProtectionDisposition.
     20        * html/parser/XSSAuditorDelegate.cpp: Ditto.
     21        (WebCore::buildConsoleError): Remove logic to emit a remarks in the console error when a XSS is
     22        blocked because of the directive reflected-xss. Also substituted "because" for "as" in the remark
     23        added to the error message when the XSS Auditor is enabled because the server did not send HTTP
     24        header X-XSS-Protection.
     25        * html/parser/XSSAuditorDelegate.h:
     26        (WebCore::XSSInfo::XSSInfo): Removed argument didSendCSPHeader as we are removing support for the
     27        directive reflected-xss.
     28        * page/csp/ContentSecurityPolicy.cpp:
     29        (WebCore::ContentSecurityPolicy::reflectedXSSDisposition): Deleted.
     30        (WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS): Deleted.
     31        * page/csp/ContentSecurityPolicy.h:
     32        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
     33        (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Remove initialization
     34        of m_reflectedXSSDisposition as we are removing support for the directive reflected-xss.
     35        (WebCore::ContentSecurityPolicyDirectiveList::parseReflectedXSS): Deleted.
     36        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Remove logic to parse directive reflected-xss.
     37        * page/csp/ContentSecurityPolicyDirectiveList.h:
     38        (WebCore::ContentSecurityPolicyDirectiveList::reflectedXSSDisposition): Deleted.
     39        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
     40        * page/csp/ContentSecurityPolicyDirectiveNames.h:
     41        * page/csp/ContentSecurityPolicySourceList.cpp:
     42        (WebCore::isCSPDirectiveName):
     43        (WebCore::isExperimentalDirectiveName): Deleted.
     44        * platform/network/HTTPParsers.cpp:
     45        (WebCore::parseXSSProtectionHeader): Write it terms of enum class XSSProtectionDisposition.
     46        * platform/network/HTTPParsers.h: Define enum class XSSProtectionDisposition. Change return type
     47        of parseXSSProtectionHeader() from ContentSecurityPolicy::ReflectedXSSDisposition to XSSProtectionDisposition
     48        as we are removing the former.
     49
    1502016-04-13  Brady Eidson  <beidson@apple.com>
    251
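Review bot: the ChangeLog entry for html/parser/XSSAuditorDelegate.cpp reads "Ditto", but the preceding entry describes changing the data type of m_xssProtection in XSSAuditor.h, which is not what changed in the delegate; the delegate change is the buildConsoleError() message rewrite described on the following lines, so drop the "Ditto" there. Two small wording fixes in the same entry: "emit a remarks in the console error when a XSS is" should be "emit a remark in the console error when an XSS is", and in the platform/network/HTTPParsers.cpp entry "Write it terms of enum class" should be "Write it in terms of enum class".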
  • trunk/Source/WebCore/html/parser/XSSAuditor.cpp

    r198377 r199525  
    2828#include "XSSAuditor.h"
    2929
    30 #include "ContentSecurityPolicy.h"
    3130#include "DecodeEscapeSequences.h"
    3231#include "Document.h"
     
    227226}
    228227
    229 static ContentSecurityPolicy::ReflectedXSSDisposition combineXSSProtectionHeaderAndCSP(ContentSecurityPolicy::ReflectedXSSDisposition xssProtection, ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSS)
    230 {
    231     ContentSecurityPolicy::ReflectedXSSDisposition result = std::max(xssProtection, reflectedXSS);
    232 
    233     if (result == ContentSecurityPolicy::ReflectedXSSInvalid || result == ContentSecurityPolicy::FilterReflectedXSS || result == ContentSecurityPolicy::ReflectedXSSUnset)
    234         return ContentSecurityPolicy::FilterReflectedXSS;
    235 
    236     return result;
    237 }
    238 
    239228static bool isSemicolonSeparatedAttribute(const HTMLToken::Attribute& attribute)
    240229{
     
    255244XSSAuditor::XSSAuditor()
    256245    : m_isEnabled(false)
    257     , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS)
    258     , m_didSendValidCSPHeader(false)
     246    , m_xssProtection(XSSProtectionDisposition::Enabled)
    259247    , m_didSendValidXSSProtectionHeader(false)
    260248    , m_state(Uninitialized)
     
    326314        String errorDetails;
    327315        unsigned errorPosition = 0;
    328         String reportURL;
    329         URL xssProtectionReportURL;
    330 
    331         // Process the X-XSS-Protection header, then mix in the CSP header's value.
    332         ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
    333         m_didSendValidXSSProtectionHeader = xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSUnset && xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
    334         if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) {
    335             xssProtectionReportURL = document->completeURL(reportURL);
    336             if (MixedContentChecker::isMixedContent(document->securityOrigin(), xssProtectionReportURL)) {
     316        String parsedReportURL;
     317        URL reportURL;
     318        m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, parsedReportURL);
     319        m_didSendValidXSSProtectionHeader = !headerValue.isNull() && m_xssProtection != XSSProtectionDisposition::Invalid;
     320
     321        if ((m_xssProtection == XSSProtectionDisposition::Enabled || m_xssProtection == XSSProtectionDisposition::BlockEnabled) && !parsedReportURL.isEmpty()) {
     322            reportURL = document->completeURL(parsedReportURL);
     323            if (MixedContentChecker::isMixedContent(document->securityOrigin(), reportURL)) {
    337324                errorDetails = "insecure reporting URL for secure page";
    338                 xssProtectionHeader = ContentSecurityPolicy::ReflectedXSSInvalid;
    339                 xssProtectionReportURL = URL();
     325                m_xssProtection = XSSProtectionDisposition::Invalid;
     326                reportURL = URL();
     327                m_didSendValidXSSProtectionHeader = false;
    340328            }
    341329        }
    342         if (xssProtectionHeader == ContentSecurityPolicy::ReflectedXSSInvalid)
     330        if (m_xssProtection == XSSProtectionDisposition::Invalid) {
    343331            document->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Error parsing header X-XSS-Protection: " + headerValue + ": "  + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied.");
    344 
    345         ContentSecurityPolicy::ReflectedXSSDisposition cspHeader = document->contentSecurityPolicy()->reflectedXSSDisposition();
    346         m_didSendValidCSPHeader = cspHeader != ContentSecurityPolicy::ReflectedXSSUnset && cspHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
    347 
    348         m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader);
    349         // FIXME: Combine the two report URLs in some reasonable way.
     332            m_xssProtection = XSSProtectionDisposition::Enabled;
     333        }
     334
    350335        if (auditorDelegate)
    351             auditorDelegate->setReportURL(xssProtectionReportURL.isolatedCopy());
     336            auditorDelegate->setReportURL(reportURL.isolatedCopy());
    352337        FormData* httpBody = documentLoader->originalRequest().httpBody();
    353338        if (httpBody && !httpBody->isEmpty()) {
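Review bot: the new line `m_didSendValidXSSProtectionHeader = !headerValue.isNull() && m_xssProtection != XSSProtectionDisposition::Invalid;` changes behaviour for a present-but-empty or whitespace-only X-XSS-Protection header. The old code required the parsed result to differ from ReflectedXSSUnset, which parseXSSProtectionHeader() returned when it ran out of input; the new parser returns XSSProtectionDisposition::Enabled on that same path, so a blank header is now counted as a valid header and buildConsoleError() will say the server sent an 'X-XSS-Protection' header requesting this behavior where it previously said no header was sent. If that is intended, call it out in the ChangeLog; otherwise check for blank input here (for example `!headerValue.stripWhiteSpace().isEmpty()` in place of `!headerValue.isNull()`) or have the parser signal empty input distinctly.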
     
    372357{
    373358    ASSERT(m_state == Initialized);
    374     if (!m_isEnabled || m_xssProtection == ContentSecurityPolicy::AllowReflectedXSS)
     359    if (!m_isEnabled || m_xssProtection == XSSProtectionDisposition::Disabled)
    375360        return nullptr;
    376361
     
    388373        return nullptr;
    389374
    390     bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
    391     return std::make_unique<XSSInfo>(m_documentURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader, m_didSendValidCSPHeader);
     375    bool didBlockEntirePage = m_xssProtection == XSSProtectionDisposition::BlockEnabled;
     376    return std::make_unique<XSSInfo>(m_documentURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader);
    392377}
    393378
  • trunk/Source/WebCore/html/parser/XSSAuditor.h

    r195074 r199525  
    107107    bool m_isEnabled;
    108108
    109     ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
    110     bool m_didSendValidCSPHeader;
     109    XSSProtectionDisposition m_xssProtection;
    111110    bool m_didSendValidXSSProtectionHeader;
    112111
  • trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp

    r196664 r199525  
    6262    message.appendLiteral(" was found within the request.");
    6363
    64     if (xssInfo.m_didSendCSPHeader)
    65         message.appendLiteral(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
    66     else if (xssInfo.m_didSendXSSProtectionHeader)
     64    if (xssInfo.m_didSendXSSProtectionHeader)
    6765        message.appendLiteral(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
    6866    else
    69         message.appendLiteral(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
     67        message.appendLiteral(" The auditor was enabled because the server did not send an 'X-XSS-Protection' header.");
    7068
    7169    return message.toString();
  • trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h

    r165986 r199525  
    3939class XSSInfo {
    4040public:
    41     XSSInfo(const String& originalURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
     41    XSSInfo(const String& originalURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader)
    4242        : m_originalURL(originalURL.isolatedCopy())
    4343        , m_didBlockEntirePage(didBlockEntirePage)
    4444        , m_didSendXSSProtectionHeader(didSendXSSProtectionHeader)
    45         , m_didSendCSPHeader(didSendCSPHeader)
    4645    {
    4746    }
     
    5049    bool m_didBlockEntirePage;
    5150    bool m_didSendXSSProtectionHeader;
    52     bool m_didSendCSPHeader;
    5351    TextPosition m_textPosition;
    5452};
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

    r198951 r199525  
    524524}
    525525
    526 ContentSecurityPolicy::ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const
    527 {
    528     ReflectedXSSDisposition disposition = ReflectedXSSUnset;
    529     for (auto& policy : m_policies) {
    530         if (policy->reflectedXSSDisposition() > disposition)
    531             disposition = std::max(disposition, policy->reflectedXSSDisposition());
    532     }
    533     return disposition;
    534 }
    535 
    536526static String stripURLForUseInReport(Document& document, const URL& url)
    537527{
     
    678668}
    679669
    680 void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue) const
    681 {
    682     logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Value values are \"allow\", \"filter\", and \"block\".");
    683 }
    684 
    685670void ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode(const String& directiveName) const
    686671{
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

    r198657 r199525  
    6666    void didCreateWindowShell(JSDOMWindowShell&) const;
    6767
    68     // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
    69     enum ReflectedXSSDisposition {
    70         ReflectedXSSUnset = 0,
    71         AllowReflectedXSS,
    72         ReflectedXSSInvalid,
    73         FilterReflectedXSS,
    74         BlockReflectedXSS
    75     };
    76     ReflectedXSSDisposition reflectedXSSDisposition() const;
    77 
    7868    enum class PolicyFrom {
    7969        HTTPEquivMeta,
     
    131121    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
    132122    void reportInvalidSandboxFlags(const String&) const;
    133     void reportInvalidReflectedXSS(const String&) const;
    134123    void reportInvalidDirectiveInReportOnlyMode(const String&) const;
    135124    void reportInvalidDirectiveInHTTPEquivMeta(const String&) const;
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

    r198936 r199525  
    102102    , m_reportOnly(false)
    103103    , m_haveSandboxPolicy(false)
    104     , m_reflectedXSSDisposition(ContentSecurityPolicy::ReflectedXSSUnset)
    105104{
    106105    m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
     
    434433    if (!invalidTokens.isNull())
    435434        m_policy.reportInvalidSandboxFlags(invalidTokens);
    436 }
    437 
    438 void ContentSecurityPolicyDirectiveList::parseReflectedXSS(const String& name, const String& value)
    439 {
    440     if (m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) {
    441         m_policy.reportDuplicateDirective(name);
    442         m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
    443         return;
    444     }
    445 
    446     if (value.isEmpty()) {
    447         m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
    448         m_policy.reportInvalidReflectedXSS(value);
    449         return;
    450     }
    451 
    452     auto characters = StringView(value).upconvertedCharacters();
    453     const UChar* position = characters;
    454     const UChar* end = position + value.length();
    455 
    456     skipWhile<UChar, isASCIISpace>(position, end);
    457     const UChar* begin = position;
    458     skipWhile<UChar, isNotASCIISpace>(position, end);
    459 
    460     // value1
    461     //       ^
    462     if (equalLettersIgnoringASCIICase(begin, position - begin, "allow"))
    463         m_reflectedXSSDisposition = ContentSecurityPolicy::AllowReflectedXSS;
    464     else if (equalLettersIgnoringASCIICase(begin, position - begin, "filter"))
    465         m_reflectedXSSDisposition = ContentSecurityPolicy::FilterReflectedXSS;
    466     else if (equalLettersIgnoringASCIICase(begin, position - begin, "block"))
    467         m_reflectedXSSDisposition = ContentSecurityPolicy::BlockReflectedXSS;
    468     else {
    469         m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
    470         m_policy.reportInvalidReflectedXSS(value);
    471         return;
    472     }
    473 
    474     skipWhile<UChar, isASCIISpace>(position, end);
    475     if (position == end && m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset)
    476         return;
    477 
    478     // value1 value2
    479     //        ^
    480     m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
    481     m_policy.reportInvalidReflectedXSS(value);
    482435}
    483436
     
    528481    else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI))
    529482        parseReportURI(name, value);
    530 #if ENABLE(CSP_NEXT)
    531     else if (m_policy.experimentalFeaturesEnabled()) {
    532         if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reflectedXSS))
    533             parseReflectedXSS(name, value);
    534         else
    535             m_policy.reportUnsupportedDirective(name);
    536     }
    537 #endif
    538483    else
    539484        m_policy.reportUnsupportedDirective(name);
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

    r198936 r199525  
    7474
    7575    const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
    76     ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
    7776    bool isReportOnly() const { return m_reportOnly; }
    7877    const Vector<String>& reportURIs() const { return m_reportURIs; }
     
    8786    void parseReportURI(const String& name, const String& value);
    8887    void parsePluginTypes(const String& name, const String& value);
    89     void parseReflectedXSS(const String& name, const String& value);
    9088    void addDirective(const String& name, const String& value);
    9189    void applySandboxPolicy(const String& name, const String& sandboxPolicy);
     
    106104    bool m_reportOnly;
    107105    bool m_haveSandboxPolicy;
    108     ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition;
    109106
    110107    std::unique_ptr<ContentSecurityPolicyMediaListDirective> m_pluginTypes;
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp

    r198657 r199525  
    4747const char* const scriptSrc = "script-src";
    4848const char* const styleSrc = "style-src";
    49 
    50 #if ENABLE(CSP_NEXT)
    51 const char* const reflectedXSS = "reflected-xss";
    52 #endif
    5349   
    5450} // namespace ContentSecurityPolicyDirectiveNames
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h

    r198657 r199525  
    4747extern const char* const styleSrc;
    4848
    49 #if ENABLE(CSP_NEXT)
    50 extern const char* const reflectedXSS;
    51 #endif
    52 
    5349} // namespace ContentSecurityPolicyDirectiveNames
    5450
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

    r198936 r199525  
    3939namespace WebCore {
    4040
    41 static inline bool isExperimentalDirectiveName(const String& name)
    42 {
    43 #if ENABLE(CSP_NEXT)
    44     return equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reflectedXSS);
    45 #else
    46     UNUSED_PARAM(name);
    47     return false;
    48 #endif
    49 }
    50 
    5141static bool isCSPDirectiveName(const String& name)
    5242{
     
    6454        || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::sandbox)
    6555        || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::scriptSrc)
    66         || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::styleSrc)
    67         || isExperimentalDirectiveName(name);
     56        || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::styleSrc);
    6857}
    6958
  • trunk/Source/WebCore/platform/network/HTTPParsers.cpp

    r196223 r199525  
    3434#include "HTTPParsers.h"
    3535
    36 #include "ContentSecurityPolicy.h"
    3736#include <wtf/DateMath.h>
    3837#include <wtf/NeverDestroyed.h>
     
    365364}
    366365
    367 ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)
     366XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)
    368367{
    369368    static NeverDestroyed<String> failureReasonInvalidToggle(ASCIILiteral("expected 0 or 1"));
     
    379378
    380379    if (!skipWhiteSpace(header, pos, false))
    381         return ContentSecurityPolicy::ReflectedXSSUnset;
     380        return XSSProtectionDisposition::Enabled;
    382381
    383382    if (header[pos] == '0')
    384         return ContentSecurityPolicy::AllowReflectedXSS;
     383        return XSSProtectionDisposition::Disabled;
    385384
    386385    if (header[pos++] != '1') {
    387386        failureReason = failureReasonInvalidToggle;
    388         return ContentSecurityPolicy::ReflectedXSSInvalid;
    389     }
    390 
    391     ContentSecurityPolicy::ReflectedXSSDisposition result = ContentSecurityPolicy::FilterReflectedXSS;
     387        return XSSProtectionDisposition::Invalid;
     388    }
     389
     390    XSSProtectionDisposition result = XSSProtectionDisposition::Enabled;
    392391    bool modeDirectiveSeen = false;
    393392    bool reportDirectiveSeen = false;
     
    401400            failureReason = failureReasonInvalidSeparator;
    402401            failurePosition = pos;
    403             return ContentSecurityPolicy::ReflectedXSSInvalid;
     402            return XSSProtectionDisposition::Invalid;
    404403        }
    405404
     
    412411                failureReason = failureReasonDuplicateMode;
    413412                failurePosition = pos;
    414                 return ContentSecurityPolicy::ReflectedXSSInvalid;
     413                return XSSProtectionDisposition::Invalid;
    415414            }
    416415            modeDirectiveSeen = true;
     
    418417                failureReason = failureReasonInvalidEquals;
    419418                failurePosition = pos;
    420                 return ContentSecurityPolicy::ReflectedXSSInvalid;
     419                return XSSProtectionDisposition::Invalid;
    421420            }
    422421            if (!skipToken(header, pos, "block")) {
    423422                failureReason = failureReasonInvalidMode;
    424423                failurePosition = pos;
    425                 return ContentSecurityPolicy::ReflectedXSSInvalid;
    426             }
    427             result = ContentSecurityPolicy::BlockReflectedXSS;
     424                return XSSProtectionDisposition::Invalid;
     425            }
     426            result = XSSProtectionDisposition::BlockEnabled;
    428427        } else if (skipToken(header, pos, "report")) {
    429428            if (reportDirectiveSeen) {
    430429                failureReason = failureReasonDuplicateReport;
    431430                failurePosition = pos;
    432                 return ContentSecurityPolicy::ReflectedXSSInvalid;
     431                return XSSProtectionDisposition::Invalid;
    433432            }
    434433            reportDirectiveSeen = true;
     
    436435                failureReason = failureReasonInvalidEquals;
    437436                failurePosition = pos;
    438                 return ContentSecurityPolicy::ReflectedXSSInvalid;
     437                return XSSProtectionDisposition::Invalid;
    439438            }
    440439            size_t startPos = pos;
     
    442441                failureReason = failureReasonInvalidReport;
    443442                failurePosition = pos;
    444                 return ContentSecurityPolicy::ReflectedXSSInvalid;
     443                return XSSProtectionDisposition::Invalid;
    445444            }
    446445            reportURL = header.substring(startPos, pos - startPos);
     
    449448            failureReason = failureReasonInvalidDirective;
    450449            failurePosition = pos;
    451             return ContentSecurityPolicy::ReflectedXSSInvalid;
     450            return XSSProtectionDisposition::Invalid;
    452451        }
    453452    }
  • trunk/Source/WebCore/platform/network/HTTPParsers.h

    r188333 r199525  
    3232#define HTTPParsers_h
    3333
    34 #include "ContentSecurityPolicy.h"
    3534#include <wtf/Forward.h>
    3635#include <wtf/Optional.h>
    3736#include <wtf/Vector.h>
     37#include <wtf/text/WTFString.h>
    3838
    3939namespace WebCore {
     40
     41enum class XSSProtectionDisposition {
     42    Invalid,
     43    Disabled,
     44    Enabled,
     45    BlockEnabled,
     46};
    4047
    4148enum ContentDispositionType {
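Review bot: the new `enum class XSSProtectionDisposition` and the retyped `parseXSSProtectionHeader()` declaration carry no comment, and two facts about them are not obvious from the names: the enum has no "unset" member, so an absent or blank header parses to Enabled and callers must test for header presence themselves (XSSAuditor::init() does this with `!headerValue.isNull()`), and, unlike the deleted ContentSecurityPolicy::ReflectedXSSDisposition, the member order is no longer significant now that combineXSSProtectionHeaderAndCSP() and its std::max() are gone. A short comment above the enum and on the declaration of parseXSSProtectionHeader() stating both would keep a future caller from reintroducing an ordering-based comparison or treating Enabled as proof that a header was sent.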
     
    7178String extractCharsetFromMediaType(const String&);
    7279void findCharsetInMediaType(const String& mediaType, unsigned int& charsetPos, unsigned int& charsetLen, unsigned int start = 0);
    73 ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);
     80XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);
    7481String extractReasonPhraseFromHTTPStatusLine(const String&);
    7582XFrameOptionsDisposition parseXFrameOptionsHeader(const String&);