Changeset 145503 in webkit
- Timestamp:
- Mar 12, 2013 2:28:12 AM (11 years ago)
- Location:
- trunk
- Files:
-
- 208 edited
trunk/LayoutTests/ChangeLog
r145498 r145503 1 2013-03-12 Mike West <mkwst@chromium.org> 2 3 XSSAuditor should send only one console error when blocking a page. 4 https://bugs.webkit.org/show_bug.cgi?id=110733 5 6 Reviewed by Daniel Bates. 7 8 * fast/frames/xss-auditor-handles-file-urls-expected.txt: 9 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: 10 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: 11 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: 12 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: 13 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: 14 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: 15 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: 16 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: 17 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: 18 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: 19 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: 20 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: 21 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: 22 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: 23 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: 24 * 
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: 25 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: 26 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: 27 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: 28 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: 29 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: 30 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: 31 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: 32 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: 33 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: 34 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: 35 * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt: 36 * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt: 37 * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt: 38 * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt: 39 * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt: 40 * http/tests/security/xssAuditor/base-href-control-char-expected.txt: 41 * http/tests/security/xssAuditor/base-href-expected.txt: 42 * http/tests/security/xssAuditor/base-href-null-char-expected.txt: 43 * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt: 44 * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt: 45 * 
http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt: 46 * http/tests/security/xssAuditor/cached-frame-expected.txt: 47 * http/tests/security/xssAuditor/cookie-injection-expected.txt: 48 * http/tests/security/xssAuditor/dom-write-URL-expected.txt: 49 * http/tests/security/xssAuditor/dom-write-location-expected.txt: 50 * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt: 51 * http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt: 52 * http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt: 53 * http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt: 54 * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt: 55 * http/tests/security/xssAuditor/embed-tag-expected.txt: 56 * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt: 57 * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt: 58 * http/tests/security/xssAuditor/formaction-on-button-expected.txt: 59 * http/tests/security/xssAuditor/formaction-on-input-expected.txt: 60 * http/tests/security/xssAuditor/form-action-expected.txt: 61 * http/tests/security/xssAuditor/full-block-base-href-expected.txt: 62 * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt: 63 * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: 64 * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt: 65 * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: 66 * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: 67 * http/tests/security/xssAuditor/full-block-object-tag-expected.txt: 68 * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt: 69 * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt: 70 * http/tests/security/xssAuditor/full-block-script-tag-expected.txt: 71 * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: 72 * 
http/tests/security/xssAuditor/get-from-iframe-expected.txt: 73 * http/tests/security/xssAuditor/iframe-injection-expected.txt: 74 * http/tests/security/xssAuditor/iframe-javascript-url-expected.txt: 75 * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt: 76 * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt: 77 * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt: 78 * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt: 79 * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: 80 * http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt: 81 * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt: 82 * http/tests/security/xssAuditor/iframe-srcdoc-expected.txt: 83 * http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt: 84 * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: 85 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt: 86 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt: 87 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt: 88 * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt: 89 * http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt: 90 * http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt: 91 * http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt: 92 * http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt: 93 * http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt: 94 * http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt: 95 * http/tests/security/xssAuditor/javascript-link-control-char-expected.txt: 96 * http/tests/security/xssAuditor/javascript-link-expected.txt: 97 * 
http/tests/security/xssAuditor/javascript-link-null-char-expected.txt: 98 * http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt: 99 * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: 100 * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt: 101 * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt: 102 * http/tests/security/xssAuditor/link-onclick-entities-expected.txt: 103 * http/tests/security/xssAuditor/link-onclick-expected.txt: 104 * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt: 105 * http/tests/security/xssAuditor/link-opens-new-window-expected.txt: 106 * http/tests/security/xssAuditor/malformed-HTML-expected.txt: 107 * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt: 108 * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt: 109 * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt: 110 * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt: 111 * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt: 112 * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt: 113 * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt: 114 * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt: 115 * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt: 116 * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt: 117 * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt: 118 * http/tests/security/xssAuditor/object-embed-tag-expected.txt: 119 * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt: 120 * http/tests/security/xssAuditor/object-tag-expected.txt: 121 * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt: 122 * 
http/tests/security/xssAuditor/open-attribute-body-expected.txt: 123 * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt: 124 * http/tests/security/xssAuditor/open-iframe-src-01-expected.txt: 125 * http/tests/security/xssAuditor/open-iframe-src-02-expected.txt: 126 * http/tests/security/xssAuditor/open-script-src-01-expected.txt: 127 * http/tests/security/xssAuditor/open-script-src-02-expected.txt: 128 * http/tests/security/xssAuditor/open-script-src-03-expected.txt: 129 * http/tests/security/xssAuditor/open-script-src-04-expected.txt: 130 * http/tests/security/xssAuditor/post-from-iframe-expected.txt: 131 * http/tests/security/xssAuditor/property-escape-comment-01-expected.txt: 132 * http/tests/security/xssAuditor/property-escape-comment-02-expected.txt: 133 * http/tests/security/xssAuditor/property-escape-comment-03-expected.txt: 134 * http/tests/security/xssAuditor/property-escape-entity-01-expected.txt: 135 * http/tests/security/xssAuditor/property-escape-entity-02-expected.txt: 136 * http/tests/security/xssAuditor/property-escape-entity-03-expected.txt: 137 * http/tests/security/xssAuditor/property-escape-expected.txt: 138 * http/tests/security/xssAuditor/property-escape-long-expected.txt: 139 * http/tests/security/xssAuditor/property-escape-quote-01-expected.txt: 140 * http/tests/security/xssAuditor/property-escape-quote-02-expected.txt: 141 * http/tests/security/xssAuditor/property-escape-quote-03-expected.txt: 142 * http/tests/security/xssAuditor/report-script-tag-expected.txt: 143 * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt: 144 * http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt: 145 * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt: 146 * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt: 147 * http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt: 148 * 
http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt: 149 * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt: 150 * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt: 151 * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt: 152 * http/tests/security/xssAuditor/script-tag-control-char-expected.txt: 153 * http/tests/security/xssAuditor/script-tag-convoluted-expected.txt: 154 * http/tests/security/xssAuditor/script-tag-entities-expected.txt: 155 * http/tests/security/xssAuditor/script-tag-expected.txt: 156 * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt: 157 * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt: 158 * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt: 159 * http/tests/security/xssAuditor/script-tag-null-char-expected.txt: 160 * http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt: 161 * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt: 162 * http/tests/security/xssAuditor/script-tag-post-expected.txt: 163 * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt: 164 * http/tests/security/xssAuditor/script-tag-redirect-expected.txt: 165 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt: 166 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt: 167 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt: 168 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt: 169 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt: 170 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt: 171 * http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt: 172 * http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt: 173 * 
http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt: 174 * http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt: 175 * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt: 176 * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt: 177 * http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt: 178 * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt: 179 * http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt: 180 * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt: 181 * http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt: 182 * http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt: 183 * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt: 184 * http/tests/security/xssAuditor/script-tag-with-source-expected.txt: 185 * http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt: 186 * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt: 187 * http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt: 188 * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt: 189 * http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt: 190 * http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt: 191 * http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt: 192 * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt: 193 * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt: 194 * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt: 195 * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt: 196 * 
http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt: 197 * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt: 198 * http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt: 199 * http/tests/security/xssAuditor/svg-script-tag-expected.txt: 200 * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt: 201 * http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt: 202 * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt: 203 * http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt: 204 * http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt: 205 * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt: 206 * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt: 207 * platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt: 208 1 209 2013-03-12 Vsevolod Vlasov <vsevik@chromium.org> 2 210 -
trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
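Review bot: The new message wraps the URL in single quotes, but the value logged in this baseline itself contains a `'` (`...Pg=='%3E'`), so anyone parsing console output cannot reliably tell where the URL ends. Because the URL carries request-controlled text, I would expect the message to percent-encode the quote as `%27` before interpolation, or not to rely on quotes as delimiters. The logged value also begins at `html;base64,` with no scheme or path, which looks like harness path stripping rather than the real URL; a short comment in the test saying so would help. The code that formats the message is outside this section.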
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
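Review bot: The new expected message in this section attributes the full-page block to the 'Content-Security-Policy' header, yet the test name and the `csp=allow&enable-full-block=1` query suggest `reflected-xss` was `allow` and the block came from `X-XSS-Protection`. The allow-filter and allow-invalid sections pin the same CSP attribution although their description lines say "reflected-xss" is set to allow, and invalid-allow credits an 'X-XSS-Protection' header that its description says was set to allow. An operator reading the console would be sent to the wrong header when tuning the policy. I would have these baselines expect the header whose value actually produced the outcome, here `The server sent an 'X-XSS-Protection' header requesting this behavior.`; the code that builds the message is outside this section.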
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 3 2 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2 into the IFrame. 4 3 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to filter. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 3 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1 into the IFrame. 5 4 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to invalid. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 4 CONSOLE MESSAGE: Entire page will be blocked. 2 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 5 3 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 6 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 3 2 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1 into the IFrame. 4 3 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to allow. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 3 2 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2 into the IFrame. 4 3 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to filter. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 3 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1 into the IFrame. 5 4 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to invalid. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 3 2 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter into the IFrame. 4 3 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to unset. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block". 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 3 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1 into the IFrame. 5 4 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to allow. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block". 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 4 CONSOLE MESSAGE: Entire page will be blocked. 2 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 5 3 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 6 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block". 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 3 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2 into the IFrame. 5 4 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to filter. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block". 2 2 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 3 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 4 3 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 5 4 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1 into the IFrame. 6 5 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to invalid. -
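Review bot: The new "XSS Auditor refused" line says the auditor was enabled because the server sent "neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header", yet the first two lines of this same expectation record an invalid 'reflected-xss' directive and a malformed X-XSS-Protection header, so both headers were sent and rejected. Someone debugging a blocked page from this message would look for a missing header rather than a bad one. The same wording appears in the invalid-unset, unset-invalid, reflected-xss-empty and reflected-xss-invalid expectations. The string is built by auditor code outside this part of the page; a wording such as `The auditor was enabled as the server did not send a valid 'X-XSS-Protection' or 'Content-Security-Policy' header.` would cover both the absent and the rejected case.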
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block". 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid into the IFrame. 5 4 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to unset. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 3 2 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2 into the IFrame. 4 3 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to filter. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1 into the IFrame. 5 4 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to invalid. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E into the IFrame. 4 3 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to unset. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "". Value values are "allow", "filter", and "block". 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=_empty_&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 Tests that 'X-WebKit-CSP: reflected-xss' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked. 5 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=filter&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior. 3 2 Tests that 'X-WebKit-CSP: reflected-xss filter;' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked. 4 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block". 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=invalid&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 Tests that 'X-WebKit-CSP: reflected-xss invalid' enables the XSSAuditor. This test passes if a console message is generated, and the script is allowed. 5 4 -
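Review bot: The description kept on the last line of this expectation says the test passes if "the script is allowed", while the new console line directly above it states that the XSS Auditor refused to execute the script. With the more explicit message the two now visibly contradict each other; the sibling reflected-xss-empty expectation says "the script is blocked" for the same outcome. The description text comes from the test page, which is not shown here, so the correction belongs there: `This test passes if a console message is generated, and the script is blocked.`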
trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#<script>alert('XS%41S')</script>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
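Review bot: The request URL is now copied into the console message between single quotes with no escaping, and in this expectation the URL itself contains single quotes and raw markup (`...?#<script>alert('XS%41S')</script>'`), so the quoted span cannot be delimited reliably; anchor-url-dom-write-location carries the same raw `<script>` fragment. Because the URL is attacker-influenced whenever the auditor fires, anything that collects console output and then parses or renders it has to treat the whole message as untrusted text. The full query string and fragment also land in whatever logs capture the console, which matters where URLs carry tokens. The code that builds the string is outside this section; percent-encoding the URL before embedding it, or documenting the format as untrusted, would address this.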
trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: This is a safe script. 4 3 -
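Review bot: The new message states that the auditor "refused to execute a script ... because its source code was found within the request", but the reflected markup in this test is a `<base href=...>` element, and the next expected line, `ALERT: This is a safe script.`, shows that a script did run. The text names the wrong construct for non-script injections: the same applies to the other base-href expectations, cookie-injection (a `<meta http-equiv="Set-Cookie">`), form-action, formaction-on-button, formaction-on-input, the embed-tag files, and full-block-base-href ("the source code of a script"). The old message was equally imprecise, but the new one is specific enough to read as a statement of fact in a security diagnostic. If the generator (not shown here) cannot tell which construct was neutralised, neutral wording such as `refused to load reflected content in '<url>'` would be more accurate.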
trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: This is a safe script. 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: This is a safe script. 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: This is a safe script. 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 7: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-referrer.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request. 4 1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 2 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 5 3 Check that an X-XSS-Protection header added by a 304 response does not override one from the original request. 6 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: PASS 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E¬ifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: Form action set to about:blank 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E¬ifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: formaction present on BUTTON with value of about:blank 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E¬ifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 ALERT: formaction present on INPUT with value of about:blank 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-base-href.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-iframe-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 This tests that the header X-XSS-Protection is not inherited by the iframe below: 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-javascript-link.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-link-onclick.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-object-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-with-source.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 Test that dangerous attributes are still filtered in netsted script contexts. -
trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 Click me -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%3Cimg/src/onerror=alert(1)//%3C' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported. 5 4 -
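Review bot: The new line 2 of this baseline states that the auditor was enabled because the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header, but line 1 of the same file reports a parse error for an X-XSS-Protection header the server did send. The same contradiction is pinned in malformed-xss-protection-header-2 through -5 below. Someone diagnosing a misconfigured header from the console is told the header is absent when it is actually present and rejected, so the fallback case would read better as `The auditor was enabled as the server did not send a valid 'X-XSS-Protection' or 'Content-Security-Policy' header.` The code that builds this string is not visible in this part of the changeset, so the author should confirm whether it can tell an absent header from an invalid one.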
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error. 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid. 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=5&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=6&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=7&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=8&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt
r145115 r145503 1 1 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied. 2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 3 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=9&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 4 3 This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error 5 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request. 1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 
3 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 4 3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.4 5 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.6 7 -
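Review bot: This baseline still expects the same console line three times, byte for byte, so the output does not say which part of the reflected `<object>`/`<param>`/`<embed>` markup was filtered. The wording also calls the blocked item "a script" although the echoed payload here is plugin markup only. The commit collapses the block-mode output to one message per page; it would be worth either doing the same for filter mode or naming the filtered element or attribute in each line so the three entries can be told apart. The object-embed-tag and object-embed-tag-null-char baselines repeat the line three times as well, and object-tag repeats it twice.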
trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request. 1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 
3 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 4 3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.4 5 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.6 7 -
trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request. 1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 
3 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 4 3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.4 5 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.6 7 -
trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request. 1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 3 3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.4 5 -
trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&clutter=xxx%22%3E%3C/iframe%3E¬ifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=%22alert(1)//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&q=%22%20%22%20onload=alert(3)%3C!--' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532)' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(1)-%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(2)-%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(3)-%27%22%27%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 3 2 This tests that the X-XSS-Protection reports are sent out properly 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CSP report received: 5 3 CONTENT_TYPE: application/json -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed. -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&q=%3Csvg%3E%3Cscript%3E%3C!--&q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with <!-- comments -->. -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 4 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 5 3 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with nested script blocks. -
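Review bot: The two added console lines in this baseline are byte-identical (same `line 4`, same page URL), so the expectation cannot show which of the two script blocks in the response was refused, or that each was refused once. The old baseline also had two identical lines, so this is not a regression, but with the longer message the pair is easier to misread as a double report of one event, which the changeset title says should no longer happen when a page is blocked. A sentence in the test's description text such as `Two console messages are expected, one per refused script block.` would make the intent explicit; the test source is not shown here, so where that sentence belongs needs confirming.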
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Eal%00ert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 3 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 3 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 3 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-redirect-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
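Review bot: The new message wraps the page URL in single quotes, but the URL printed in this baseline itself contains unescaped single quotes (`alert('%u0058…')`), so the end of the quoted URL cannot be found reliably when reading or parsing console output. The same shape appears in the baselines for script-tag-with-16bit-unicode5, script-tag-with-comma-01 and several of the script-tag-with-source-* tests. Because the URL comes from the request, log triage should not assume that text after the first closing quote was written by the auditor. The code that builds the message is outside this section; if it can be changed, printing `'` in the URL as `%27` (the form the script-tag-addslashes-single-quote baseline already shows for its URL) would keep the delimiter unambiguous.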
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 4 3 Test that the XSSAuditor's tolerance for the IIS webserver's comma concatenation doesn't open holes when the reflected argument contains an actual comma. The test passes if the XSSAuditor logs console messages and no alerts fire. -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt
r145115 r145503 2 2 main frame - didFinishDocumentLoadForFrame 3 3 frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame 4 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 5 4 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 6 5 didDetectXSS 7 6 frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 4 3 Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire. -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 4 3 Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire. -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(1%1)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22data:,alert(1)%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)//&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)%3C!----&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&q2=%22%3E%3C/script%3E&clutter=xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E/*&q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3E//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 6: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E%20%0a%3C!--&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E¬ifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 3 2 This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'. 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5¬ifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 79: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 3 4 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis¬ifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 3 2 This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon. Although theoretically malformed, we tolerate this case without issuing an error. 4 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-03.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request. 2 3 CONSOLE MESSAGE: Entire page will be blocked. 1 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. 4 2 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-04.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match. 5 3 -
trunk/LayoutTests/platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt
r145115 r145503 1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.1 CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%22%26%23x1javasc%09ript%3Aalert%28/XSS%05/%29%22%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 2 2 3 -
trunk/Source/WebCore/ChangeLog
r145502 r145503 1 2013-03-12 Mike West <mkwst@chromium.org> 2 3 XSSAuditor should send only one console error when blocking a page. 4 https://bugs.webkit.org/show_bug.cgi?id=110733 5 6 Reviewed by Daniel Bates. 7 8 Currently, we send two console errors when XSSAuditor blocks a page: 9 "Refused to execute a JavaScript script. Source code of script found 10 within request.\n", and "Entire page will be blocked.". 11 12 We should only send one message, tuning it properly for the context, and 13 including the URL of the page effected by the XSSAuditor's work. 14 15 Covered by rebaselines of all the XSSAuditor and 'reflected-xss' tests. 16 17 * html/parser/XSSAuditor.cpp: 18 * html/parser/XSSAuditor.h: 19 (WebCore::XSSAuditor::XSSAuditor): 20 Add two booleans to track the headers used to set the XSSAuditor state. 21 (WebCore::XSSAuditor::init): 22 (WebCore::XSSAuditor::filterToken): 23 Add detail about the header status to the constructed XSSInfo object. 24 * html/parser/XSSAuditorDelegate.cpp: 25 (WebCore::buildConsoleError): 26 Move message construction out into a separate inlined function, as 27 it's becoming complex. 28 (WebCore::XSSAuditorDelegate::didBlockScript): 29 Fold the "Entire page will be blocked" message into the main console 30 error. 31 * html/parser/XSSAuditorDelegate.h: 32 (WebCore::XSSInfo::create): 33 (WebCore::XSSInfo::XSSInfo): 34 Add detail about header status to XSSInfo in order to correctly 35 construct the console error. 36 1 37 2013-03-12 Sheriff Bot <webkit.review.bot@gmail.com> 2 38 -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r145348 r145503 217 217 : m_isEnabled(false) 218 218 , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS) 219 , m_didSendValidCSPHeader(false) 220 , m_didSendValidXSSProtectionHeader(false) 219 221 , m_state(Uninitialized) 220 222 , m_scriptTagNestingLevel(0) … … 281 283 // Process the X-XSS-Protection header, then mix in the CSP header's value. 282 284 ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL); 285 m_didSendValidXSSProtectionHeader = xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSUnset && xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSInvalid; 283 286 if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) { 284 287 xssProtectionReportURL = document->completeURL(reportURL); … … 292 295 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": " + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied."); 293 296 294 m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, document->contentSecurityPolicy()->reflectedXSSDisposition()); 297 ContentSecurityPolicy::ReflectedXSSDisposition cspHeader = document->contentSecurityPolicy()->reflectedXSSDisposition(); 298 m_didSendValidCSPHeader = cspHeader != ContentSecurityPolicy::ReflectedXSSUnset && cspHeader != ContentSecurityPolicy::ReflectedXSSInvalid; 299 300 m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader); 295 301 m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way. 
296 297 302 FormData* httpBody = documentLoader->originalRequest().httpBody(); 298 303 if (httpBody && !httpBody->isEmpty()) { … … 332 337 if (didBlockScript) { 333 338 bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS); 334 OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, didBlockEntirePage );339 OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader, m_didSendValidCSPHeader); 335 340 m_reportURL = KURL(); 336 341 return xssInfo.release(); -
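Review bot: The two flags assigned in `XSSAuditor::init` record only that each header parsed to something other than `ReflectedXSSUnset` or `ReflectedXSSInvalid`, not which header produced the disposition returned by `combineXSSProtectionHeaderAndCSP`, so an explicit allow value also counts as "sent". Because `buildConsoleError` in XSSAuditorDelegate.cpp tests the CSP flag first, a response with a permissive CSP value and a blocking `X-XSS-Protection` value would presumably be reported as requested by the 'Content-Security-Policy' header; the combine function is outside these hunks, so this should be confirmed against the allow-block baselines. The predicate is also written out twice, and a file-local helper such as `static bool isValidDisposition(ContentSecurityPolicy::ReflectedXSSDisposition d) { return d != ContentSecurityPolicy::ReflectedXSSUnset && d != ContentSecurityPolicy::ReflectedXSSInvalid; }` would keep the two assignments in step. The bodies of `init` and `filterToken` continue outside the hunks shown.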
trunk/Source/WebCore/html/parser/XSSAuditor.h
r145348 r145503 104 104 KURL m_documentURL; 105 105 bool m_isEnabled; 106 106 107 ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection; 108 bool m_didSendValidCSPHeader; 109 bool m_didSendValidXSSProtectionHeader; 107 110 108 111 String m_decodedURL; -
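Review bot: The new members `m_didSendValidCSPHeader` and `m_didSendValidXSSProtectionHeader` carry no comment saying what "valid" means, and the definition exists only in `init` in XSSAuditor.cpp. I would add above them `// True when the corresponding header parsed to a disposition other than Unset or Invalid (an explicit allow counts).` As far as this changeset shows, the flags are only forwarded to `XSSInfo::create` to word the console message, which is worth stating so they are not later mistaken for policy inputs. The class body continues outside the hunk.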
trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp
r145348 r145503 55 55 } 56 56 57 static inline String buildConsoleError(const XSSInfo& xssInfo, const String& url) 58 { 59 StringBuilder message; 60 message.append("The XSS Auditor "); 61 message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in"); 62 message.append(" '"); 63 message.append(url); 64 message.append("' because "); 65 message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code"); 66 message.append(" was found within the request."); 67 68 if (xssInfo.m_didSendCSPHeader) 69 message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior."); 70 else if (xssInfo.m_didSendXSSProtectionHeader) 71 message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior."); 72 else 73 message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."); 74 75 return message.toString(); 76 } 77 57 78 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo) 58 79 { 59 80 ASSERT(isMainThread()); 60 81 61 // FIXME: Consider using a more helpful console message. 62 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a JavaScript script. Source code of script found within request.\n"))); 63 m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, consoleMessage); 82 m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo, m_document->url().string())); 64 83 65 84 FrameLoader* frameLoader = m_document->frame()->loader(); … … 91 110 } 92 111 93 if (xssInfo.m_didBlockEntirePage) { 94 m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, String("Entire page will be blocked.")); 112 if (xssInfo.m_didBlockEntirePage) 95 113 m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), String("data:text/html,<p></p>"), blankURL()); 96 }97 114 } 98 115 -
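Review bot: The rewritten `addConsoleMessage` call in `didBlockScript` moves the report from `SecurityMessageSource` to `JSMessageSource`, which the ChangeLog entry does not mention, while the header-parse error in XSSAuditor.cpp still uses `SecurityMessageSource`. If the switch is not deliberate, keep the auditor's report in the security category so console filters that key on it still see the block: `m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo, m_document->url().string()));`. Separately, `buildConsoleError` places the whole document URL, query string included, between single quotes, and the rebaselined expectations (svg-animate, xss-filter-bypass-big5) show URLs that themselves contain `'`, so the quoted span is not reliably delimited for anyone reading or parsing the log. A comment above `buildConsoleError` such as `// url is request-controlled and is logged verbatim; do not treat the quoted span as trusted or parseable.` would record that. `didBlockScript` continues outside the hunks shown.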
trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h
r145348 r145503 40 40 class XSSInfo { 41 41 public: 42 static PassOwnPtr<XSSInfo> create(const KURL& reportURL, bool didBlockEntirePage )42 static PassOwnPtr<XSSInfo> create(const KURL& reportURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader) 43 43 { 44 return adoptPtr(new XSSInfo(reportURL, didBlockEntirePage ));44 return adoptPtr(new XSSInfo(reportURL, didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader)); 45 45 } 46 46 … … 49 49 KURL m_reportURL; 50 50 bool m_didBlockEntirePage; 51 bool m_didSendXSSProtectionHeader; 52 bool m_didSendCSPHeader; 51 53 TextPosition m_textPosition; 52 54 53 55 private: 54 XSSInfo(const KURL& reportURL, bool didBlockEntirePage )56 XSSInfo(const KURL& reportURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader) 55 57 : m_reportURL(reportURL) 56 58 , m_didBlockEntirePage(didBlockEntirePage) 59 , m_didSendXSSProtectionHeader(didSendXSSProtectionHeader) 60 , m_didSendCSPHeader(didSendCSPHeader) 57 61 { } 58 62 };
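Review bot: `XSSInfo::create` and the private constructor now take three consecutive `bool` parameters, so a call that transposes `didSendXSSProtectionHeader` and `didSendCSPHeader` compiles cleanly and surfaces only as a console message that credits the wrong header. XSSAuditor.h declares the matching members in the opposite order (CSP first), which makes that slip easier. The names here also drop the "Valid" that the auditor's members carry (`m_didSendValidCSPHeader`), and one spelling should be used on both sides. A comment above `create` such as `// Argument order: didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader.` is the minimal guard; a small flags enum would be the sturdier one.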