Changeset 145503 in webkit


Timestamp:
Mar 12, 2013 2:28:12 AM (11 years ago)
Author:
mkwst@chromium.org
Message:

XSSAuditor should send only one console error when blocking a page.
https://bugs.webkit.org/show_bug.cgi?id=110733

Reviewed by Daniel Bates.

Source/WebCore:

Currently, we send two console errors when XSSAuditor blocks a page:
"Refused to execute a JavaScript script. Source code of script found
within request.\n", and "Entire page will be blocked.".

We should only send one message, tuning it properly for the context, and
including the URL of the page affected by the XSSAuditor's work.

Covered by rebaselines of all the XSSAuditor and 'reflected-xss' tests.

  • html/parser/XSSAuditor.cpp:
  • html/parser/XSSAuditor.h:

(WebCore::XSSAuditor::XSSAuditor):

Add two booleans to track the headers used to set the XSSAuditor state.

(WebCore::XSSAuditor::init):
(WebCore::XSSAuditor::filterToken):

Add detail about the header status to the constructed XSSInfo object.

  • html/parser/XSSAuditorDelegate.cpp:

(WebCore::buildConsoleError):

Move message construction out into a separate inlined function, as
it's becoming complex.

(WebCore::XSSAuditorDelegate::didBlockScript):

Fold the "Entire page will be blocked" message into the main console
error.

  • html/parser/XSSAuditorDelegate.h:

(WebCore::XSSInfo::create):
(WebCore::XSSInfo::XSSInfo):

Add detail about header status to XSSInfo in order to correctly
construct the console error.

LayoutTests:

  • fast/frames/xss-auditor-handles-file-urls-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
  • http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
  • http/tests/security/xssAuditor/base-href-control-char-expected.txt:
  • http/tests/security/xssAuditor/base-href-expected.txt:
  • http/tests/security/xssAuditor/base-href-null-char-expected.txt:
  • http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
  • http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
  • http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
  • http/tests/security/xssAuditor/cached-frame-expected.txt:
  • http/tests/security/xssAuditor/cookie-injection-expected.txt:
  • http/tests/security/xssAuditor/dom-write-URL-expected.txt:
  • http/tests/security/xssAuditor/dom-write-location-expected.txt:
  • http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
  • http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
  • http/tests/security/xssAuditor/formaction-on-button-expected.txt:
  • http/tests/security/xssAuditor/formaction-on-input-expected.txt:
  • http/tests/security/xssAuditor/form-action-expected.txt:
  • http/tests/security/xssAuditor/full-block-base-href-expected.txt:
  • http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt:
  • http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
  • http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
  • http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
  • http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
  • http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt:
  • http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
  • http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
  • http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
  • http/tests/security/xssAuditor/get-from-iframe-expected.txt:
  • http/tests/security/xssAuditor/iframe-injection-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
  • http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
  • http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
  • http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
  • http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
  • http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
  • http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-expected.txt:
  • http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
  • http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
  • http/tests/security/xssAuditor/malformed-HTML-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
  • http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
  • http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
  • http/tests/security/xssAuditor/object-embed-tag-expected.txt:
  • http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
  • http/tests/security/xssAuditor/object-tag-expected.txt:
  • http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
  • http/tests/security/xssAuditor/open-attribute-body-expected.txt:
  • http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
  • http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
  • http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-01-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-02-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-03-expected.txt:
  • http/tests/security/xssAuditor/open-script-src-04-expected.txt:
  • http/tests/security/xssAuditor/post-from-iframe-expected.txt:
  • http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
  • http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
  • http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
  • http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
  • http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
  • http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
  • http/tests/security/xssAuditor/property-escape-expected.txt:
  • http/tests/security/xssAuditor/property-escape-long-expected.txt:
  • http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
  • http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
  • http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
  • http/tests/security/xssAuditor/report-script-tag-expected.txt:
  • http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
  • http/tests/security/xssAuditor/script-tag-entities-expected.txt:
  • http/tests/security/xssAuditor/script-tag-expected.txt:
  • http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
  • http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt:
  • http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-post-expected.txt:
  • http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-redirect-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
  • http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
  • http/tests/security/xssAuditor/svg-script-tag-expected.txt:
  • http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
  • http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
  • http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
  • http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt:
  • http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt:
  • http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
  • http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
  • platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt:
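The single, context-tuned console error the message describes, modelled as an added example (illustrative C++ that is not WebKit's own code: the `XSSInfo` fields, the `ConsoleSink` stand-in for the delegate and the message wording are all assumptions, chosen only to show one error per blocked script with the "entire page" note folded in):

```cpp
#include <string>
#include <vector>

// Hypothetical model of the data the commit adds to XSSInfo: the page URL
// plus two booleans recording which headers configured the auditor.
struct XSSInfo {
    std::string originalURL;          // URL of the page the auditor acted on
    bool didBlockEntirePage;          // auditor is in "block" mode for this page
    bool didSendXSSProtectionHeader;  // server sent X-XSS-Protection
    bool didSendCSPHeader;            // server sent Content-Security-Policy
};

// Build the one console error, tuned for the headers that enabled the
// auditor. Wording is illustrative and not WebKit's.
std::string buildConsoleError(const XSSInfo& info) {
    std::string message = "Refused to execute a JavaScript script in '" + info.originalURL
        + "'. Source code of script found within request.";
    if (!info.didSendXSSProtectionHeader && !info.didSendCSPHeader)
        message += " The auditor was enabled because the server sent neither an"
                   " 'X-XSS-Protection' nor a 'Content-Security-Policy' header.";
    else if (info.didSendXSSProtectionHeader && info.didSendCSPHeader)
        message += " The server sent both 'X-XSS-Protection' and"
                   " 'Content-Security-Policy' headers.";
    else if (info.didSendXSSProtectionHeader)
        message += " The server sent an 'X-XSS-Protection' header.";
    else
        message += " The server sent a 'Content-Security-Policy' header.";
    // The former separate "Entire page will be blocked." message is folded in.
    if (info.didBlockEntirePage)
        message += " The entire page will be blocked.";
    return message;
}

// Hypothetical sink standing in for the page's console, so a test can
// count how many errors one block produces.
struct ConsoleSink {
    std::vector<std::string> errors;
};

// Stand-in for the delegate's didBlockScript: exactly one message per block.
void didBlockScript(ConsoleSink& console, const XSSInfo& info) {
    console.errors.push_back(buildConsoleError(info));
}

// Number of console errors emitted for a single blocked script.
size_t errorCountForBlock(const XSSInfo& info) {
    ConsoleSink console;
    didBlockScript(console, info);
    return console.errors.size();
}
```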
Location:
trunk
Files:
208 edited

  • trunk/LayoutTests/ChangeLog

    r145498 r145503  
     12013-03-12  Mike West  <mkwst@chromium.org>
     2
     3        XSSAuditor should send only one console error when blocking a page.
     4        https://bugs.webkit.org/show_bug.cgi?id=110733
     5
     6        Reviewed by Daniel Bates.
     7
     8        * fast/frames/xss-auditor-handles-file-urls-expected.txt:
     9        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
     10        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt:
     11        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
     13        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
     14        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
     15        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
     16        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
     17        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt:
     18        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
     19        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt:
     20        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt:
     21        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt:
     22        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt:
     23        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
     24        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt:
     25        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt:
     26        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt:
     27        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
     28        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt:
     29        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt:
     30        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt:
     31        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
     32        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt:
     33        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt:
     34        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt:
     35        * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
     36        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
     37        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
     38        * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
     39        * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
     40        * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
     41        * http/tests/security/xssAuditor/base-href-expected.txt:
     42        * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
     43        * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
     44        * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
     45        * http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
     46        * http/tests/security/xssAuditor/cached-frame-expected.txt:
     47        * http/tests/security/xssAuditor/cookie-injection-expected.txt:
     48        * http/tests/security/xssAuditor/dom-write-URL-expected.txt:
     49        * http/tests/security/xssAuditor/dom-write-location-expected.txt:
     50        * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
     51        * http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
     52        * http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
     53        * http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
     54        * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
     55        * http/tests/security/xssAuditor/embed-tag-expected.txt:
     56        * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
     57        * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
     58        * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
     59        * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
     60        * http/tests/security/xssAuditor/form-action-expected.txt:
     61        * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
     62        * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt:
     63        * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
     64        * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
     65        * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
     66        * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
     67        * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
     68        * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt:
     69        * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
     70        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
     71        * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
     72        * http/tests/security/xssAuditor/get-from-iframe-expected.txt:
     73        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
     74        * http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
     75        * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
     76        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
     77        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
     78        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
     79        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
     80        * http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
     81        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
     82        * http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
     83        * http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
     84        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
     85        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
     86        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
     87        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
     88        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
     89        * http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
     90        * http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
     91        * http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
     92        * http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
     93        * http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
     94        * http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
     95        * http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
     96        * http/tests/security/xssAuditor/javascript-link-expected.txt:
     97        * http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
     98        * http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
     99        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
     100        * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
     101        * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
     102        * http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
     103        * http/tests/security/xssAuditor/link-onclick-expected.txt:
     104        * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
     105        * http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
     106        * http/tests/security/xssAuditor/malformed-HTML-expected.txt:
     107        * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
     108        * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
     109        * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
     110        * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
     111        * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
     112        * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
     113        * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
     114        * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
     115        * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
     116        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
     117        * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
     118        * http/tests/security/xssAuditor/object-embed-tag-expected.txt:
     119        * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
     120        * http/tests/security/xssAuditor/object-tag-expected.txt:
     121        * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
     122        * http/tests/security/xssAuditor/open-attribute-body-expected.txt:
     123        * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
     124        * http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
     125        * http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
     126        * http/tests/security/xssAuditor/open-script-src-01-expected.txt:
     127        * http/tests/security/xssAuditor/open-script-src-02-expected.txt:
     128        * http/tests/security/xssAuditor/open-script-src-03-expected.txt:
     129        * http/tests/security/xssAuditor/open-script-src-04-expected.txt:
     130        * http/tests/security/xssAuditor/post-from-iframe-expected.txt:
     131        * http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
     132        * http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
     133        * http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
     134        * http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
     135        * http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
     136        * http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
     137        * http/tests/security/xssAuditor/property-escape-expected.txt:
     138        * http/tests/security/xssAuditor/property-escape-long-expected.txt:
     139        * http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
     140        * http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
     141        * http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
     142        * http/tests/security/xssAuditor/report-script-tag-expected.txt:
     143        * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
     144        * http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
     145        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
     146        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
     147        * http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
     148        * http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
     149        * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
     150        * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
     151        * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
     152        * http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
     153        * http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
     154        * http/tests/security/xssAuditor/script-tag-entities-expected.txt:
     155        * http/tests/security/xssAuditor/script-tag-expected.txt:
     156        * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
     157        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
     158        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
     159        * http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
     160        * http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt:
     161        * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
     162        * http/tests/security/xssAuditor/script-tag-post-expected.txt:
     163        * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
     164        * http/tests/security/xssAuditor/script-tag-redirect-expected.txt:
     165        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
     166        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
     167        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
     168        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
     169        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
     170        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
     171        * http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
     172        * http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
     173        * http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
     174        * http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
     175        * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
     176        * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
     177        * http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
     178        * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
     179        * http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
     180        * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
     181        * http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
     182        * http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
     183        * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
     184        * http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
     185        * http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
     186        * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
     187        * http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
     188        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
     189        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
     190        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
     191        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
     192        * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
     193        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
     194        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
     195        * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
     196        * http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
     197        * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
     198        * http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
     199        * http/tests/security/xssAuditor/svg-script-tag-expected.txt:
     200        * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
     201        * http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
     202        * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
     203        * http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt:
     204        * http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt:
     205        * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
     206        * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
     207        * platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt:
     208
    12092013-03-12  Vsevolod Vlasov  <vsevik@chromium.org>
    2210
  • trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
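Review bot: The URL quoted in the new message, 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E', is a fragment of a data: URL (the scheme and the leading part of the string are missing and a stray quote precedes %3E), so for this file:/data: case the message identifies the document far less usefully than the http: URLs in the hunks below. Worth checking what URL is being handed to the XSSInfo here (document URL vs. the reflected request) and, for non-hierarchical schemes, either reporting the whole URL or eliding it rather than emitting a truncated string.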
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
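Review bot: The attribution sentence on the added line, "The server sent a 'Content-Security-Policy' header requesting this behavior.", is misleading for this case: the URL carries csp=allow, i.e. the reflected-xss directive asked the auditor to stand down, and it is the X-XSS-Protection header (enable-full-block=1) that asked for blocking. If buildConsoleError picks the CSP wording whenever a valid CSP header was present, consider basing the choice on which header's disposition actually won, or soften the wording to "... header was present" so the message does not claim a request the header did not make. The same applies to the allow-filter and allow-invalid hunks below.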
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    32ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2 into the IFrame.
    43Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to filter.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    43ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1 into the IFrame.
    54Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to invalid.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
    4 CONSOLE MESSAGE: Entire page will be blocked.
     2CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    53CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    64
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    32ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1 into the IFrame.
    43Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to allow.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    32ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2 into the IFrame.
    43Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to filter.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    43ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1 into the IFrame.
    54Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to invalid.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    32ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter into the IFrame.
    43Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to unset.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    43ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1 into the IFrame.
    54Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to allow.
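Review bot: The new message attributes the filtering to the X-XSS-Protection header ("The server sent an 'X-XSS-Protection' header requesting this behavior."), yet this test sets that header to allow (disable-protection=1 in the URL, and "X-XSS-Protection is set to allow" on the last line of the hunk); the auditor is running because the invalid reflected-xss value falls back to the default protection, not because the header requested it. Suggest using the X-XSS-Protection wording only when that header's disposition is what enabled filtering or blocking; otherwise the message tells a developer the opposite of what their header said.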
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
    4 CONSOLE MESSAGE: Entire page will be blocked.
     2CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    53CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    64
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    43ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2 into the IFrame.
    54Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to filter.
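Review bot: Line 1 of this hunk, kept as unchanged context, carries the pre-existing typo "Value values are" in the ContentSecurityPolicy console message; it is not part of this change, but it is worth a follow-up fix to "Valid values are", noting that every reflected-xss-and-xss-protection-invalid-* expectation (and reflected-xss-empty and reflected-xss-invalid) will need rebaselining again when that happens.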
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
    22CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    3 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    4 
     3CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    54ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1 into the IFrame.
    65Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to invalid.
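Review bot: The closing sentence on the added line, "The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.", is wrong for this case: lines 1 and 2 of the hunk show that both headers were sent, one with an invalid reflected-xss value and one that failed to parse. The new booleans track whether a valid header was sent, so the message should say that, e.g. "... as the server sent neither a valid 'X-XSS-Protection' nor a valid 'Content-Security-Policy' header." The same wording issue affects the invalid-unset, unset-invalid, reflected-xss-empty and reflected-xss-invalid hunks.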
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid into the IFrame.
    54Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to unset.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    32ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2 into the IFrame.
    43Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to filter.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1 into the IFrame.
    54Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to invalid.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E into the IFrame.
    43Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to unset.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "". Value values are "allow", "filter", and "block".
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=_empty_&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43Tests that 'X-WebKit-CSP: reflected-xss' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
    54
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=filter&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
    32Tests that 'X-WebKit-CSP: reflected-xss filter;' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
    43
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=invalid&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43Tests that 'X-WebKit-CSP: reflected-xss invalid' enables the XSSAuditor. This test passes if a console message is generated, and the script is allowed.
    54
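Review bot: the unchanged description on line 3 says "This test passes if a console message is generated, and the script is allowed", yet the new line 2 reports that the auditor refused to execute the script. The invalid directive value evidently falls back to the default filter behavior, so the description is stale; update it to "the script is blocked" (as the filter expectation above says) so the file is self-consistent.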
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#<script>alert('XS%41S')</script>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
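Review bot: the new message wraps the URL in single quotes, but this URL itself contains single quotes (alert('XS%41S')), so the quoted span is ambiguous for anything that parses console output; the same collision occurs in the base-href and embed-tag expectations below (href='http://...', name='plugin'). Consider percent-encoding the inserted URL, or choosing a delimiter that cannot appear in a URL, before building the message in buildConsoleError.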
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: This is a safe script.
    43
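Review bot: the new wording "refused to execute a script in ... because its source code was found within the request" is inaccurate for this case: what was filtered is a <base href=...> element, not a script. The same phrasing appears below for the form-action, formaction-on-button, formaction-on-input, embed-tag, iframe-injection and cookie-injection (meta Set-Cookie) expectations. A neutral phrase such as "refused to render injected markup" would describe those cases correctly; as written, a site owner reading the console is told a script was blocked when none was present.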
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: This is a safe script.
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: This is a safe script.
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: This is a safe script.
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 7: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
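Review bot: the block-mode message on new line 1 now embeds the full URL of the blocked document, including the injected query string, in the console. That is acceptable for the console itself, and the unchanged line 2 ("Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p>") still shows the replacement frame carries no leaked location. A short comment in didBlockScript that the URL is intended only for the console message, and must not be copied into the data: replacement document, would make that invariant explicit for future edits.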
  • trunk/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-referrer.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
    4 
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
     2CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    53Check that an X-XSS-Protection header added by a 304 response does not override one from the original request.
    64
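Review bot: the two new lines are identical, each reporting filter mode attributed to an 'X-XSS-Protection' header, which matches the description on line 3 (a header added by the 304 must not override the original). Because the new wording now distinguishes filter from block and names the enabling header, this expectation would also catch a 304 response flipping the mode; a comment in the test stating which header value the 304 sends would make that intent visible to the next person who rebaselines it.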
  • trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: PASS
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&notifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: Form action set to about:blank
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: formaction present on BUTTON with value of about:blank
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32ALERT: formaction present on INPUT with value of about:blank
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-base-href.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-iframe-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32This tests that the header X-XSS-Protection is not inherited by the iframe below:
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-javascript-link.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-link-onclick.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-object-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42
    53
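Review bot: for this POST case the message reports only 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl', because the reflected payload travels in the request body rather than the URL, so the message gives no hint of what was matched. Consider mentioning the request method (or that the match came from the POST body) so that a blocked POST is distinguishable from a blocked GET to the same resource.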
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-with-source.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32 Test that dangerous attributes are still filtered in netsted script contexts.
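Review bot: the unchanged line 2 of this expectation still reads "netsted script contexts" where "nested" is meant. The text comes from the test page that produces it rather than from this change, so leave it here and fix the test page and this expectation together in a separate change, otherwise the rebaseline would stop matching the page's real output.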
  • trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32Click me
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%3Cimg/src/onerror=alert(1)//%3C' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported.
    54
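Review bot: the new line 2 states that the auditor was enabled because the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header, yet line 1 of the same expectation shows the server did send an X-XSS-Protection header (`12345678901234567`) that failed to parse, after which the default protections were applied. Whatever state selects this wording evidently records only a successfully parsed header, so a malformed header is reported as "no header", which is misleading to a developer reading the console. Either set the header-present flag on the parse-error path as well, or add a third wording along the lines of "The auditor was enabled because the 'X-XSS-Protection' header could not be parsed". The same mismatch appears in the malformed-xss-protection-header-2 through -9 hunks below, where a header value is shown on line 1 of each expectation.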
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=5&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=6&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=7&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=8&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt

    r145115 r145503  
    11CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied.
    2 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    3 
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=9&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    43This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error
    54
  • trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     3CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    24
    3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    4 
    5 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    6 
    7 
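Review bot: the new expectation lines wrap the URL in single quotes while the URL itself contains unescaped single quotes (`id='object'`, `name='plugin'`, `value='http://127.0.0.1:8000/...'`), so the delimiters of the quoted URL are ambiguous for anything that parses or greps the console output; consider percent-encoding the URL, or escaping embedded quotes, in buildConsoleError before it is quoted. The count of three messages is unchanged from the old expectation (lines 1, 3 and 5 there), so only the text and the dropped blank lines change in this hunk.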
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     3CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    24
    3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    4 
    5 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    6 
    7 
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     3CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    24
    3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    4 
    5 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    6 
    7 
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    23
    3 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
    4 
    5 
  • trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&clutter=xxx%22%3E%3C/iframe%3E&notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=%22alert(1)//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&q=%22%20%22%20onload=alert(3)%3C!--' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532)' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(1)-%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(2)-%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(3)-%27%22%27%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    32This tests that the X-XSS-Protection reports are sent out properly
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CSP report received:
    53CONTENT_TYPE: application/json
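Review bot: the folded full-block message now carries the `line 4:` position prefix that previously belonged only to the per-script refusal, while the old `CONSOLE MESSAGE: Entire page will be blocked.` line had no position at all; since this message describes a block of the whole page rather than of one script, either confirm in the ChangeLog that attaching the detection line is intended or emit the block message without a line number, so readers do not take it as the only affected line. The reworded text ('blocked access to ... because the source code of a script was found within the request') is the context tuning the commit message describes and is consistent with the 'refused to execute a script in' variant used in the filter-mode expectations.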
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&q=%3Csvg%3E%3Cscript%3E%3C!--&q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with <!-- comments -->.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    4 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
     2CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    53 Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with nested script blocks.
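Review bot: this expectation keeps two byte-identical console messages (both "line 4", same URL), one for the script injected via "clutter" and one for the script assembled from "q" and "q2". The one-message-per-page change only applies to the block case, so in filter mode the auditor still reports once per blocked script; that is consistent with the other rebaselines, but a reader of the log cannot tell the two blocks apart, and the description line "nested script blocks" is the only hint that two distinct scripts were stopped. If one message per distinct blocked script is the intended behaviour, saying so in the test description would make the duplicated line self-explanatory.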
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Eal%00ert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    33
    4 
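Review bot: for the POST-based tests (this one and the following script-tag-post and script-tag-post-null-char expectations) the logged URL is the bare 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' with no query string, because the reflected payload travels in the request body. The wording "its source code was found within the request" is still accurate, but unlike the GET cases the URL in the message gives no indication of which script matched, so these three expectations only pin down that a block occurred at line 4. That is expected for POST; it is worth a sentence in the ChangeLog so nobody later treats the missing query as a logging bug.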
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    33
    4 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    33
    4 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-redirect-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32
    43Test that the XSSAuditor's tolerance for the IIS webserver's comma concatenation doesn't open holes when the reflected argument contains an actual comma. The test passes if the XSSAuditor logs console messages and no alerts fire.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt

    r145115 r145503  
    22main frame - didFinishDocumentLoadForFrame
    33frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
    4 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    5 
     4CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    65didDetectXSS
    76frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32
    43Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
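Review bot: the unchanged description on the last line of this hunk (and the identical line in script-tag-with-comma-02) has three typos that could be fixed in the same pass: "resovles" should be "resolves", "occuring" should be "occurring", and "its as if" should be "it's as if". Since every expectation for these two tests is already being touched, correcting the test page text now avoids a separate rebaseline later.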
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32
    43Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(1%1)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22data:,alert(1)%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)//&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)%3C!----&q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&q2=%22%3E%3C/script%3E&clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&q2=%22%3E%3C/script%3E&clutter=xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E/*&q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3E//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 6: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E%20%0a%3C!--&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    32This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5&notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 79: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    33
    4 
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis&notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42
    53
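Review bot: This rebaseline records the blocked-page URL without its query string (`.../echo-intertag.pl`), whereas the other block-mode expectations (xss-protection-parsing-03 and -04) record the full `echo-intertag.pl?...` URL. Worth confirming this is the real document URL for this test rather than an artifact of when `m_document->url()` is read in `didBlockScript`; if the difference is intentional, a short comment in the test would make the baseline self-explanatory.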
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
     1CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    32This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon. Although theoretically malformed, we tolerate this case without issuing an error.
    43
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-03.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
    2 
    3 CONSOLE MESSAGE: Entire page will be blocked.
     1CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
    42CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-04.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
    53
  • trunk/LayoutTests/platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt

    r145115 r145503  
    1 CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
     1CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%22%26%23x1javasc%09ript%3Aalert%28/XSS%05/%29%22%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
    22
    3 
  • trunk/Source/WebCore/ChangeLog

    r145502 r145503  
     12013-03-12  Mike West  <mkwst@chromium.org>
     2
     3        XSSAuditor should send only one console error when blocking a page.
     4        https://bugs.webkit.org/show_bug.cgi?id=110733
     5
     6        Reviewed by Daniel Bates.
     7
     8        Currently, we send two console errors when XSSAuditor blocks a page:
     9        "Refused to execute a JavaScript script. Source code of script found
     10        within request.\n", and "Entire page will be blocked.".
     11
     12        We should only send one message, tuning it properly for the context, and
     13        including the URL of the page effected by the XSSAuditor's work.
     14
     15        Covered by rebaselines of all the XSSAuditor and 'reflected-xss' tests.
     16
     17        * html/parser/XSSAuditor.cpp:
     18        * html/parser/XSSAuditor.h:
     19        (WebCore::XSSAuditor::XSSAuditor):
     20            Add two booleans to track the headers used to set the XSSAuditor state.
     21        (WebCore::XSSAuditor::init):
     22        (WebCore::XSSAuditor::filterToken):
     23            Add detail about the header status to the constructed XSSInfo object.
     24        * html/parser/XSSAuditorDelegate.cpp:
     25        (WebCore::buildConsoleError):
     26            Move message construction out into a separate inlined function, as
     27            it's becoming complex.
     28        (WebCore::XSSAuditorDelegate::didBlockScript):
     29            Fold the "Entire page will be blocked" message into the main console
     30            error.
     31        * html/parser/XSSAuditorDelegate.h:
     32        (WebCore::XSSInfo::create):
     33        (WebCore::XSSInfo::XSSInfo):
     34            Add detail about header status to XSSInfo in order to correctly
     35            construct the console error.
     36
    1372013-03-12  Sheriff Bot  <webkit.review.bot@gmail.com>
    238
  • trunk/Source/WebCore/html/parser/XSSAuditor.cpp

    r145348 r145503  
    217217    : m_isEnabled(false)
    218218    , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS)
     219    , m_didSendValidCSPHeader(false)
     220    , m_didSendValidXSSProtectionHeader(false)
    219221    , m_state(Uninitialized)
    220222    , m_scriptTagNestingLevel(0)
     
    281283        // Process the X-XSS-Protection header, then mix in the CSP header's value.
    282284        ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
     285        m_didSendValidXSSProtectionHeader = xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSUnset && xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
    283286        if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) {
    284287            xssProtectionReportURL = document->completeURL(reportURL);
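Review bot: `m_didSendValidXSSProtectionHeader` is false both when no header was sent and when one was sent but failed to parse (the invalid case that logs "Error parsing header X-XSS-Protection ... The default protections will be applied." a few lines below). The delegate's fallback text then states the server sent "neither" header, which is inaccurate for the malformed-header case; either track a third state (unset / invalid / valid) or word the fallback as "no valid ... header".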
     
    292295            document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": "  + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied.");
    293296
    294         m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, document->contentSecurityPolicy()->reflectedXSSDisposition());
     297        ContentSecurityPolicy::ReflectedXSSDisposition cspHeader = document->contentSecurityPolicy()->reflectedXSSDisposition();
     298        m_didSendValidCSPHeader = cspHeader != ContentSecurityPolicy::ReflectedXSSUnset && cspHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
     299
     300        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader);
    295301        m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way.
    296 
    297302        FormData* httpBody = documentLoader->originalRequest().httpBody();
    298303        if (httpBody && !httpBody->isEmpty()) {
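Review bot: `m_didSendValidCSPHeader` is true whenever CSP carries any disposition other than unset or invalid, but the effective `m_xssProtection` comes from `combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader)`. When both headers are present the console text will attribute the behavior to CSP regardless of which header's disposition actually won the combination; if the aim is to tell the developer which header caused the block, record the winner of the combine step rather than mere presence. The existing FIXME about combining the two report URLs on the next line is the same open question.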
     
    332337    if (didBlockScript) {
    333338        bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
    334         OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, didBlockEntirePage);
     339        OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader, m_didSendValidCSPHeader);
    335340        m_reportURL = KURL();
    336341        return xssInfo.release();
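Review bot: `XSSInfo::create` now takes three adjacent `bool`s (`didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader`); this call passes them in declaration order, but a later swap of the two header flags would compile silently and surface only as a wrong console message in rebaselined tests. Consider an enum or a small flags struct, or at minimum a comment at the call site naming each argument.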
  • trunk/Source/WebCore/html/parser/XSSAuditor.h

    r145348 r145503  
    104104    KURL m_documentURL;
    105105    bool m_isEnabled;
     106
    106107    ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
     108    bool m_didSendValidCSPHeader;
     109    bool m_didSendValidXSSProtectionHeader;
    107110
    108111    String m_decodedURL;
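Review bot: The two new members are undocumented; a one-line comment stating that they are true only when the corresponding header was present and parsed successfully (a malformed header leaves them false) would prevent readers taking them to mean "header present". The blank line inserted at 106 also separates `m_isEnabled` from the rest of the state for no obvious reason.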
  • trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp

    r145348 r145503  
    5555}
    5656
     57static inline String buildConsoleError(const XSSInfo& xssInfo, const String& url)
     58{
     59    StringBuilder message;
     60    message.append("The XSS Auditor ");
     61    message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
     62    message.append(" '");
     63    message.append(url);
     64    message.append("' because ");
     65    message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code");
     66    message.append(" was found within the request.");
     67
     68    if (xssInfo.m_didSendCSPHeader)
     69        message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
     70    else if (xssInfo.m_didSendXSSProtectionHeader)
     71        message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
     72    else
     73        message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
     74
     75    return message.toString();
     76}
     77
    5778void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
    5879{
    5980    ASSERT(isMainThread());
    6081
    61     // FIXME: Consider using a more helpful console message.
    62     DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a JavaScript script. Source code of script found within request.\n")));
    63     m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, consoleMessage);
     82    m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo, m_document->url().string()));
    6483
    6584    FrameLoader* frameLoader = m_document->frame()->loader();
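Review bot: `didBlockScript` switches the console message from `SecurityMessageSource` to `JSMessageSource` while folding in the new text. That change of source is not mentioned in the ChangeLog, and since the message describes a security filter's decision rather than a script error, `SecurityMessageSource` (which the removed lines used) looks like the intended value; if the switch is deliberate, say why in the ChangeLog.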
     
    91110    }
    92111
    93     if (xssInfo.m_didBlockEntirePage) {
    94         m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, String("Entire page will be blocked."));
     112    if (xssInfo.m_didBlockEntirePage)
    95113        m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), String("data:text/html,<p></p>"), blankURL());
    96     }
    97114}
    98115
  • trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h

    r145348 r145503  
    4040class XSSInfo {
    4141public:
    42     static PassOwnPtr<XSSInfo> create(const KURL& reportURL, bool didBlockEntirePage)
     42    static PassOwnPtr<XSSInfo> create(const KURL& reportURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
    4343    {
    44         return adoptPtr(new XSSInfo(reportURL, didBlockEntirePage));
     44        return adoptPtr(new XSSInfo(reportURL, didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader));
    4545    }
    4646
     
    4949    KURL m_reportURL;
    5050    bool m_didBlockEntirePage;
     51    bool m_didSendXSSProtectionHeader;
     52    bool m_didSendCSPHeader;
    5153    TextPosition m_textPosition;
    5254
    5355private:
    54     XSSInfo(const KURL& reportURL, bool didBlockEntirePage)
     56    XSSInfo(const KURL& reportURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
    5557        : m_reportURL(reportURL)
    5658        , m_didBlockEntirePage(didBlockEntirePage)
     59        , m_didSendXSSProtectionHeader(didSendXSSProtectionHeader)
     60        , m_didSendCSPHeader(didSendCSPHeader)
    5761    { }
    5862};
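Review bot: The XSSInfo flag names drop the "Valid" qualifier that XSSAuditor uses (`m_didSendValidXSSProtectionHeader` there, `m_didSendXSSProtectionHeader` here) even though they carry the same value; aligning the names avoids the impression that XSSInfo records mere presence of a header. As with the existing members these are public data fields, which is fine for this struct-like class, but the constructor could take a single flags value instead of two more positional bools.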