Unreviewed, rolling out r145083.
authorrafaelw@chromium.org <rafaelw@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Mar 2013 20:03:45 +0000 (20:03 +0000)
committerrafaelw@chromium.org <rafaelw@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Mar 2013 20:03:45 +0000 (20:03 +0000)
http://trac.webkit.org/changeset/145083
https://bugs.webkit.org/show_bug.cgi?id=110733

caused lots of crashes in http/tests/security/xssAuditor/* tests

Source/WebCore:

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::XSSAuditor):
(WebCore::XSSAuditor::init):
(WebCore::XSSAuditor::filterToken):
* html/parser/XSSAuditor.h:
* html/parser/XSSAuditorDelegate.cpp:
(WebCore::XSSAuditorDelegate::didBlockScript):
* html/parser/XSSAuditorDelegate.h:
(WebCore::XSSInfo::create):
(XSSInfo):
(WebCore::XSSInfo::XSSInfo):

LayoutTests:

* fast/frames/xss-auditor-handles-file-urls-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
* http/tests/security/xssAuditor/base-href-control-char-expected.txt:
* http/tests/security/xssAuditor/base-href-expected.txt:
* http/tests/security/xssAuditor/base-href-null-char-expected.txt:
* http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
* http/tests/security/xssAuditor/cached-frame-expected.txt:
* http/tests/security/xssAuditor/cookie-injection-expected.txt:
* http/tests/security/xssAuditor/dom-write-URL-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
* http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
* http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
* http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/embed-tag-expected.txt:
* http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/form-action-expected.txt:
* http/tests/security/xssAuditor/formaction-on-button-expected.txt:
* http/tests/security/xssAuditor/formaction-on-input-expected.txt:
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/get-from-iframe-expected.txt:
* http/tests/security/xssAuditor/iframe-injection-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
* http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
* http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
* http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
* http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
* http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
* http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-expected.txt:
* http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
* http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
* http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
* http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
* http/tests/security/xssAuditor/link-onclick-expected.txt:
* http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
* http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
* http/tests/security/xssAuditor/malformed-HTML-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
* http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/object-tag-expected.txt:
* http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/open-attribute-body-expected.txt:
* http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-03-expected.txt:
* http/tests/security/xssAuditor/open-script-src-01-expected.txt:
* http/tests/security/xssAuditor/open-script-src-02-expected.txt:
* http/tests/security/xssAuditor/open-script-src-03-expected.txt:
* http/tests/security/xssAuditor/open-script-src-04-expected.txt:
* http/tests/security/xssAuditor/post-from-iframe-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
* http/tests/security/xssAuditor/property-escape-expected.txt:
* http/tests/security/xssAuditor/property-escape-long-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
* http/tests/security/xssAuditor/script-tag-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
* http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-redirect-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
* http/tests/security/xssAuditor/svg-animate-expected.txt:
* http/tests/security/xssAuditor/svg-script-tag-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
* platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145115 268f45cc-cd09-0410-ab3c-d52691b4dbfc

208 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt
LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt
LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt
LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt
LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt
LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt
LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt
LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-redirect-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt
LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt
LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt
LayoutTests/platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp
Source/WebCore/html/parser/XSSAuditor.h
Source/WebCore/html/parser/XSSAuditorDelegate.cpp
Source/WebCore/html/parser/XSSAuditorDelegate.h

index f5f54ac..1fdef6f 100644 (file)
@@ -1,3 +1,214 @@
+2013-03-07  Rafael Weinstein  <rafaelw@chromium.org>
+
+        Unreviewed, rolling out r145083.
+        http://trac.webkit.org/changeset/145083
+        https://bugs.webkit.org/show_bug.cgi?id=110733
+
+        caused lots crashes in http/tests/security/xssAuditor/* tests
+
+        * fast/frames/xss-auditor-handles-file-urls-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
+        * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-expected.txt:
+        * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
+        * http/tests/security/xssAuditor/cached-frame-expected.txt:
+        * http/tests/security/xssAuditor/cookie-injection-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-URL-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/form-action-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
+        * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
+        * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
+        * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
+        * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
+        * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
+        * http/tests/security/xssAuditor/get-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
+        * http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
+        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
+        * http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
+        * http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
+        * http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
+        * http/tests/security/xssAuditor/malformed-HTML-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/object-tag-expected.txt:
+        * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/open-attribute-body-expected.txt:
+        * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-03-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-01-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-02-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-03-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-04-expected.txt:
+        * http/tests/security/xssAuditor/post-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-long-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
+        * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-entities-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-redirect-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
+        * http/tests/security/xssAuditor/svg-animate-expected.txt:
+        * http/tests/security/xssAuditor/svg-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
+        * platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt:
+
 2013-03-07  Michelangelo De Simone  <michelangelo@webkit.org>
 
         [CSS Shaders] Implement hue and saturation non-separable blend modes
index a0ec981..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a71d8cc..2113c1d 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index d290c05..f362e22 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to filter.
index 7cef5ac..bf830e9 100644 (file)
@@ -1,4 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to invalid.
index f89b51b..82d14a1 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 2a7b4e6..f4481c2 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 5ce7021..00e488f 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 7797714..cec44b6 100644 (file)
@@ -1,5 +1,7 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 8cf4b86..0e8ee3c 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 124a236..9e216dc 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to allow.
index fee3e0c..3bb0254 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 48787f6..529fe94 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to filter.
index 565f6d9..c03f7b5 100644 (file)
@@ -1,4 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to invalid.
index 83ae308..23f8b59 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to unset.
index d624c43..9043c8d 100644 (file)
@@ -1,4 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1 ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to allow.
index 4b4049e..7a9df5d 100644 (file)
@@ -1,5 +1,7 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1 ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 5c85ac5..34f9d11 100644 (file)
@@ -1,4 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2 ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to filter.
index be4a0fe..f8725f0 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to invalid.
index 13fa6d9..77cf804 100644 (file)
@@ -1,4 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to unset.
index 4d1c16b..a3a56a5 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1 ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 3b8d974..f0207eb 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2 ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to filter.
index ef160f2..9ea5686 100644 (file)
@@ -1,4 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to invalid.
index 2825758..06bfd99 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to unset.
index ebb262b..65b2563 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
index 52187d9..1f444cb 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=_empty_&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 Tests that 'X-WebKit-CSP: reflected-xss' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
 
 
index 6584873..ac13987 100644 (file)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=filter&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 Tests that 'X-WebKit-CSP: reflected-xss filter;' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
 
 
index 841ef16..3adb073 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=invalid&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 Tests that 'X-WebKit-CSP: reflected-xss invalid' enables the XSSAuditor. This test passes if a console message is generated, and the script is allowed.
 
 
index 4b36633..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script> ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index deb1df0..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 296e98c..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index cf92ef4..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 43e5626..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#<script>alert('XS%41S')</script> ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index d74c8f7..55c3f47 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: This is a safe script.
 
index 55fc9ae..55c3f47 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: This is a safe script.
 
index 1a655e4..55c3f47 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: This is a safe script.
 
index dda9453..55c3f47 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: This is a safe script.
 
index 8d00e91..dd0f32c 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 7: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 5bd33a2..0084035 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-referrer.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 PASS frame.contentDocument is null
index c279323..a87e478 100644 (file)
@@ -1,5 +1,7 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 Check that an X-XSS-Protection header added by a 304 response does not override one from the original request.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
index ebfac72..0549e52 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: PASS
 
index 9c6cf07..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index abc7883..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 549a9d5..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index ecd1425..f0ecf3d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 72c3586..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 28b3ff8..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 9216d9c..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 0715f6a..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 8eb4320..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index c45e025..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 7031c12..d81af8e 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&notifyDone=1&showAction=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: Form action set to about:blank
 
index 76e469c..fd01e91 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: formaction present on BUTTON with value of about:blank
 
index ab2f8bb..e0ed30c 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 ALERT: formaction present on INPUT with value of about:blank
 
index 3d88b9e..baaa58a 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-base-href.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E
index 814de27..b2313da 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 
 
 --------
index 2aee139..70a44d3 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-iframe-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E
index eb75f67..d6b510f 100644 (file)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the header X-XSS-Protection is not inherited by the iframe below:
 
 
index 8a0e3c9..f70945c 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-javascript-link.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E
index 19bf755..2923d53 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-link-onclick.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E
index e3b66af..7660882 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-object-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E
index 3ede0eb..b2313da 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 
 
 --------
index 8b4f703..96d5934 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index d512474..218c85c 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 64e06e0..24e9451 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-with-source.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E
index d5a14a6..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 4ea172a..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 16b045c..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript:alert(document.domain)%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 77ec69f..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 6b52fc7..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 9342b34..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index ab0153d..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a513971..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 17278fb..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 4898a94..2a34c58 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
  Test that dangerous attributes are still filtered in netsted script contexts.
index 392cf78..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 79552d4..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 6892567..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index fe3441c..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index aabd96b..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 31f2cdd..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index b540f70..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 1d03bec..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index bb5d65f..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index bb0372f..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a6aa4d4..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index edfcf01..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index bde0eda..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 5750920..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 18c81cb..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 81176d5..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 18c81cb..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 9714eec..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 7c704dc..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index b0ba1d0..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index cf4d500..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3b7f214..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index eb43499..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 2daddd8..a9bed3f 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 Click me
index 0b5aa4f..1d4e1d2 100644 (file)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%3Cimg/src/onerror=alert(1)//%3C ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 
 --------
index ce889c0..5b7d712 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported.
 
 
index 61a96f9..1457e86 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
 
 
index 7f9a1d1..10570b2 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.
 
 
index 3b0142e..eb1256d 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
 
 
index f9f8d53..46c0a7d 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=5&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error
 
 
index 7833659..eed920b 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=6&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error
 
 
index 02ae1c3..5d41c3e 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=7&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error
 
 
index 1b7373d..3b0d4ac 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=8&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error
 
 
index 03f746d..d3f1b09 100644 (file)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=9&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error
 
 
index b7a8358..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 8a85c08..e0890f0 100644 (file)
@@ -1,4 +1,7 @@
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 62ab582..e0890f0 100644 (file)
@@ -1,4 +1,7 @@
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a3cbc80..e0890f0 100644 (file)
@@ -1,4 +1,7 @@
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 6b0d8e0..ecdb3c1 100644 (file)
@@ -1,3 +1,5 @@
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index ef096b6..9f5cdd6 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index e8f8f4e..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 527f2df..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 99be539..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3edacfb..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index cbb0832..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&clutter=xxx%22%3E%3C/iframe%3E&notifyDone=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 4d65aaa..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 641084f..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js? ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 45d484f..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 9c86410..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js? ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index d8cf02a..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index d3fe761..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=%22alert(1)// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 4ec3aae..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/ ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 343c9ba..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&q=%22%20%22%20onload=alert(3)%3C!-- ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index e330203..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 09866e6..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index baf491d..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 095069c..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53)) ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index e2c18e1..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532) ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 4a5f19a..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(1)-%22 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 9c9f0e1..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(2)-%27 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index b91000e..afd075e 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(3)-%27%22%27%22 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 332cb99..91b99bf 100644 (file)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection reports are sent out properly
 
 
index 3240ad9..e384ce0 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CSP report received:
 CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
index 6aa8f60..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a4d5c84..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 48a3ce2..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 6101b4d..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 91dac3c..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 52239f6..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a84e04b..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 9820341..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 77884ab..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a0a4040..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 0710937..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index ca1acf5..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index b4b60ca..650505a 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed.
index 0c4dd19..483ad77 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&q=%3Csvg%3E%3Cscript%3E%3C!--&q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with <!-- comments -->.
index d3fec94..c983c83 100644 (file)
@@ -1,3 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with nested script blocks.
index c602347..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Eal%00ert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 067ec23..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 4d201b6..60cfdb8 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 
index 4d201b6..60cfdb8 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 
index 4d201b6..60cfdb8 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 
index 067ec23..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 72d9b26..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 1e98127..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index b77faad..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index e4f2df6..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3c60da4..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 1f11046..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3b000a6..a5fe746 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 Test that the XSSAuditor's tolerance for the IIS webserver's comma concatenation doesn't open holes when the reflected argument contains an actual comma. The test passes if the XSSAuditor logs console messages and no alerts fire.
index 69a0fd5..5f99010 100644 (file)
@@ -1,7 +1,8 @@
 frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
 main frame - didFinishDocumentLoadForFrame
 frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 didDetectXSS
 frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
 frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
index 2719706..92ca40c 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
index 3d92c8a..92ca40c 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
index fef3961..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%u0061lert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index c5388a6..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 8dd6e8a..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(1%1)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 944e670..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 6ee6d0a..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22data:,alert(1)%22 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 2860a89..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)//&q2=%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 029ffea..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)%3C!----&q2=%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index f109797..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index e281903..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3e2708b..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 298c38c..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index e578e84..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a626e88..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 174d957..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 5d64b4b..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&q2=%22%3E%3C/script%3E&clutter=blah ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3e8649c..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&q2=%22%3E%3C/script%3E&clutter=blah ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 74b3984..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&q2=%22%3E%3C/script%3E&clutter=xss.js? ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index a801807..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index c093cb9..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index c941b82..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E/*&q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 6c3779b..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3E//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index c9b6071..cb6e6fc 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E%20%0a%3C!--&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 6: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 27b8a44..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index c615046..ff6f537 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 80c336b..e4bec8f 100644 (file)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
 
 
index a0aeecb..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index d5e141b..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5&notifyDone=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 239daa2..ae28ad4 100644 (file)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 79: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 
index d0ab996..8e1f42d 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis&notifyDone=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 3ede0eb..b2313da 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 
 
 --------
index 766ad79..7abcce5 100644 (file)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
 This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon. Although theoretically malformed, we tolerate this case without issuing an error.
 
 
index 073e569..caec2f6 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-03.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
index 423e335..cbb3401 100644 (file)
@@ -1,4 +1,6 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+CONSOLE MESSAGE: Entire page will be blocked.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-04.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
index 9731b1e..5306090 100644 (file)
@@ -1,2 +1,3 @@
-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%22%26%23x1javasc%09ript%3Aalert%28/XSS%05/%29%22%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
+
 
index 387caa4..cc4f694 100644 (file)
@@ -1,3 +1,23 @@
+2013-03-07  Rafael Weinstein  <rafaelw@chromium.org>
+
+        Unreviewed, rolling out r145083.
+        http://trac.webkit.org/changeset/145083
+        https://bugs.webkit.org/show_bug.cgi?id=110733
+
+        caused lots crashes in http/tests/security/xssAuditor/* tests
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::XSSAuditor):
+        (WebCore::XSSAuditor::init):
+        (WebCore::XSSAuditor::filterToken):
+        * html/parser/XSSAuditor.h:
+        * html/parser/XSSAuditorDelegate.cpp:
+        (WebCore::XSSAuditorDelegate::didBlockScript):
+        * html/parser/XSSAuditorDelegate.h:
+        (WebCore::XSSInfo::create):
+        (XSSInfo):
+        (WebCore::XSSInfo::XSSInfo):
+
 2013-03-07  Michelangelo De Simone  <michelangelo@webkit.org>
 
         [CSS Shaders] Implement hue and saturation non-separable blend modes
index 0c39acf..1a02644 100644 (file)
@@ -216,8 +216,6 @@ static bool semicolonSeparatedValueContainsJavaScriptURL(const String& value)
 XSSAuditor::XSSAuditor()
     : m_isEnabled(false)
     , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS)
-    , m_didSendValidCSPHeader(false)
-    , m_didSendValidXSSProtectionHeader(false)
     , m_state(Uninitialized)
     , m_scriptTagNestingLevel(0)
     , m_encoding(UTF8Encoding())
@@ -282,7 +280,6 @@ void XSSAuditor::init(Document* document)
 
         // Process the X-XSS-Protection header, then mix in the CSP header's value.
         ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
-        m_didSendValidXSSProtectionHeader = xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSUnset && xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
         if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) {
             xssProtectionReportURL = document->completeURL(reportURL);
             if (MixedContentChecker::isMixedContent(document->securityOrigin(), xssProtectionReportURL)) {
@@ -294,11 +291,9 @@ void XSSAuditor::init(Document* document)
         if (xssProtectionHeader == ContentSecurityPolicy::ReflectedXSSInvalid)
             document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": "  + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied.");
 
-        ContentSecurityPolicy::ReflectedXSSDisposition cspHeader = document->contentSecurityPolicy()->reflectedXSSDisposition();
-        m_didSendValidCSPHeader = cspHeader != ContentSecurityPolicy::ReflectedXSSUnset && cspHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
-
-        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader);
+        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, document->contentSecurityPolicy()->reflectedXSSDisposition());
         m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way.
+
         FormData* httpBody = documentLoader->originalRequest().httpBody();
         if (httpBody && !httpBody->isEmpty()) {
             httpBodyAsString = httpBody->flattenToString();
@@ -317,12 +312,11 @@ void XSSAuditor::init(Document* document)
         return;
     }
 
-    // If we discover XSS, we'll need this for reporting and console messages later on.
-    m_originalURL = m_documentURL.string().isolatedCopy();
-
-    // We'll only need the body for reporting.
-    if (!m_reportURL.isEmpty())
+    if (!m_reportURL.isEmpty()) {
+        // May need these for reporting later on.
+        m_originalURL = m_documentURL.string().isolatedCopy();
         m_originalHTTPBody = httpBodyAsString;
+    }
 }
 
 PassOwnPtr<XSSInfo> XSSAuditor::filterToken(const FilterTokenRequest& request)
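Review bot: The restored block leaves `m_originalURL` and `m_originalHTTPBody` empty whenever `m_reportURL` is empty, and that invariant is not stated anywhere; the `XSSInfo` later built from these members (in filterToken, below) will carry empty strings in the non-reporting case, which is exactly the situation the rolled-out console-message change tripped over. I would replace the one-line comment with `// Only populated when a report URL was configured; XSSInfo::m_originalURL / m_originalHTTPBody are empty otherwise, so consumers must not rely on them for logging.` The `isolatedCopy()` on the URL but not on the body also deserves a why-comment — presumably the auditor may run off the main thread (XSSInfo has `isSafeToSendToAnotherThread()`) and `httpBodyAsString` is already a fresh string from `flattenToString()`; worth confirming and noting. XSSAuditor::init starts before this hunk.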
@@ -343,7 +337,7 @@ PassOwnPtr<XSSInfo> XSSAuditor::filterToken(const FilterTokenRequest& request)
 
     if (didBlockScript) {
         bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
-        OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage, m_didSendValidXSSProtectionHeader, m_didSendValidCSPHeader);
+        OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage);
         if (!m_reportURL.isEmpty()) {
             m_reportURL = KURL();
             m_originalURL = String();
index b66b970..4cf8301 100644 (file)
@@ -103,10 +103,7 @@ private:
 
     KURL m_documentURL;
     bool m_isEnabled;
-
     ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
-    bool m_didSendValidCSPHeader;
-    bool m_didSendValidXSSProtectionHeader;
 
     String m_originalURL;
     String m_originalHTTPBody;
index 7fbd901..4a0fe3d 100644 (file)
@@ -55,32 +55,13 @@ XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
     ASSERT(m_document);
 }
 
-static inline String buildConsoleError(const XSSInfo& xssInfo)
-{
-    StringBuilder message;
-    message.append("The XSS Auditor ");
-    message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
-    message.append(" '");
-    message.append(xssInfo.m_originalURL);
-    message.append(" ' because ");
-    message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code");
-    message.append(" was found within the request.");
-
-    if (xssInfo.m_didSendCSPHeader)
-        message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
-    else if (xssInfo.m_didSendXSSProtectionHeader)
-        message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
-    else
-        message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
-
-    return message.toString();
-}
-
 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
 {
     ASSERT(isMainThread());
 
-    m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo));
+    // FIXME: Consider using a more helpful console message.
+    DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a JavaScript script. Source code of script found within request.\n")));
+    m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, consoleMessage);
 
     if (xssInfo.m_didBlockEntirePage)
         m_document->frame()->loader()->stopAllLoaders();
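Review bot: The restored console message literal ends in an embedded `"\n"`, which is what produces the extra blank line now added to every expectation file above (the `+` empty lines after each "Refused to execute" message); console messages are emitted one per line by the caller, so the newline is noise in the log. The line should be `DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a JavaScript script. Source code of script found within request.")));` with the expectation files updated accordingly. Since this hunk also switches the source from `JSMessageSource` to `SecurityMessageSource` and drops the URL from the message, the FIXME would be more useful if it named what was lost, e.g. `// FIXME: Report the blocked document URL and which header (X-XSS-Protection / CSP) selected this disposition.`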
@@ -102,8 +83,10 @@ void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
         PingLoader::sendViolationReport(m_document->frame(), xssInfo.m_reportURL, report);
     }
 
-    if (xssInfo.m_didBlockEntirePage)
+    if (xssInfo.m_didBlockEntirePage) {
+        m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, String("Entire page will be blocked."));
         m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), String("data:text/html,<p></p>"), blankURL());
+    }
 }
 
 } // namespace WebCore
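Review bot: The new console message is built with `String("Entire page will be blocked.")`, which allocates a fresh String on every call, while the message restored earlier in the same function uses `DEFINE_STATIC_LOCAL` with `ASCIILiteral`; the two should follow one convention. At minimum `m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, ASCIILiteral("Entire page will be blocked."));` avoids the copy. The same `if (xssInfo.m_didBlockEntirePage)` test appears twice in didBlockScript, once around `stopAllLoaders()` above and once here; a brief comment explaining why the violation report must be sent between the two (if that is the reason) would help the next reader.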
index d4991d4..7c10bcf 100644 (file)
@@ -39,9 +39,9 @@ class Document;
 
 class XSSInfo {
 public:
-    static PassOwnPtr<XSSInfo> create(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
+    static PassOwnPtr<XSSInfo> create(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage)
     {
-        return adoptPtr(new XSSInfo(reportURL, originalURL, originalHTTPBody, didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader));
+        return adoptPtr(new XSSInfo(reportURL, originalURL, originalHTTPBody, didBlockEntirePage));
     }
 
     bool isSafeToSendToAnotherThread() const;
@@ -50,18 +50,14 @@ public:
     String m_originalURL;
     String m_originalHTTPBody;
     bool m_didBlockEntirePage;
-    bool m_didSendXSSProtectionHeader;
-    bool m_didSendCSPHeader;
     TextPosition m_textPosition;
 
 private:
-    XSSInfo(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
+    XSSInfo(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage)
         : m_reportURL(reportURL)
         , m_originalURL(originalURL)
         , m_originalHTTPBody(originalHTTPBody)
         , m_didBlockEntirePage(didBlockEntirePage)
-        , m_didSendXSSProtectionHeader(didSendXSSProtectionHeader)
-        , m_didSendCSPHeader(didSendCSPHeader)
     { }
 };