XSSAuditor should send only one console error when blocking a page.
author    mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 7 Mar 2013 16:39:46 +0000 (16:39 +0000)
committer mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 7 Mar 2013 16:39:46 +0000 (16:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=110733

Reviewed by Daniel Bates.

Source/WebCore:

Currently, we send two console errors when XSSAuditor blocks a page:
"Refused to execute a JavaScript script. Source code of script found
within request.\n", and "Entire page will be blocked.".

We should only send one message, tuning it properly for the context, and
including the URL of the page affected by the XSSAuditor's work.

Covered by rebaselines of all the XSSAuditor and 'reflected-xss' tests.

* html/parser/XSSAuditor.cpp:
* html/parser/XSSAuditor.h:
(WebCore::XSSAuditor::XSSAuditor):
    Add two booleans to track the headers used to set the XSSAuditor state.
(WebCore::XSSAuditor::init):
    Save a copy of the document's URL even if we're not generating a
    report upon violation: we'll need it for the console messages. Also
    populate the didSendValidXXXHeader booleans for use later.
(WebCore::XSSAuditor::filterToken):
    Add detail about the header status to the constructed XSSInfo object.
* html/parser/XSSAuditorDelegate.cpp:
(WebCore::buildConsoleError):
    Move message construction out into a separate inlined function, as
    it's becoming complex.
(WebCore::XSSAuditorDelegate::didBlockScript):
    Fold the "Entire page will be blocked" message into the main console
    error.
* html/parser/XSSAuditorDelegate.h:
(WebCore::XSSInfo::create):
(WebCore::XSSInfo::XSSInfo):
    Add detail about header status to XSSInfo in order to correctly
    construct the console error.

LayoutTests:

* fast/frames/xss-auditor-handles-file-urls-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
* http/tests/security/xssAuditor/base-href-control-char-expected.txt:
* http/tests/security/xssAuditor/base-href-expected.txt:
* http/tests/security/xssAuditor/base-href-null-char-expected.txt:
* http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
* http/tests/security/xssAuditor/cached-frame-expected.txt:
* http/tests/security/xssAuditor/cookie-injection-expected.txt:
* http/tests/security/xssAuditor/dom-write-URL-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
* http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
* http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
* http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/embed-tag-expected.txt:
* http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/formaction-on-button-expected.txt:
* http/tests/security/xssAuditor/formaction-on-input-expected.txt:
* http/tests/security/xssAuditor/form-action-expected.txt:
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/get-from-iframe-expected.txt:
* http/tests/security/xssAuditor/iframe-injection-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
* http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
* http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
* http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
* http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
* http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
* http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-expected.txt:
* http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
* http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
* http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
* http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
* http/tests/security/xssAuditor/link-onclick-expected.txt:
* http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
* http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
* http/tests/security/xssAuditor/malformed-HTML-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
* http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/object-tag-expected.txt:
* http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/open-attribute-body-expected.txt:
* http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
* http/tests/security/xssAuditor/open-script-src-01-expected.txt:
* http/tests/security/xssAuditor/open-script-src-02-expected.txt:
* http/tests/security/xssAuditor/open-script-src-03-expected.txt:
* http/tests/security/xssAuditor/open-script-src-04-expected.txt:
* http/tests/security/xssAuditor/post-from-iframe-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
* http/tests/security/xssAuditor/property-escape-expected.txt:
* http/tests/security/xssAuditor/property-escape-long-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
* http/tests/security/xssAuditor/script-tag-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
* http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-redirect-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
* http/tests/security/xssAuditor/svg-script-tag-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
* platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145083 268f45cc-cd09-0410-ab3c-d52691b4dbfc
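The commit message above describes the decision the auditor makes from two response headers (X-XSS-Protection and the CSP 1.1 `reflected-xss` directive), records which of them was valid, and folds the outcome into a single console error that names the page URL. The Python model below is an added illustration for this page, not WebCore code and not the project's message text. It follows the documented X-XSS-Protection grammar (`0`, `1`, `1; mode=block`, `1; report=<url>`) and the `reflected-xss` keywords `allow`, `filter`, `block`; the precedence rule in `combine_dispositions()`, the message wording in `build_console_error()`, and the test URL are assumptions made for the example. It walks the same allow/block/filter/invalid/unset matrix the rebaselined `reflected-xss-and-xss-protection-*` tests enumerate and emits exactly one message per blocked load.

```python
from enum import IntEnum
from typing import List, Optional, Tuple


class Disposition(IntEnum):
    """Ordered so max() picks the stricter policy (see combine_dispositions)."""
    UNSET = 0    # header absent
    ALLOW = 1    # site opted out of filtering
    INVALID = 2  # header present but malformed
    FILTER = 3   # neutralise the injected script, render the rest of the page
    BLOCK = 4    # refuse to render the page at all


def parse_xss_protection(header: Optional[str]) -> Tuple[Disposition, Optional[str]]:
    """Parse X-XSS-Protection (0 | 1 | 1; mode=block | 1; report=<url>).
    Returns (disposition, report_url); anything outside the grammar is INVALID,
    so a caller can tell 'no header' apart from 'garbage header'."""
    if header is None:
        return Disposition.UNSET, None
    tokens = [t.strip() for t in header.split(";")]
    if tokens[0] == "0":
        return (Disposition.ALLOW, None) if len(tokens) == 1 else (Disposition.INVALID, None)
    if tokens[0] != "1":
        return Disposition.INVALID, None
    disposition, report_url, seen = Disposition.FILTER, None, set()
    for tok in tokens[1:]:
        name, sep, value = tok.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value or name in seen:  # bare token, empty value or duplicate
            return Disposition.INVALID, None
        seen.add(name)
        if name == "mode" and value.lower() == "block":
            disposition = Disposition.BLOCK
        elif name == "report":
            report_url = value
        else:
            return Disposition.INVALID, None
    return disposition, report_url


def parse_reflected_xss(csp: Optional[str]) -> Disposition:
    """Extract the CSP 1.1 reflected-xss directive (allow | filter | block)."""
    if csp is None:
        return Disposition.UNSET
    keywords = {"allow": Disposition.ALLOW, "filter": Disposition.FILTER,
                "block": Disposition.BLOCK}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "reflected-xss":
            if len(parts) != 2:
                return Disposition.INVALID
            return keywords.get(parts[1].lower(), Disposition.INVALID)
    return Disposition.UNSET


def combine_dispositions(xss_protection: Disposition, reflected_xss: Disposition) -> Disposition:
    """Assumed precedence for this example: the stricter header wins, and an
    absent or malformed header can never switch filtering off."""
    result = max(xss_protection, reflected_xss)
    if result in (Disposition.UNSET, Disposition.INVALID, Disposition.FILTER):
        return Disposition.FILTER
    return result


def build_console_error(document_url: str, disposition: Disposition,
                        drivers: List[str], malformed: List[str]) -> str:
    """One message carrying the URL, the outcome and the header(s) responsible.
    The wording is this example's own, not the browser's."""
    if disposition == Disposition.BLOCK:
        message = (f"The XSS Auditor refused to render '{document_url}' because a script's "
                   "source code was found within the request. The entire page has been blocked.")
    else:
        message = (f"The XSS Auditor refused to execute a script in '{document_url}' because "
                   "its source code was found within the request.")
    if len(drivers) == 2:
        message += (" The server sent both an 'X-XSS-Protection' and a "
                    "'Content-Security-Policy' header requesting this behavior.")
    elif drivers:
        article = "an" if drivers[0].startswith("X") else "a"
        message += f" The server sent {article} '{drivers[0]}' header requesting this behavior."
    elif malformed:
        names = " and ".join(f"'{h}'" for h in malformed)
        noun = "header" if len(malformed) == 1 else "headers"
        message += f" The server sent a malformed {names} {noun}, so the default filter mode applies."
    else:
        message += (" The auditor was enabled as the server sent neither an "
                    "'X-XSS-Protection' nor a 'Content-Security-Policy' header.")
    return message


def audit_response(document_url: str, xss_protection: Optional[str], csp: Optional[str]) -> List[str]:
    """Decide the mode from both headers and emit at most one console error."""
    xp_disp, _report_url = parse_xss_protection(xss_protection)
    csp_disp = parse_reflected_xss(csp)
    final = combine_dispositions(xp_disp, csp_disp)
    if final == Disposition.ALLOW:
        return []
    headers = (("X-XSS-Protection", xp_disp), ("Content-Security-Policy", csp_disp))
    drivers = [name for name, d in headers if d == final]
    malformed = [name for name, d in headers if d == Disposition.INVALID]
    return [build_console_error(document_url, final, drivers, malformed)]


if __name__ == "__main__":
    # Constructed URL; the matrix mirrors the layout tests' allow/block/filter/invalid/unset axes.
    url = "http://127.0.0.1:8000/security/xssAuditor/echo.html?q=%3Cscript%3E"
    xp = {"allow": "0", "block": "1; mode=block", "filter": "1", "invalid": "1; mode=blok", "unset": None}
    csp = {k: (None if k == "unset" else f"reflected-xss {'maybe' if k == 'invalid' else k}") for k in xp}
    for c_name, c_val in csp.items():
        for x_name, x_val in xp.items():
            msgs = audit_response(url, x_val, c_val)
            print(f"reflected-xss={c_name:7} X-XSS-Protection={x_name:7} -> {len(msgs)} message(s)")
```

Running the module prints one line per header combination; every non-allow cell yields exactly one message, which is the property the commit restores. Only the `allow` outcome, whether from `X-XSS-Protection: 0` or `reflected-xss allow`, produces no console output.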

208 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt
LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt
LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt
LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt
LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt
LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt
LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt
LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt
LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt
LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt
LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-redirect-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt
LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt
LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt
LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt
LayoutTests/platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp
Source/WebCore/html/parser/XSSAuditor.h
Source/WebCore/html/parser/XSSAuditorDelegate.cpp
Source/WebCore/html/parser/XSSAuditorDelegate.h

index 3707870..4318fd7 100644 (file)
@@ -1,3 +1,211 @@
+2013-03-07  Mike West  <mkwst@chromium.org>
+
+        XSSAuditor should send only one console error when blocking a page.
+        https://bugs.webkit.org/show_bug.cgi?id=110733
+
+        Reviewed by Daniel Bates.
+
+        * fast/frames/xss-auditor-handles-file-urls-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
+        * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-expected.txt:
+        * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
+        * http/tests/security/xssAuditor/cached-frame-expected.txt:
+        * http/tests/security/xssAuditor/cookie-injection-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-URL-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
+        * http/tests/security/xssAuditor/form-action-expected.txt:
+        * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
+        * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
+        * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
+        * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
+        * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
+        * http/tests/security/xssAuditor/get-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
+        * http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
+        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
+        * http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
+        * http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
+        * http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
+        * http/tests/security/xssAuditor/malformed-HTML-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/object-tag-expected.txt:
+        * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/open-attribute-body-expected.txt:
+        * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-01-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-02-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-03-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-04-expected.txt:
+        * http/tests/security/xssAuditor/post-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-long-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
+        * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-entities-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-redirect-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
+        * http/tests/security/xssAuditor/svg-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
+        * platform/chromium/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt:
+
 2013-03-07  Ian Vollick  <vollick@chromium.org>
 
         Fix painting phases for composited scrolling
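Review bot: the ChangeLog entry omits http/tests/security/xssAuditor/svg-animate-expected.txt, which is in this patch's changed-file list (between script-tag-with-trailing-comment5-expected.txt and svg-script-tag-expected.txt) but not in the "* ..." list above, which jumps from script-tag-with-trailing-comment5-expected.txt straight to svg-script-tag-expected.txt. Add "* http/tests/security/xssAuditor/svg-animate-expected.txt:" so the entry matches the set of rebaselined files.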
index afd075e..a0ec981 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
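Review bot: the URL quoted in the new message, 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E ', has no scheme and reads like the tail of a data: URL rather than the URL of the document being audited; worth checking what string is being handed to the message builder for file: documents before accepting this baseline. Two smaller points on the same line: there is a stray space before the closing quote ("...%3E '"), which recurs in every new expectation in this patch and suggests the format string or the URL value carries trailing whitespace, and "the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header" is odd wording for a file: URL, where no server is involved.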
index 2113c1d..a71d8cc 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
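Review bot: the attribution sentence is misleading in this expectation. The request carries csp=allow and enable-full-block=1, and the file is reflected-xss-and-xss-protection-allow-block, so the blocking disposition came from the X-XSS-Protection header, yet the message says "The server sent a 'Content-Security-Policy' header requesting this behavior." It looks as though the CSP wording is chosen whenever a valid reflected-xss directive was present, regardless of which header produced the final disposition; consider naming the header whose disposition actually won, or both when both were valid. The allow-filter, allow-invalid and filter-block expectations further down show the same pattern.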
index f362e22..d290c05 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to filter.
index bf830e9..7cef5ac 100644 (file)
@@ -1,5 +1,4 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to invalid.
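Review bot: the two console lines in this expectation contradict each other. Line 1 reports that X-XSS-Protection was malformed and "The default protections will be applied", while line 4 says "The server sent a 'Content-Security-Policy' header requesting this behavior" even though the request has csp=allow; the filtering here is the default applied after the parse failure, not something CSP asked for. Either the attribution should fall back to the "neither header" wording when the CSP disposition is allow, or the message should say which header's disposition was actually applied.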
index 82d14a1..f89b51b 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index f4481c2..2a7b4e6 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 00e488f..5ce7021 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index cec44b6..7797714 100644 (file)
@@ -1,7 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 0e8ee3c..8cf4b86 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 9e216dc..124a236 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&disable-protection=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to allow.
index 3bb0254..fee3e0c 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1 ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 529fe94..48787f6 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to filter.
index c03f7b5..565f6d9 100644 (file)
@@ -1,5 +1,4 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1 ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to invalid.
index 23f8b59..83ae308 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to unset.
index 9043c8d..d624c43 100644 (file)
@@ -1,5 +1,4 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1 ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&disable-protection=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to allow.
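Review bot: the attribution on the `+` line looks wrong for this case: the test title on the last context line says "X-XSS-Protection" is set to allow, yet the message says "The server sent an 'X-XSS-Protection' header requesting this behavior." A header that disables protection did not request filtering; filtering here is the fallback for the invalid `reflected-xss` value reported on the first context line. A boolean that only records "a parseable header was present" cannot tell "requested" from "overridden", so either pass the header's actual disposition into the message or use neutral wording such as "the 'reflected-xss' directive was invalid, so the default filter was applied".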
index 7a9df5d..4b4049e 100644 (file)
@@ -1,7 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1 ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 34f9d11..5c85ac5 100644 (file)
@@ -1,5 +1,4 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2 ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to filter.
index f8725f0..be4a0fe 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to invalid.
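Review bot: "The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header" is not true for this case: the two context lines directly above it show both headers were sent and rejected (invalid `reflected-xss` value, X-XSS-Protection parse error). The message should distinguish absent from present-but-invalid, e.g. "no valid 'X-XSS-Protection' or 'Content-Security-Policy' header", otherwise an operator debugging the parse error reads this as the header never having arrived. The same wording recurs in the other malformed- or invalid-header expectations further down (`malformed-header=1` with no csp, `csp=_empty_`, `csp=invalid`).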
index 77cf804..13fa6d9 100644 (file)
@@ -1,5 +1,4 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to unset.
index a3a56a5..4d1c16b 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1 ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index f0207eb..3b8d974 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2 ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to filter.
index 9ea5686..ef160f2 100644 (file)
@@ -1,5 +1,4 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to invalid.
index 06bfd99..2825758 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to unset.
index 65b2563..ebb262b 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/reflected-xss-block.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
index 1f444cb..52187d9 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=_empty_&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 Tests that 'X-WebKit-CSP: reflected-xss' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
 
 
index ac13987..6584873 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=filter&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
 Tests that 'X-WebKit-CSP: reflected-xss filter;' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
 
 
index 3adb073..841ef16 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value "invalid". Value values are "allow", "filter", and "block".
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=invalid&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 Tests that 'X-WebKit-CSP: reflected-xss invalid' enables the XSSAuditor. This test passes if a console message is generated, and the script is allowed.
 
 
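Review bot: the test description on the trailing context line says "This test passes if a console message is generated, and the script is allowed", but the rebaselined `+` line shows the auditor refusing to execute the script. The refusal predates this patch (the removed line said the same thing), so the description is what is stale; fix the wording in the test rather than the expectation. Separately, this is another case where "sent neither … header" is inaccurate, since the first context line shows a `Content-Security-Policy` header with an invalid `reflected-xss` value was received.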
index f0ecf3d..4b36633 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script> ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..deb1df0 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..296e98c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..cf92ef4 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..43e5626 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#<script>alert('XS%41S')</script> ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 55c3f47..d74c8f7 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: This is a safe script.
 
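Review bot: the message wording is script-specific ("refused to execute a script … because its source code was found within the request"), but what the auditor neutralized in this test is a `<base href>` attribute; the trailing "ALERT: This is a safe script." line shows the page's own script still ran. The same mismatch applies to the `<embed src>`, `<meta http-equiv="Set-Cookie">` and `<form action>`/`formaction` expectations later in the patch (e.g. "ALERT: Form action set to about:blank"). Consider a per-token message, or generic wording such as "refused to apply markup found within the request", so the console tells the developer which element or attribute was rewritten instead of claiming a script was blocked.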
index 55c3f47..55fc9ae 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: This is a safe script.
 
index 55c3f47..1a655e4 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: This is a safe script.
 
index 55c3f47..dda9453 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: This is a safe script.
 
index dd0f32c..8d00e91 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 7: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-location.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
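Review bot: now that the blocking message carries the full URL of the blocked document, it is worth confirming that it is attached to the audited frame's console and not the embedder's, because this test exists precisely to check that the embedder cannot learn that location. The two "Unsafe JavaScript attempt to access frame" context lines show the DOM-side check still holds, but they say nothing about where the console message is routed; a short comment in the test stating which document the message belongs to would make the intent explicit.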
index 0084035..5bd33a2 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/block-does-not-leak-referrer.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 PASS frame.contentDocument is null
index a87e478..c279323 100644 (file)
@@ -1,7 +1,5 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 Check that an X-XSS-Protection header added by a 304 response does not override one from the original request.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
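Review bot: the two identical `+` lines are expected here (the first load and the 304-revalidated load of `nph-cached.pl` both pass through the auditor), but nothing in the expectation says so, and with the URL now embedded the two lines are indistinguishable. A one-line note in the test, or a distinguishing query parameter on the second load, would make a future regression to one or three messages diagnosable at a glance.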
index 0549e52..ebfac72 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: PASS
 
index f0ecf3d..9c6cf07 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..abc7883 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..549a9d5 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index f0ecf3d..ecd1425 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..72c3586 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..28b3ff8 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..9216d9c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..0715f6a 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..8eb4320 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..c45e025 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index d81af8e..7031c12 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&notifyDone=1&showAction=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: Form action set to about:blank
 
index fd01e91..76e469c 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: formaction present on BUTTON with value of about:blank
 
index e0ed30c..ab2f8bb 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 ALERT: formaction present on INPUT with value of about:blank
 
index baaa58a..3d88b9e 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-base-href.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E
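Review bot: every rebaselined message, this hunk included, has a stray space between the URL and its closing quote ("...base-href/'%3E ' because ..."), so the quoted URL does not round-trip cleanly and anyone grepping console output for the exact document URL will pick up the trailing blank. Drop the space in the string that assembles the message (quote as "'" + url + "'") before landing, since fixing it later means rebaselining all of these expectation files a second time.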
index b2313da..814de27 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 
 
 --------
index 70a44d3..2aee139 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-iframe-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E
index d6b510f..eb75f67 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the header X-XSS-Protection is not inherited by the iframe below:
 
 
index f70945c..8a0e3c9 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-javascript-link.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E
index 2923d53..19bf755 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-link-onclick.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E
index 7660882..e3b66af 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-object-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E
index b2313da..3ede0eb 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 
 
 --------
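Review bot: the URL in this message has no query string ("echo-intertag.pl '"), unlike every other full-block expectation in the patch, so the message identifies the blocked document but gives no hint of which part of the request matched. If this test delivers its payload outside the query string (a request body, for instance), a one-line comment in the test explaining why the URL is bare would save the next reader from taking this for a broken rebaseline; if the URL should have carried a query, the expectation needs another look before it lands.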
index 96d5934..8b4f703 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-cross-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 218c85c..d512474 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
index 24e9451..64e06e0 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/full-block-script-tag-with-source.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E
index 8e1f42d..d5a14a6 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..4ea172a 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..16b045c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript:alert(document.domain)%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..77ec69f 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..6b52fc7 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..9342b34 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..ab0153d 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..a513971 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..17278fb 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 2a34c58..4898a94 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
  Test that dangerous attributes are still filtered in netsted script contexts.
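Review bot: the trailing context line, "Test that dangerous attributes are still filtered in netsted script contexts.", misspells "nested". The text comes from the test page rather than from this change, but since this expectation file is being rebaselined anyway it is the right moment to correct the spelling in the test and its expected output together rather than touch this file again later.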
index 8e1f42d..392cf78 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..79552d4 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=GBK&q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..6892567 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..fe3441c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..aabd96b 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..31f2cdd 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..b540f70 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..1d03bec 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..bb5d65f 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..bb0372f 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..a6aa4d4 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..edfcf01 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..bde0eda 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..5750920 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..18c81cb 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..81176d5 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..18c81cb 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 5306090..9714eec 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..7c704dc 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..b0ba1d0 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..cf4d500 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..3b7f214 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..eb43499 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index a9bed3f..2daddd8 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 Click me
index 1d4e1d2..0b5aa4f 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ca%3Cimg/src/onerror=alert(1)//%3C ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 
 --------
index 5b7d712..ce889c0 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported.
 
 
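Review bot: the new message states that the server sent neither an 'X-XSS-Protection' nor a 'Content-Security-Policy' header, but the console line directly above it says an X-XSS-Protection header was received and rejected as malformed ("The default protections will be applied"). The same contradiction is in the eight malformed-header hunks that follow (malformed-header=2 through 9). Since the booleans added by this patch track whether a valid header was sent, the text should say so, for example "because the server sent no valid 'X-XSS-Protection' or 'Content-Security-Policy' header", or add a third branch for the header-present-but-unparseable case, so a developer is not told that a header they can see in the response was absent.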
index 1457e86..61a96f9 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
 
 
index 10570b2..7f9a1d1 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.
 
 
index eb1256d..3b0142e 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
 
 
index 46c0a7d..f9f8d53 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=5&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error
 
 
index eed920b..7833659 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=6&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error
 
 
index 5d41c3e..02ae1c3 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=7&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error
 
 
index 3b0d4ac..1b7373d 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=8&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error
 
 
index d3f1b09..03f746d 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied.
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&malformed-header=9&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error
 
 
index 8e1f42d..b7a8358 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
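Review bot: "refused to execute a script" does not quite describe this hunk, where what was neutralised is a `<meta http-equiv="refresh">` whose url is a javascript: URL; the same wording is used further down for the `iframe src=javascript:` and `object data=javascript:` cases. Either pick a wording that covers script-bearing attributes and URLs as well as script elements (e.g. "blocked a script or script-bearing attribute"), or note in the XSSAuditorDelegate comment that "script" is used loosely for every token type the auditor filters.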
index e0890f0..8a85c08 100644 (file)
@@ -1,7 +1,4 @@
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
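Review bot: the three console lines in this hunk are byte-for-byte identical (the next two hunks show the same pattern), so a developer reading the console cannot tell which of the injected object/param/embed tokens each line refers to; with the URL now embedded, every repeat adds roughly 500 characters without adding information. Consider carrying the offending tag or attribute name in XSSInfo and appending it to the message, which would make the three lines distinguishable and would also make the per-script nature of the messages (one per blocked token, not one per page) obvious.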
index e0890f0..62ab582 100644 (file)
@@ -1,7 +1,4 @@
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index e0890f0..a3cbc80 100644 (file)
@@ -1,7 +1,4 @@
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ecdb3c1..6b0d8e0 100644 (file)
@@ -1,5 +1,3 @@
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 9f5cdd6..ef096b6 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 9: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..e8f8f4e 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..527f2df 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..99be539 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..3edacfb 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..cbb0832 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&clutter=xxx%22%3E%3C/iframe%3E&notifyDone=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..4d65aaa 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..641084f 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js? ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..45d484f 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..9c86410 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js? ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..d8cf02a 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..d3fe761 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=%22alert(1)// ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..4ec3aae 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/ ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..343c9ba 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&q=%22%20%22%20onload=alert(3)%3C!-- ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..e330203 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..09866e6 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..baf491d 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..095069c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53)) ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..e2c18e1 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532) ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..4a5f19a 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(1)-%22 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..9c9f0e1 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(2)-%27 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index afd075e..b91000e 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 3: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&q=%22%20onload=alert(3)-%27%22%27%22 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 91b99bf..332cb99 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 This tests that the X-XSS-Protection reports are sent out properly
 
 
index e384ce0..3240ad9 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CSP report received:
 CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
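Review bot: the quoted URL in the new message carries a stray space before the closing quote (`...PASSED.%3C/p%3E '` here, and the same in every other rebaselined message), which suggests either the message format or the URL string has trailing whitespace that should be trimmed where the message is built. Separately, the full URL, query string and reflected payload included, is now echoed verbatim into the console (compare the HTTP_REFERER line below), so it is worth confirming that no query parameters end up in the console that were not already exposed through the referrer.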
index 8e1f42d..6aa8f60 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..a4d5c84 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..48a3ce2 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..6101b4d 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?charset=Big5&q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..91dac3c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..52239f6 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..a84e04b 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..9820341 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..77884ab 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..a0a4040 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..0710937 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..ca1acf5 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 650505a..b4b60ca 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed.
index 483ad77..0c4dd19 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&q=%3Csvg%3E%3Cscript%3E%3C!--&q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with <!-- comments -->.
index c983c83..d3fec94 100644 (file)
@@ -1,5 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cscript%3Ealert(1)%3C/script%3E&q=%3Csvg%3E%3Cscript%3E&q2=alert(0)%3C/script%3E%3C/svg%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with nested script blocks.
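Review bot: the new expectation still has two byte-identical messages for a single document (both `line 4`, both the same URL), so in filter mode the change does not reach the one-message-per-page goal described for block mode; since the two lines cannot be told apart, consider either collapsing duplicate messages for the same document or including something that distinguishes the two blocked scripts.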
index 8e1f42d..c602347 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Eal%00ert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..067ec23 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 60cfdb8..4d201b6 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 
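Review bot: the URL in this message is `'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl '` with no query string, so for this expectation (and the two identical hunks that follow) the message no longer says anything about what was reflected; presumably the payload travelled in the request body rather than the URL, in which case noting in the message that the match came from the request body would keep it as informative as the query-string cases.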
index 60cfdb8..4d201b6 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 
index 60cfdb8..4d201b6 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 
index 8e1f42d..067ec23 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..72d9b26 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..1e98127 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..b77faad 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..e4f2df6 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..3c60da4 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..1f11046 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index a5fe746..3b000a6 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 Test that the XSSAuditor's tolerance for the IIS webserver's comma concatenation doesn't open holes when the reflected argument contains an actual comma. The test passes if the XSSAuditor logs console messages and no alerts fire.
index 5f99010..69a0fd5 100644 (file)
@@ -1,8 +1,7 @@
 frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
 main frame - didFinishDocumentLoadForFrame
 frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 didDetectXSS
 frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
 frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
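Review bot: in `neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header` the article is attached only to the first header name; `neither an 'X-XSS-Protection' nor a 'Content-Security-Policy' header` reads correctly, and since this string appears in every filter-mode expectation in the patch it is worth fixing in the format string before these baselines land.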
index 92ca40c..2719706 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
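Review bot: the unchanged description line in this hunk has pre-existing typos (`resovles` for resolves, `occuring` for occurring, `its as if` for it's as if), and the same line recurs in the next hunk; since both files are being rebaselined anyway, this is a cheap moment to fix the test's description text and its expectation together.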
index 92ca40c..3d92c8a 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
index 8e1f42d..fef3961 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%u0061lert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..c5388a6 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..8dd6e8a 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(1%1)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..944e670 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..6ee6d0a 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22data:,alert(1)%22 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..2860a89 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)//&q2=%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..029ffea 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Cb%3E***%3C/b%3E&q=%3Cscript%20src=%22data:,alert(1)%3C!----&q2=%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..f109797 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..e281903 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..3e2708b 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..298c38c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..e578e84 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..a626e88 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..174d957 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..5d64b4b 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&q2=%22%3E%3C/script%3E&clutter=blah ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..3e8649c 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&q2=%22%3E%3C/script%3E&clutter=blah ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..74b3984 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&q2=%22%3E%3C/script%3E&clutter=xss.js? ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..a801807 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..c093cb9 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..c941b82 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E/*&q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..6c3779b 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3E//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index cb6e6fc..c9b6071 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 6: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%20%3Ci%3E%3Cb%3E&q=%3Cscript%3E%20%0a%3C!--&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..27b8a44 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ff6f537..c615046 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 5: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=%3Ci%3E%3Cb%3E&q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index e4bec8f..80c336b 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
 
 
index 8e1f42d..a0aeecb 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 8e1f42d..d5e141b 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5&notifyDone=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index ae28ad4..239daa2 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: line 79: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
 
index 8e1f42d..d0ab996 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis&notifyDone=1 ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index b2313da..3ede0eb 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 
 
 --------
index 7abcce5..766ad79 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=2&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon. Although theoretically malformed, we tolerate this case without issuing an error.
 
 
index caec2f6..073e569 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-03.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
index cbb3401..423e335 100644 (file)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
-
-CONSOLE MESSAGE: Entire page will be blocked.
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E ' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,<p></p> from frame with URL http://127.0.0.1:8000/security/xssAuditor/xss-protection-parsing-04.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
 
 ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
index 5306090..9731b1e 100644 (file)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: line 14: Refused to execute a JavaScript script. Source code of script found within request.
-
+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3D%22%26%23x1javasc%09ript%3Aalert%28/XSS%05/%29%22%3Etest%3C/a%3E ' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
 
index 1e963ce..2c59867 100644 (file)
@@ -1,3 +1,42 @@
+2013-03-07  Mike West  <mkwst@chromium.org>
+
+        XSSAuditor should send only one console error when blocking a page.
+        https://bugs.webkit.org/show_bug.cgi?id=110733
+
+        Reviewed by Daniel Bates.
+
+        Currently, we send two console errors when XSSAuditor blocks a page:
+        "Refused to execute a JavaScript script. Source code of script found
+        within request.\n", and "Entire page will be blocked.".
+
+        We should only send one message, tuning it properly for the context, and
+        including the URL of the page effected by the XSSAuditor's work.
+
+        Covered by rebaselines of all the XSSAuditor and 'reflected-xss' tests.
+
+        * html/parser/XSSAuditor.cpp:
+        * html/parser/XSSAuditor.h:
+        (WebCore::XSSAuditor::XSSAuditor):
+            Add two booleans to track the headers used to set the XSSAuditor state.
+        (WebCore::XSSAuditor::init):
+            Save a copy of the document's URL even if we're not generating a
+            report upon violation: we'll need it for the console messages. Also
+            populate the didSendValidXXXHeader booleans for use later.
+        (WebCore::XSSAuditor::filterToken):
+            Add detail about the header status to the constructed XSSInfo object.
+        * html/parser/XSSAuditorDelegate.cpp:
+        (WebCore::buildConsoleError):
+            Move message construction out into a separate inlined function, as
+            it's becoming complex.
+        (WebCore::XSSAuditorDelegate::didBlockScript):
+            Fold the "Entire page will be blocked" message into the main console
+            error.
+        * html/parser/XSSAuditorDelegate.h:
+        (WebCore::XSSInfo::create):
+        (WebCore::XSSInfo::XSSInfo):
+            Add detail about header status to XSSInfo in order to correctly
+            construct the console error.
+
 2013-03-07  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Web Inspector: Add some more compilation annotations to NavigatorView
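Review bot: "the URL of the page effected by the XSSAuditor's work" should read "affected by". The entry also omits that didBlockScript now reports with JSMessageSource instead of SecurityMessageSource; if that switch is intended it deserves a line here, since the other auditor messages emitted from XSSAuditor::init still use SecurityMessageSource.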
index 1a02644..0c39acf 100644 (file)
@@ -216,6 +216,8 @@ static bool semicolonSeparatedValueContainsJavaScriptURL(const String& value)
 XSSAuditor::XSSAuditor()
     : m_isEnabled(false)
     , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS)
+    , m_didSendValidCSPHeader(false)
+    , m_didSendValidXSSProtectionHeader(false)
     , m_state(Uninitialized)
     , m_scriptTagNestingLevel(0)
     , m_encoding(UTF8Encoding())
@@ -280,6 +282,7 @@ void XSSAuditor::init(Document* document)
 
         // Process the X-XSS-Protection header, then mix in the CSP header's value.
         ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
+        m_didSendValidXSSProtectionHeader = xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSUnset && xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
         if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) {
             xssProtectionReportURL = document->completeURL(reportURL);
             if (MixedContentChecker::isMixedContent(document->securityOrigin(), xssProtectionReportURL)) {
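Review bot: m_didSendValidXSSProtectionHeader folds ReflectedXSSInvalid in with ReflectedXSSUnset, so a malformed header that already produced the "Error parsing header X-XSS-Protection" message in this function will later be described by buildConsoleError as the server having "sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header", which is not what happened. Track the invalid case separately, or word the fallback as "no valid header", so the two console messages do not contradict each other.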
@@ -291,9 +294,11 @@ void XSSAuditor::init(Document* document)
         if (xssProtectionHeader == ContentSecurityPolicy::ReflectedXSSInvalid)
             document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": "  + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied.");
 
-        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, document->contentSecurityPolicy()->reflectedXSSDisposition());
-        m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way.
+        ContentSecurityPolicy::ReflectedXSSDisposition cspHeader = document->contentSecurityPolicy()->reflectedXSSDisposition();
+        m_didSendValidCSPHeader = cspHeader != ContentSecurityPolicy::ReflectedXSSUnset && cspHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
 
+        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader);
+        m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way.
         FormData* httpBody = documentLoader->originalRequest().httpBody();
         if (httpBody && !httpBody->isEmpty()) {
             httpBodyAsString = httpBody->flattenToString();
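Review bot: the disposition that actually drives didBlockEntirePage is the result of `combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader)`, but buildConsoleError credits whichever header flag it checks first (CSP) rather than the header the combine selected; when both headers are present and disagree, the message may name the header that lost. Recording which header the combine chose, or naming both headers when both were sent, would keep the attribution honest. Also, the blank line that separated `m_reportURL = xssProtectionReportURL;` from `FormData* httpBody = documentLoader->originalRequest().httpBody();` has been dropped; please restore it.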
@@ -312,11 +317,12 @@ void XSSAuditor::init(Document* document)
         return;
     }
 
-    if (!m_reportURL.isEmpty()) {
-        // May need these for reporting later on.
-        m_originalURL = m_documentURL.string().isolatedCopy();
+    // If we discover XSS, we'll need this for reporting and console messages later on.
+    m_originalURL = m_documentURL.string().isolatedCopy();
+
+    // We'll only need the body for reporting.
+    if (!m_reportURL.isEmpty())
         m_originalHTTPBody = httpBodyAsString;
-    }
 }
 
 PassOwnPtr<XSSInfo> XSSAuditor::filterToken(const FilterTokenRequest& request)
@@ -337,7 +343,7 @@ PassOwnPtr<XSSInfo> XSSAuditor::filterToken(const FilterTokenRequest& request)
 
     if (didBlockScript) {
         bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
-        OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage);
+        OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage, m_didSendValidXSSProtectionHeader, m_didSendValidCSPHeader);
         if (!m_reportURL.isEmpty()) {
             m_reportURL = KURL();
             m_originalURL = String();
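Review bot: the unchanged lines after the new create() call still clear the URL together with the report URL (`m_reportURL = KURL();` followed by `m_originalURL = String();`). That was fine when the URL was only needed for the violation report, but this patch makes m_originalURL the source of every console message, so on a page that sent a report URL the second blocked script in the same document will be logged as "refused to execute a script in '' because ...". Only m_reportURL and m_originalHTTPBody should be reset here.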
index 4cf8301..b66b970 100644 (file)
@@ -103,7 +103,10 @@ private:
 
     KURL m_documentURL;
     bool m_isEnabled;
+
     ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
+    bool m_didSendValidCSPHeader;
+    bool m_didSendValidXSSProtectionHeader;
 
     String m_originalURL;
     String m_originalHTTPBody;
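Review bot: the blank line added between `bool m_isEnabled;` and `ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;` is unrelated whitespace churn. Either drop it, or use the grouping deliberately and add a one-line comment over m_xssProtection and the two new booleans stating that the booleans only record whether a parseable header was seen, not which header determined m_xssProtection.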
index 4a0fe3d..7fbd901 100644 (file)
@@ -55,13 +55,32 @@ XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
     ASSERT(m_document);
 }
 
+static inline String buildConsoleError(const XSSInfo& xssInfo)
+{
+    StringBuilder message;
+    message.append("The XSS Auditor ");
+    message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
+    message.append(" '");
+    message.append(xssInfo.m_originalURL);
+    message.append(" ' because ");
+    message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code");
+    message.append(" was found within the request.");
+
+    if (xssInfo.m_didSendCSPHeader)
+        message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
+    else if (xssInfo.m_didSendXSSProtectionHeader)
+        message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
+    else
+        message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
+
+    return message.toString();
+}
+
 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
 {
     ASSERT(isMainThread());
 
-    // FIXME: Consider using a more helpful console message.
-    DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a JavaScript script. Source code of script found within request.\n")));
-    m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, consoleMessage);
+    m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo));
 
     if (xssInfo.m_didBlockEntirePage)
         m_document->frame()->loader()->stopAllLoaders();
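Review bot: `message.append(" ' because ");` has a space before the closing quote, which is why every rebaselined expectation in this patch reads `'http://... ' because`; it should be `message.append("' because ");`. Separately, the call site changes the message source from SecurityMessageSource to JSMessageSource; the ChangeLog does not mention it and the parse-error message in XSSAuditor::init still uses SecurityMessageSource, so this looks accidental. If it is intentional, say why in the ChangeLog.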
@@ -83,10 +102,8 @@ void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
         PingLoader::sendViolationReport(m_document->frame(), xssInfo.m_reportURL, report);
     }
 
-    if (xssInfo.m_didBlockEntirePage) {
-        m_document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, String("Entire page will be blocked."));
+    if (xssInfo.m_didBlockEntirePage)
         m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), String("data:text/html,<p></p>"), blankURL());
-    }
 }
 
 } // namespace WebCore
index 7c10bcf..d4991d4 100644 (file)
@@ -39,9 +39,9 @@ class Document;
 
 class XSSInfo {
 public:
-    static PassOwnPtr<XSSInfo> create(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage)
+    static PassOwnPtr<XSSInfo> create(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
     {
-        return adoptPtr(new XSSInfo(reportURL, originalURL, originalHTTPBody, didBlockEntirePage));
+        return adoptPtr(new XSSInfo(reportURL, originalURL, originalHTTPBody, didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader));
     }
 
     bool isSafeToSendToAnotherThread() const;
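Review bot: create() now ends in three adjacent bools (didBlockEntirePage, didSendXSSProtectionHeader, didSendCSPHeader), and the caller in XSSAuditor::filterToken passes m_didSendValidXSSProtectionHeader and m_didSendValidCSPHeader positionally; same-typed neighbours like these transpose silently at the call site. The XSSAuditor members also carry "Valid" in their names while the XSSInfo fields drop it. Consider a small enum recording which header governed the disposition, or at least keep the names identical on both sides.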
@@ -50,14 +50,18 @@ public:
     String m_originalURL;
     String m_originalHTTPBody;
     bool m_didBlockEntirePage;
+    bool m_didSendXSSProtectionHeader;
+    bool m_didSendCSPHeader;
     TextPosition m_textPosition;
 
 private:
-    XSSInfo(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage)
+    XSSInfo(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
         : m_reportURL(reportURL)
         , m_originalURL(originalURL)
         , m_originalHTTPBody(originalHTTPBody)
         , m_didBlockEntirePage(didBlockEntirePage)
+        , m_didSendXSSProtectionHeader(didSendXSSProtectionHeader)
+        , m_didSendCSPHeader(didSendCSPHeader)
     { }
 };