<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[199525] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/199525">199525</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-04-13 19:29:55 -0700 (Wed, 13 Apr 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Remove experimental directive reflected-xss
https://bugs.webkit.org/show_bug.cgi?id=156554

Reviewed by Brent Fulgham.

Source/WebCore:

The Content Security Policy directive reflected-xss was removed from the Content Security
Policy Level 2 spec., &lt;https://w3c.github.io/webappsec-csp/2/&gt; (Editor's Draft, 29 August 2015).
This directive was considered experimental and was guarded by a run-time flag that was never
enabled by default. We should remove support for this directive.

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::XSSAuditor): Initialize m_xssProtection to XSSProtectionDisposition::Enabled.
(WebCore::XSSAuditor::init): Write logic in terms of enum class XSSProtectionDisposition.
(WebCore::XSSAuditor::filterToken): Ditto.
(WebCore::combineXSSProtectionHeaderAndCSP): Deleted.
* html/parser/XSSAuditor.h: Change data type of m_xssProtection from ContentSecurityPolicy::ReflectedXSSDisposition
to XSSProtectionDisposition.
* html/parser/XSSAuditorDelegate.cpp: Ditto.
(WebCore::buildConsoleError): Remove logic to emit a remark in the console error when an XSS is
blocked because of the directive reflected-xss. Also substituted &quot;because&quot; for &quot;as&quot; in the remark
added to the error message when the XSS Auditor is enabled because the server did not send HTTP
header X-XSS-Protection.
* html/parser/XSSAuditorDelegate.h:
(WebCore::XSSInfo::XSSInfo): Removed argument didSendCSPHeader as we are removing support for the
directive reflected-xss.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reflectedXSSDisposition): Deleted.
(WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS): Deleted.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Remove initialization
of m_reflectedXSSDisposition as we are removing support for the directive reflected-xss.
(WebCore::ContentSecurityPolicyDirectiveList::parseReflectedXSS): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Remove logic to parse directive reflected-xss.
* page/csp/ContentSecurityPolicyDirectiveList.h:
(WebCore::ContentSecurityPolicyDirectiveList::reflectedXSSDisposition): Deleted.
* page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* page/csp/ContentSecurityPolicyDirectiveNames.h:
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::isCSPDirectiveName):
(WebCore::isExperimentalDirectiveName): Deleted.
* platform/network/HTTPParsers.cpp:
(WebCore::parseXSSProtectionHeader): Write it in terms of enum class XSSProtectionDisposition.
* platform/network/HTTPParsers.h: Define enum class XSSProtectionDisposition. Change return type
of parseXSSProtectionHeader() from ContentSecurityPolicy::ReflectedXSSDisposition to XSSProtectionDisposition
as we are removing the former.

LayoutTests:

Remove tests for directive reflected-xss and update the expected results of existing XSS Auditor tests
to reflect the change made to the wording of the error message emitted when an XSS attack is blocked.

* fast/frames/xss-auditor-handles-file-urls-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Removed.
* http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Removed.
* http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
* http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
* http/tests/security/xssAuditor/base-href-control-char-expected.txt:
* http/tests/security/xssAuditor/base-href-expected.txt:
* http/tests/security/xssAuditor/base-href-null-char-expected.txt:
* http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
* http/tests/security/xssAuditor/cookie-injection-expected.txt:
* http/tests/security/xssAuditor/dom-write-URL-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
* http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
* http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
* http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
* http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/embed-tag-expected.txt:
* http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt:
* http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/form-action-expected.txt:
* http/tests/security/xssAuditor/formaction-on-button-expected.txt:
* http/tests/security/xssAuditor/formaction-on-input-expected.txt:
* http/tests/security/xssAuditor/frameset-injection-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
* http/tests/security/xssAuditor/get-from-iframe-expected.txt:
* http/tests/security/xssAuditor/iframe-injection-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
* http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
* http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
* http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
* http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt:
* http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
* http/tests/security/xssAuditor/img-tag-with-comma-expected.txt:
* http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
* http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
* http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-expected.txt:
* http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
* http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
* http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
* http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
* http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
* http/tests/security/xssAuditor/link-onclick-expected.txt:
* http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
* http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
* http/tests/security/xssAuditor/malformed-HTML-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
* http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
* http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/object-tag-expected.txt:
* http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/open-attribute-body-expected.txt:
* http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
* http/tests/security/xssAuditor/open-iframe-src-03-expected.txt:
* http/tests/security/xssAuditor/open-script-src-01-expected.txt:
* http/tests/security/xssAuditor/open-script-src-02-expected.txt:
* http/tests/security/xssAuditor/open-script-src-03-expected.txt:
* http/tests/security/xssAuditor/open-script-src-04-expected.txt:
* http/tests/security/xssAuditor/post-from-iframe-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
* http/tests/security/xssAuditor/property-escape-expected.txt:
* http/tests/security/xssAuditor/property-escape-long-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
* http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
* http/tests/security/xssAuditor/reflection-in-path-expected.txt:
* http/tests/security/xssAuditor/resources/echo-intertag.pl:
* http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
* http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
* http/tests/security/xssAuditor/script-tag-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
* http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
* http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
* http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-expected.txt:
* http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt:
* http/tests/security/xssAuditor/svg-animate-expected.txt:
* http/tests/security/xssAuditor/svg-script-tag-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfastframesxssauditorhandlesfileurlsexpectedtxt">trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationinlineeventexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationinlineeventnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationjavascriptURLexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocation2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefschemerelativeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorcookieinjectionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditordomwriteURLexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditordomwritelocationexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditordomwritelocationinlineeventexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditordomwritelocationjavascriptURLexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagcodeattribute2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagcodeattributeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtaginpathunterminatedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagjavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorformactionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorformactiononbuttonexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorformactiononinputexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorframesetinjectionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorfullblockiframenoinheritexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorgetfromiframeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframeinjectionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlmoreencodingexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturltwiceurlencodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturltwiceurlencode2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturltwiceurlencode3expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlurlencodedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframeonloadGBKcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframeonloadinsvgtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocpropertyblockedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrorGBKcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerroraccentedcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchardefaultencodingexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchar2defaultencodingexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchar2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgtagwithcommaexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-tag-with-comma-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorinlineeventHTMLentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiescontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiesnamedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiesnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkampersandexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinknullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkoneplusoneexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkurlencodedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickampersandexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclicknullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkopensnewwindowexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedHTMLexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader1expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader3expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader4expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader5expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader6expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader7expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader8expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader9expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshjavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjecttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjecttagjavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropenattributebodyexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropeneventhandleriframeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropeniframesrc01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropeniframesrc02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropeniframesrc03expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc03expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc04expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpostfromiframeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapecomment01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapecomment02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapecomment03expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeentity01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeentity02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeentity03expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapelongexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapequote01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapequote02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorpropertyescapequote03expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorreflectioninpathexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorresourcesechointertagpl">trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5charexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5chartwiceurlencode16bitunicodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5chartwiceurlencodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5char2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashesbackslashexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashesdoublequoteexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashesnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashessinglequoteexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagconvolutedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagexpressionfollowsexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttaginsidesvgtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttaginsidesvgtag2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttaginsidesvgtag3expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagnearstartexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagpostcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagpostexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagpostnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicodesurrogatepairexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode3expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode4expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode5expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithactualcommaexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcallbacksexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcomma01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcomma02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithfancyunicodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithinjectedcommentexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithinvalidclosingtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithinvalidurlencodingexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcecontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl3expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedoublequoteexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcenoquoteexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcenullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcerelativeschemeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcesamehostwithqueryexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceunterminated01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceunterminated02expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceunterminated03expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwiththreetimesurlencoded16bitunicodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcommentU2028expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcommentexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment2expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment3expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment4expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment5expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingscriptandurlencodeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorsvganimateexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorsvgscripttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypassbig5expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypasslongstringexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypasssjisexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorcpp">trunk/Source/WebCore/html/parser/XSSAuditor.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorh">trunk/Source/WebCore/html/parser/XSSAuditor.h</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorDelegatecpp">trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorDelegateh">trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamescpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamesh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkHTTPParserscpp">trunk/Source/WebCore/platform/network/HTTPParsers.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkHTTPParsersh">trunk/Source/WebCore/platform/network/HTTPParsers.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowfilterexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowfilterhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowinvalidhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowunsetexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowunsethtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockfilterexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockfilterhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockinvalidhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockunsetexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockunsethtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterfilterexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterfilterhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterinvalidhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterunsetexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterunsethtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidfilterexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidfilterhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidinvalidhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidunsetexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidunsethtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetfilterexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetfilterhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetinvalidhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetunsetexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetunsethtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssemptyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssemptyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssfilterexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssfilterhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssinvalidhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssparsingexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssparsinghtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesreflectedxssandxssprotectionjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/ChangeLog        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,241 @@
</span><ins>+2016-04-13  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Remove experimental directive reflected-xss
+        https://bugs.webkit.org/show_bug.cgi?id=156554
+
+        Reviewed by Brent Fulgham.
+
+        Remove tests for directive reflected-xss and update the expected results of existing XSS Auditor tests
+        to reflect the change made to the wording of the error message emitted when an XSS attack is blocked.
+
+        * fast/frames/xss-auditor-handles-file-urls-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Removed.
+        * http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Removed.
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
+        * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
+        * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-expected.txt:
+        * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
+        * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
+        * http/tests/security/xssAuditor/cookie-injection-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-URL-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
+        * http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/form-action-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
+        * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
+        * http/tests/security/xssAuditor/frameset-injection-expected.txt:
+        * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt:
+        * http/tests/security/xssAuditor/get-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/iframe-injection-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt:
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt:
+        * http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt:
+        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt:
+        * http/tests/security/xssAuditor/iframe-srcdoc-expected.txt:
+        * http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt:
+        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt:
+        * http/tests/security/xssAuditor/img-tag-with-comma-expected.txt:
+        * http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-control-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-null-char-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt:
+        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-expected.txt:
+        * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
+        * http/tests/security/xssAuditor/link-opens-new-window-expected.txt:
+        * http/tests/security/xssAuditor/malformed-HTML-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt:
+        * http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-expected.txt:
+        * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/object-tag-expected.txt:
+        * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/open-attribute-body-expected.txt:
+        * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-01-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-02-expected.txt:
+        * http/tests/security/xssAuditor/open-iframe-src-03-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-01-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-02-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-03-expected.txt:
+        * http/tests/security/xssAuditor/open-script-src-04-expected.txt:
+        * http/tests/security/xssAuditor/post-from-iframe-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-03-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-entity-03-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-long-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-01-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-02-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-quote-03-expected.txt:
+        * http/tests/security/xssAuditor/reflection-in-path-expected.txt:
+        * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-convoluted-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-entities-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt:
+        * http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt:
+        * http/tests/security/xssAuditor/svg-animate-expected.txt:
+        * http/tests/security/xssAuditor/svg-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt:
+        * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
+
</ins><span class="cx"> 2016-04-13  Michael Saboff  &lt;msaboff@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
</span></span></pre></div>
<a id="trunkLayoutTestsfastframesxssauditorhandlesfileurlsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
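Review bot: Check that the other auditor console wording was updated in the same pass; the added line here only rewrites the "sent neither ... nor" sentence so that it names 'X-XSS-Protection' alone. The deleted expectations further down in this revision show a second sentence, "The server sent a 'Content-Security-Policy' header requesting this behavior.", and no remaining message should credit a Content-Security-Policy header for an auditor decision once the directive is gone.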
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-ALERT: XSS
-Tests that 'X-WebKit-CSP: reflected-xss allow;' disables the XSSAuditor. This test passes if an alert is generated, and the script is allowed.
-
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,16 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script&gt;
-        if (window.testRunner) {
-            testRunner.dumpAsText();
-            testRunner.setXSSAuditorEnabled(true);
-        }
-    &lt;/script&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;p&gt;Tests that 'X-WebKit-CSP: reflected-xss allow;' disables the XSSAuditor.
-    This test passes if an alert is generated, and the script is allowed.&lt;/p&gt;
-    &lt;iframe src=&quot;http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/contentSecurityPolicy/1.1/reflected-xss-allow.html&amp;csp=allow&amp;amp;q=&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
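Review bot: A test for the opposite outcome should replace this one, and I do not see it in this part of the patch. The iframe line sent csp=allow and the page passed when the alert fired, so the directive used to switch the auditor off. A small page that issues the same request and expects the script to be refused would guard against 'reflected-xss allow' being honored again. If such a test already exists under xssAuditor, a pointer in the ChangeLog would be enough.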
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-ALERT: XSS
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;disable-protection=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to allow, and &quot;X-XSS-Protection&quot; is set to allow.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('allow', 'allow');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
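Review bot: The helper named on the script src line, '../resources/reflected-xss-and-xss-protection.js', should be deleted in this same revision together with its testMixedHeader function, since the pages that call it here are being removed. The csp query parameter that these tests pass to echo-intertag.pl deserves the same check: remove its handling from that script or note that it is kept on purpose, so no unused server-side switch is left in LayoutTests.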
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowblockexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;enable-full-block=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to allow, and &quot;X-XSS-Protection&quot; is set to block.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowblockhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('allow', 'block');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowfilterexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;valid-header=2' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;valid-header=2 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to allow, and &quot;X-XSS-Protection&quot; is set to filter.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowfilterhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('allow', 'filter');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowinvalidexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;malformed-header=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow&amp;malformed-header=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to allow, and &quot;X-XSS-Protection&quot; is set to invalid.
</del></span></pre></div>
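Review bot: Coverage for a malformed X-XSS-Protection header goes away with the first deleted line here, the parse error for '12345678901234567' and its fallback to the default protections, and that path belongs to X-XSS-Protection rather than to reflected-xss. Please confirm a test outside contentSecurityPolicy/1.1 still sends malformed-header=1 and checks both the parse-error message and that the script is refused.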
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowinvalidhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('allow', 'invalid');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowunsetexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-ALERT: XSS
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=allow into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to allow, and &quot;X-XSS-Protection&quot; is set to unset.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowunsethtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('allow', 'unset');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;disable-protection=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;disable-protection=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to block, and &quot;X-XSS-Protection&quot; is set to allow.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('block', 'allow');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockblockexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;enable-full-block=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to block, and &quot;X-XSS-Protection&quot; is set to block.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockblockhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('block', 'block');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockfilterexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;valid-header=2' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;valid-header=2 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to block, and &quot;X-XSS-Protection&quot; is set to filter.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockfilterhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('block', 'filter');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockinvalidexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;malformed-header=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block&amp;malformed-header=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to block, and &quot;X-XSS-Protection&quot; is set to invalid.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockinvalidhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('block', 'invalid');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockunsetexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=block into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to block, and &quot;X-XSS-Protection&quot; is set to unset.
</del></span></pre></div>
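Review bot: Sites that sent only the reflected-xss block directive lose full-page blocking with this removal, as the deleted 'blocked access' line for csp=block with X-XSS-Protection unset shows. That is a user-visible behavior change and should be stated in the ChangeLog, along with the fact that after this revision the auditor mode is taken from X-XSS-Protection, which is the only header the new console text refers to.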
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockunsethtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('block', 'unset');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;disable-protection=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;disable-protection=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to filter, and &quot;X-XSS-Protection&quot; is set to allow.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('filter', 'allow');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterblockexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;enable-full-block=1' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;enable-full-block=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to filter, and &quot;X-XSS-Protection&quot; is set to block.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterblockhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('filter', 'block');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterfilterexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;valid-header=2' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;valid-header=2 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to filter, and &quot;X-XSS-Protection&quot; is set to filter.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterfilterhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('filter', 'filter');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterinvalidexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;malformed-header=1' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter&amp;malformed-header=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to filter, and &quot;X-XSS-Protection&quot; is set to invalid.
</del></span></pre></div>
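Review bot: the first expected line is the X-XSS-Protection parse error ('expected semicolon at character position 2. The default protections will be applied.'), which concerns the header parser and not the reflected-xss directive. Before dropping this expectation, confirm that a test under security/xssAuditor still covers the fallback to default protections on a malformed header, or keep one that does.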
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterinvalidhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('filter', 'invalid');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterunsetexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=filter into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to filter, and &quot;X-XSS-Protection&quot; is set to unset.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterunsethtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('filter', 'unset');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;invalid&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;disable-protection=1' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;disable-protection=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to invalid, and &quot;X-XSS-Protection&quot; is set to allow.
</del></span></pre></div>
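Review bot: the console message on the first line reads 'Value values are' where 'Valid values are' was meant. Since the expectation is going away, make sure the string that produces this message is removed from the source too, so the misspelt text is not left behind as dead code.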
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('invalid', 'allow');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidblockexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;invalid&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;enable-full-block=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to invalid, and &quot;X-XSS-Protection&quot; is set to block.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidblockhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('invalid', 'block');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidfilterexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;invalid&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;valid-header=2' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;valid-header=2 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to invalid, and &quot;X-XSS-Protection&quot; is set to filter.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidfilterhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('invalid', 'filter');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidinvalidexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;invalid&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;malformed-header=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid&amp;malformed-header=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to invalid, and &quot;X-XSS-Protection&quot; is set to invalid.
</del></span></pre></div>
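Review bot: the third expected line ends with "The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.", so the auditor's default-case message names Content-Security-Policy as a way to configure it. If the reflected-xss directive is removed along with these tests, that wording should change as well; check the remaining xssAuditor expectations for the same sentence.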
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidinvalidhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('invalid', 'invalid');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidunsetexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;invalid&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;csp=invalid into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to invalid, and &quot;X-XSS-Protection&quot; is set to unset.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidunsethtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('invalid', 'unset');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetallowexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-ALERT: XSS
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;disable-protection=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to unset, and &quot;X-XSS-Protection&quot; is set to allow.
</del></span></pre></div>
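Review bot: the request URL here carries no csp= parameter and the first expected line is 'ALERT: XSS', which makes this the one case in the group where the reflected script actually runs (X-XSS-Protection set to allow, no reflected-xss directive). That is plain X-XSS-Protection behaviour, so confirm an equivalent test remains under security/xssAuditor and that disabling the auditor by header stays covered after this deletion.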
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetallowhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('unset', 'allow');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetblockexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;enable-full-block=1' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;enable-full-block=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to unset, and &quot;X-XSS-Protection&quot; is set to block.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetblockhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('unset', 'block');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetfilterexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;valid-header=2' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;valid-header=2 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to unset, and &quot;X-XSS-Protection&quot; is set to filter.
</del></span></pre></div>
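Review bot: Possible loss of unrelated coverage in this deleted expectation: the first line attributes the refusal to 'X-XSS-Protection' alone ("The server sent an 'X-XSS-Protection' header requesting this behavior"), and 'reflected-xss' is unset, so the case exercises plain X-XSS-Protection filtering and does not depend on the directive being removed. Before dropping it, confirm that a test under http/tests/security/xssAuditor/ still loads echo-intertag.pl with valid-header=2; otherwise move this case there.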
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetfilterhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('unset', 'filter');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetinvalidexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;malformed-header=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&amp;malformed-header=1 into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to unset, and &quot;X-XSS-Protection&quot; is set to invalid.
</del></span></pre></div>
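Review bot: The two console lines in this expectation disagree: the first reports a parse error for the header 'X-XSS-Protection: 12345678901234567', while the second says the auditor was enabled because the server sent neither header. The replacement wording used elsewhere in this change ("the server did not send an 'X-XSS-Protection' header") would be just as inaccurate for a malformed header, so keep a malformed-header=1 case under xssAuditor/ and consider giving that path its own message saying the header could not be parsed.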
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetinvalidhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('unset', 'invalid');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetunsetexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E into the IFrame.
-Testing behavior when &quot;reflected-xss&quot; is set to unset, and &quot;X-XSS-Protection&quot; is set to unset.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetunsethtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;body&gt;
-    &lt;script src='../resources/reflected-xss-and-xss-protection.js'&gt;&lt;/script&gt;
-    &lt;script&gt;testMixedHeader('unset', 'unset');&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssblockexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,12 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-CONSOLE MESSAGE: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;null&quot;.  The frame requesting access has a protocol of &quot;http&quot;, the frame being accessed has a protocol of &quot;data&quot;. Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=block&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
-Tests that 'X-WebKit-CSP: reflected-xss block;' enables the XSSAuditor. This test passes if a console message is generated, and the page is blocked. There should be no content in the IFrame below:
-
-
-
---------
-Frame: 'frame'
---------
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssblockhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,22 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script src=&quot;http://localhost:8000/security/xssAuditor/resources/utilities.js&quot;&gt;&lt;/script&gt;
-    &lt;script&gt;
-        if (window.testRunner) {
-            testRunner.dumpAsText();
-            testRunner.dumpChildFramesAsText();
-            testRunner.waitUntilDone();
-            testRunner.setXSSAuditorEnabled(true);
-        }
-    &lt;/script&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;p&gt;Tests that 'X-WebKit-CSP: reflected-xss block;' enables the XSSAuditor.
-    This test passes if a console message is generated, and the page is blocked.
-    There should be no content in the IFrame below:&lt;/p&gt;
-    &lt;iframe id=&quot;frame&quot;
-            onload=&quot;checkIfFrameLocationMatchesSrcAndCallDone('frame')&quot;
-            src=&quot;http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/contentSecurityPolicy/1.1/reflected-xss-block.html&amp;csp=block&amp;amp;q=&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssemptyexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=_empty_&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-Tests that 'X-WebKit-CSP: reflected-xss' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
-
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssemptyhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,16 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script&gt;
-        if (window.testRunner) {
-            testRunner.dumpAsText();
-            testRunner.setXSSAuditorEnabled(true);
-        }
-    &lt;/script&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;p&gt;Tests that 'X-WebKit-CSP: reflected-xss' enables the XSSAuditor.
-    This test passes if a console message is generated, and the script is blocked.&lt;/p&gt;
-    &lt;iframe src=&quot;http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/contentSecurityPolicy/1.1/reflected-xss-empty.html&amp;csp=_empty_&amp;amp;q=&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssfilterexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=filter&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The server sent a 'Content-Security-Policy' header requesting this behavior.
-Tests that 'X-WebKit-CSP: reflected-xss filter;' enables the XSSAuditor. This test passes if a console message is generated, and the script is blocked.
-
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssfilterhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,16 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script&gt;
-        if (window.testRunner) {
-            testRunner.dumpAsText();
-            testRunner.setXSSAuditorEnabled(true);
-        }
-    &lt;/script&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;p&gt;Tests that 'X-WebKit-CSP: reflected-xss filter;' enables the XSSAuditor.
-    This test passes if a console message is generated, and the script is blocked.&lt;/p&gt;
-    &lt;iframe src=&quot;http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/contentSecurityPolicy/1.1/reflected-xss-filter.html&amp;csp=filter&amp;amp;q=&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssinvalidexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;invalid&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?csp=invalid&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-Tests that 'X-WebKit-CSP: reflected-xss invalid' enables the XSSAuditor. This test passes if a console message is generated, and the script is allowed.
-
-
</del></span></pre></div>
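Review bot: The test description on the third line says the test passes if "the script is allowed", but the console message above it shows the XSS Auditor refused to execute the script. The deletion makes this moot; if the case survives in any form, correct the wording to "blocked".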
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssinvalidhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,16 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script&gt;
-        if (window.testRunner) {
-            testRunner.dumpAsText();
-            testRunner.setXSSAuditorEnabled(true);
-        }
-    &lt;/script&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;p&gt;Tests that 'X-WebKit-CSP: reflected-xss invalid' enables the XSSAuditor.
-    This test passes if a console message is generated, and the script is allowed.&lt;/p&gt;
-    &lt;iframe src=&quot;http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html&amp;csp=invalid&amp;amp;q=&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssparsingexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,42 +0,0 @@
</span><del>-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;blah&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;allow blah&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-CONSOLE MESSAGE: The 'reflected-xss' Content Security Policy directive has the invalid value &quot;blah allow&quot;. Value values are &quot;allow&quot;, &quot;filter&quot;, and &quot;block&quot;.
-Invalid 'reflected-xss' headers should generate console messages.
-
-
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
---------
-PASS
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame1--&gt;--&gt;'
---------
-PASS
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame2--&gt;--&gt;'
---------
-PASS
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame3--&gt;--&gt;'
---------
-PASS
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame4--&gt;--&gt;'
---------
-PASS
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame5--&gt;--&gt;'
---------
-PASS
-
---------
-Frame: '&lt;!--framePath //&lt;!--frame6--&gt;--&gt;'
---------
-PASS
</del></span></pre></div>
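Review bot: Every console expectation in this file carries the typo "Value values are" (for "Valid values are"), which means the misspelled string comes from the engine source. Make sure that source string is deleted together with the directive parsing so it is not left behind as dead text.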
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssparsinghtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,22 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script src='../resources/multiple-iframe-test.js'&gt;&lt;/script&gt;
-    &lt;script&gt;
-        var tests = [
-            ['yes', 'reflected-xss allow', 'resources/script.js'],
-            ['yes', 'reflected-xss filter', 'resources/script.js'],
-            ['yes', 'reflected-xss block', 'resources/script.js'],
-            ['yes', 'reflected-xss', 'resources/script.js'],
-            ['yes', 'reflected-xss blah', 'resources/script.js'],
-            ['yes', 'reflected-xss allow blah', 'resources/script.js'],
-            ['yes', 'reflected-xss blah allow', 'resources/script.js'],
-        ];
-    &lt;/script&gt;
-&lt;/head&gt;
-&lt;body onload=&quot;testExperimentalPolicy()&quot;&gt;
-    &lt;p&gt;
-        Invalid 'reflected-xss' headers should generate console messages.
-    &lt;/p&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
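Review bot: Missing replacement coverage for servers that still send the directive: all seven entries in the tests array, from 'reflected-xss allow' to 'reflected-xss blah allow', expect the script to load ('yes'), so what this test checked was the console warning. If the change does not add one elsewhere, keep a single case asserting that a policy containing 'reflected-xss' is now reported as an unrecognized directive and that the rest of the policy is still applied.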
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesreflectedxssandxssprotectionjs"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,40 +0,0 @@
</span><del>-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.setXSSAuditorEnabled(true);
-    testRunner.waitUntilDone();
-}
-
-function testMixedHeader(csp, xssProtection) {
-    var params = [
-        'q=&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;' + '/script&gt;'
-    ];
-    if (csp != 'unset')
-        params.push('csp='+csp);
-
-    if (xssProtection == 'allow')
-        params.push('disable-protection=1');
-    if (xssProtection == 'block')
-        params.push('enable-full-block=1');
-    if (xssProtection == 'filter')
-        params.push('valid-header=2');
-    if (xssProtection == 'invalid')
-        params.push('malformed-header=1');
-
-    var url = '/security/xssAuditor/resources/echo-intertag.pl?test=' + location.pathname;
-    url += params.join('&amp;amp;');
-
-    document.write('&lt;p&gt;Testing behavior when &quot;reflected-xss&quot; is set to ' + csp + ', and &quot;X-XSS-Protection&quot; is set to ' + xssProtection + '.');
-    document.write('&lt;iframe src=&quot;' + url + '&quot;&gt;&lt;/iframe&gt;');
-}
-
-function frameLoaded() {
-    var frame = document.querySelector('iframe');
-    try {
-      alert('Loaded ' + frame.contentWindow.location + ' into the IFrame.');
-    } catch (e) {
-      alert('Loaded cross-origin frame.');
-    }
-    testRunner.notifyDone();
-}
-
-window.onload = frameLoaded;
</del></span></pre></div>
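Review bot: In testMixedHeader the query string is built without a separator: url ends in 'test=' + location.pathname and the result of params.join(...) is appended directly, so the first entry, 'q=...', runs into the test value. That is harmless once the file is gone, but check that no remaining test includes resources/reflected-xss-and-xss-protection.js or copied this pattern. Note also that frameLoaded calls testRunner.notifyDone() without the window.testRunner guard used at the top of the file.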
<a id="trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?#&lt;script&gt;alert(String.fromCharCode(0x58,0x53,0x53))&lt;/script&gt;' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
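Review bot: Rebaseline completeness: the only change in this hunk is the trailing sentence, from "sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header" to "did not send an 'X-XSS-Protection' header", and the same substitution repeats across the xssAuditor expectations. Grep LayoutTests for the old phrase, including any platform-specific expected files, so that no stale baseline keeps the Content-Security-Policy wording.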
<a id="trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationinlineeventexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationinlineeventnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocationjavascriptURLexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoranchorurldomwritelocation2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#&lt;script&gt;alert('XS%41S')&lt;/script&gt;' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-unescaped-location.html?#&lt;script&gt;alert('XS%41S')&lt;/script&gt;' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefschemerelativeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorcookieinjectionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&amp;alert-cookie=1&amp;q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&amp;alert-cookie=1&amp;q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span></span></pre></div>
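Review bot: The + line still says the auditor "refused to execute a script", yet the reflected payload in this URL is a meta http-equiv="Set-Cookie" element, not a script, and the test passes on 'ALERT: PASS'. Since the sentence is being reworded anyway, consider phrasing that also fits non-script injections such as this one and the base href and form action cases, or state in the change description that the "script" wording is deliberately left as it is.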
<a id="trunkLayoutTestshttptestssecurityxssAuditordomwriteURLexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-URL.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditordomwritelocationexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.html?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditordomwritelocationinlineeventexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditordomwritelocationjavascriptURLexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.html?%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagcodeattribute2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute-2.html&amp;q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute-2.html&amp;q=%3Cembed%20code=//localhost:8000/fictional.swf%20allowscriptaccess=always%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagcodeattributeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute.html&amp;q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-code-attribute.html&amp;q=%3Cembed%20code=data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-control-char.html&amp;q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-control-char.html&amp;q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag.html&amp;q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag.html&amp;q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtaginpathunterminatedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-intertag.pl/%3Cembed%20height=%22500%22src=%22https://127.0.0.1:8443/security/xssAuditor/resources/dummy.swf%22.xml&amp;clutter=%3Cp%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-intertag.pl/%3Cembed%20height=%22500%22src=%22https://127.0.0.1:8443/security/xssAuditor/resources/dummy.swf%22.xml&amp;clutter=%3Cp%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> Check that the XSSAuditor catches reflected tags in path components
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagjavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-javascript-url.html&amp;q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-javascript-url.html&amp;q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-null-char.html&amp;q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-null-char.html&amp;q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorformactionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&amp;q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&amp;notifyDone=1&amp;showAction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&amp;q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&amp;notifyDone=1&amp;showAction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: Form action set to about:blank
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorformactiononbuttonexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&amp;q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&amp;notifyDone=1&amp;showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&amp;q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&amp;notifyDone=1&amp;showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: formaction present on BUTTON with value of about:blank
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorformactiononinputexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&amp;q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&amp;notifyDone=1&amp;showFormaction=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&amp;q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&amp;notifyDone=1&amp;showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: formaction present on INPUT with value of about:blank
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorframesetinjectionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/frameset-injection.html&amp;inHead=1&amp;q=%3Cframeset%3E%3Cframe%20src='data:text/html,%3Cscript%3Ealert(0)%3C/script%3E'%3E%3C/frameset%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/frameset-injection.html&amp;inHead=1&amp;q=%3Cframeset%3E%3Cframe%20src='data:text/html,%3Cscript%3Ealert(0)%3C/script%3E'%3E%3C/frameset%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorfullblockiframenoinheritexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-no-inherit.html&amp;q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-no-inherit.html&amp;q=%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the header X-XSS-Protection is not inherited by the iframe below:
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
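Review bot: In this expectation the new sentence "the server did not send an 'X-XSS-Protection' header" sits directly above a description saying the header is not inherited by the iframe, which implies the embedding page does send it. A reader of the console could take "the server" to mean the top-level response, so consider wording tied to the quoted URL, for example "the response for this document did not include an 'X-XSS-Protection' header".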
<a id="trunkLayoutTestshttptestssecurityxssAuditorgetfromiframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=%2Fsecurity%2FxssAuditor%2Fget-from-iframe.html&amp;notifyDone=1&amp;q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=%2Fsecurity%2FxssAuditor%2Fget-from-iframe.html&amp;notifyDone=1&amp;q=%3Cscript%3Ealert%28String.fromCharCode%280x58%2C0x53%2C0x53%29%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframeinjectionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-injection.html&amp;q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-injection.html&amp;q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url.html&amp;q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url.html&amp;q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlmoreencodingexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-more-encoding.html&amp;q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-more-encoding.html&amp;q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturltwiceurlencodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode.html&amp;q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode.html&amp;q=%3Ciframe%20src=%22javascript:%20%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturltwiceurlencode2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html&amp;q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html&amp;q=%3Ciframe%20src=%22javascript:%20//%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturltwiceurlencode3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html&amp;q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html&amp;q=%3Ciframe%20src=%22javascript://%250Aalert(String.fromCharCode(0x58,0x53,0x53))%22%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlurlencodedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-url-encoded.html&amp;q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-url-encoded.html&amp;q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframeonloadGBKcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-GBK-char.html&amp;charset=GBK&amp;q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-GBK-char.html&amp;charset=GBK&amp;q=%3Ciframe%20onload=%C7Ojavascript:alert(document.domain)%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframeonloadinsvgtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-in-svg-tag.html&amp;q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-onload-in-svg-tag.html&amp;q=%3Csvg%3E%3Cscript%3E%3Ciframe%20onload=alert(0)%3E%3C/iframe%3E%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">  Test that dangerous attributes are still filtered in netsted script contexts.
</span></span></pre></div>
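Review bot: the unchanged context line after the '+' line reads "netsted script contexts"; since this expected file is being rebaselined anyway, correct it to "nested". This is recorded test output, so the spelling fix has to land in the test page that prints the sentence in the same commit, otherwise the expectation stops matching.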
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-srcdoc.html&amp;q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-srcdoc.html&amp;q=%3Ciframe%20srcdoc=%3Cscript%3Ealert(/FAIL/)%3C/script%3E%20%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocpropertyblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-frame-src.pl?q=%22srcdoc=%22%3Cscript%3Ealert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-frame-src.pl?q=%22srcdoc=%22%3Cscript%3Ealert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> Catch injected srcdoc properties when there is punctuation enabling the auditor
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrorGBKcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-GBK-char.html&amp;charset=GBK&amp;q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-GBK-char.html&amp;charset=GBK&amp;q=%3Cimg%20src=%201%20onerror=%C7Ojavascript:alert(document.domain)%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerroraccentedcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-accented-char.html&amp;q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-accented-char.html&amp;q=%3Cimg%20src=%C3%A4%20onerror=alert(%27%C3%A4%27)%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchardefaultencodingexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char.html&amp;q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char.html&amp;q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchar2defaultencodingexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchar2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char2.html&amp;q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char2.html&amp;q=%3Cimg+src=%220%22+onerror=%22/%80/%3Balert(document.domain)%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgtagwithcommaexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-tag-with-comma-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-tag-with-comma-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-tag-with-comma-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-tag-with-comma.html&amp;clutter=,&amp;q=%3cimg%20src=x%20onerror=%22[]&amp;q2=alert(1)%22%3c' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-tag-with-comma.html&amp;clutter=,&amp;q=%3cimg%20src=x%20onerror=%22[]&amp;q2=alert(1)%22%3c' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&amp;a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
</span></span></pre></div>
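Review bot: the description in the last context line has three slips that are worth cleaning up while the file is touched: "resovles" (resolves), "multiply occuring" (multiply occurring) and "its as if" (it's as if). The sentence is the only place the parameter-concatenation case (?a=1 and a=2 becoming ?a=1,2) is documented for this test, so it should read cleanly; change it in the test page as well so the expected output keeps matching.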
<a id="trunkLayoutTestshttptestssecurityxssAuditorinlineeventHTMLentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/inline-event-HTML-entities.html&amp;q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/inline-event-HTML-entities.html&amp;q=%3Cimg%20src=1%20onerror=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2349%26%2341%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiescontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x05%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
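Review bot: the only difference in the + line is the trailing reason clause, which no longer names 'Content-Security-Policy'. This expectation and its siblings cover only the case where no 'X-XSS-Protection' header is sent, so nothing in this hunk shows what is logged when a response carries a Content-Security-Policy header. If that is not covered elsewhere in this revision, add an expectation for a response that sends Content-Security-Policy without X-XSS-Protection, so the new wording is tested in the one case where it differs from the old.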
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiesnamedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2397%26%23108%26%23101%26%23114%26%23116%26%2340%26%2339%26copy%26%2339%26%2341%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkHTMLentitiesnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3D%26%23x0000006a%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3a%26%23x61%26%23x6c%26%23x00%26%23x65%26%23x72%26%23x74%26%23x28%26%23x31%26%23x29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkampersandexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS%05/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinknullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aal%00ert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkoneplusoneexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorjavascriptlinkurlencodedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 14: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&amp;q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickampersandexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-ampersand.html&amp;q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-ampersand.html&amp;q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-control-char.html&amp;q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-control-char.html&amp;q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-entities.html&amp;q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-entities.html&amp;q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick.html&amp;q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick.html&amp;q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclicknullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-null-char.html&amp;q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-null-char.html&amp;q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkopensnewwindowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-opens-new-window.html&amp;notifyDone=1&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-opens-new-window.html&amp;notifyDone=1&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> Click me
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedHTMLexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-HTML.html&amp;q=%3Ca%3Cimg/src/onerror=alert(1)//%3C' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-HTML.html&amp;q=%3Ca%3Cimg/src/onerror=alert(1)//%3C' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader1expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-1.html&amp;notifyDone=1&amp;malformed-header=1&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-1.html&amp;notifyDone=1&amp;malformed-header=1&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
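Review bot: the + line says the auditor was enabled "because the server did not send an 'X-XSS-Protection' header", but the unchanged first line of this expectation reports "Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied." The server did send the header and it was rejected as malformed, so the two console messages contradict each other for anyone debugging a misconfigured response. Suggest a distinct reason string for the parse-failure path (the header was invalid and defaults were applied), or omitting the reason clause when a parse error has already been logged. The same mismatch appears in the malformed-xss-protection-header-2, -3 and -4 expectations.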
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-2.html&amp;notifyDone=1&amp;malformed-header=2&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-2.html&amp;notifyDone=1&amp;malformed-header=2&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-3.html&amp;notifyDone=1&amp;malformed-header=3&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-3.html&amp;notifyDone=1&amp;malformed-header=3&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
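Review bot: the new line 4 expectation says the server did not send an 'X-XSS-Protection' header, yet line 1 of the same file reports "Error parsing header X-XSS-Protection: 1; mode=purple", so the header was sent and then rejected. For the malformed-header cases (this file and the -4 through -9 expectations that follow) the reason should say the header was invalid and the default protections were applied. As written, someone debugging from the console will look for a missing header rather than a bad value. Suggest a separate message for the parse-failure path, or wording such as "did not send a valid 'X-XSS-Protection' header".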
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader4expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-4.html&amp;notifyDone=1&amp;malformed-header=4&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-4.html&amp;notifyDone=1&amp;malformed-header=4&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader5expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-5.html&amp;notifyDone=1&amp;malformed-header=5&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-5.html&amp;notifyDone=1&amp;malformed-header=5&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader6expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-6.html&amp;notifyDone=1&amp;malformed-header=6&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-6.html&amp;notifyDone=1&amp;malformed-header=6&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader7expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-7.html&amp;notifyDone=1&amp;malformed-header=7&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-7.html&amp;notifyDone=1&amp;malformed-header=7&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader8expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-8.html&amp;notifyDone=1&amp;malformed-header=8&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-8.html&amp;notifyDone=1&amp;malformed-header=8&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
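Review bot: the description line kept as context reads "an duplicate mode directive". Since this expected file is being touched anyway, correct the test's description to "a duplicate mode directive" and regenerate; the -9 expectation already uses "a duplicate report directive".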
<a id="trunkLayoutTestshttptestssecurityxssAuditormalformedxssprotectionheader9expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied.
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-9.html&amp;notifyDone=1&amp;malformed-header=9&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/malformed-xss-protection-header-9.html&amp;notifyDone=1&amp;malformed-header=9&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditormetataghttprefreshjavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3B+url%3Djavascript%3Aalert%28document.domain%29%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
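Review bot: the replacement line drops 'Content-Security-Policy' from the reason, which implies that the presence of a CSP header no longer affects whether the auditor is enabled. The old wording ("sent neither") shows these responses carried no CSP header, so the expectations in this part of the change only confirm the new string, not the new behaviour. Please add, or point to, a test whose response carries a Content-Security-Policy header without X-XSS-Protection and asserts that the auditor still blocks the reflected payload.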
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
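Review bot: the three rewritten lines still say the auditor "refused to execute a script", but the reflected q= value in this test is object and embed markup pointing at dummy.swf%05, with no script in it. As the message string is being reworded in this change, consider making the first clause accurate for plugin loads too, so the console output matches what was actually blocked. The same applies to the object-embed-tag, object-embed-tag-null-char and object-tag expectations.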
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjecttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
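Review bot: both rewritten lines in object-tag-expected.txt drop the 'Content-Security-Policy' clause from the enablement reason, but this expectation comes from a response that sends neither header, so it cannot tell the old rule apart from the new one. The new wording implies that only a missing 'X-XSS-Protection' header decides whether the auditor runs. If the changeset does not already cover it, add a test whose response sends a Content-Security-Policy header without an X-XSS-Protection header and assert on the console message it produces, so the behaviour behind the reworded text is pinned down rather than only the text.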
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjecttagjavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag-javascript-url.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag-javascript-url.html&amp;relay-target-ids-for-event=beforeload&amp;q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropenattributebodyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropeneventhandleriframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-event-handler-iframe.html&amp;q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-event-handler-iframe.html&amp;q=%3Ciframe%20onload=alert(String.fromCharCode(0x58,0x53,0x53))//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropeniframesrc01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropeniframesrc02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Ciframe%20src=javascript:alert(1)%3B//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropeniframesrc03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-iframe-src-03.html&amp;q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&amp;clutter=xxx%22%3E%3C/iframe%3E&amp;notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/open-iframe-src-03.html&amp;q=%3Ciframe%20src=%22javascript:alert(1)%3B%e2%80%a8--%3E&amp;clutter=xxx%22%3E%3C/iframe%3E&amp;notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoropenscriptsrc04expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-inspan.pl?q=%3Cobject%20data=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpostfromiframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapecomment01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=%22alert(1)//' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=%22alert(1)//' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapecomment02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(2)/' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapecomment03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&amp;q=%22%20%22%20onload=alert(3)%3C!--' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=%3cdiv%3e&amp;q=%22%20%22%20onload=alert(3)%3C!--' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeentity01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&amp;q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&amp;q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))%26%23x2f%26%2347' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeentity02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&amp;q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&amp;q=%22%20onload=alert(String.fromCharCode(0x58,0x53,0x53))-%26quot' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeentity03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&amp;q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=blah&amp;q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))-%26' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(String.fromCharCode(0x58,0x53,0x53))' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapelongexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532)' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%20onload=%22alert(111%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532%2532)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapequote01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=alert(1)-%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=alert(1)-%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapequote02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=alert(2)-%27' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=alert(2)-%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorpropertyescapequote03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=alert(3)-%27%22%27%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?clutter=5xyzblah&amp;q=%22%20onload=alert(3)-%27%22%27%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorreflectioninpathexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-form-action.pl/%22%20onmouseover=%22JavaScript:alert(document.domain)%22%20name=%22?m=login' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-form-action.pl/%22%20onmouseover=%22JavaScript:alert(document.domain)%22%20name=%22?m=login' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorresourcesechointertagpl"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -65,14 +65,6 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-if (defined($cgi-&gt;param('csp'))) {
-    if ($cgi-&gt;param('csp') eq '_empty_') {
-        print &quot;X-WebKit-CSP: reflected-xss\n&quot;;
-    } else {
-        print &quot;X-WebKit-CSP: reflected-xss &quot; . $cgi-&gt;param('csp') . &quot;\n&quot;;
-    }
-}
-
</del><span class="cx"> print &quot;Content-Type: text/html; charset=&quot;;
</span><span class="cx"> print $cgi-&gt;param('charset') ? $cgi-&gt;param('charset') : &quot;UTF-8&quot;;
</span><span class="cx"> print &quot;\n\n&quot;;
</span></span></pre></div>
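Review bot: With the 'csp' branch removed from echo-intertag.pl, a request that still carries a csp= query parameter is now silently ignored and the response goes out with no X-WebKit-CSP header, so any test left pointing at this script with csp= would keep running and could pass or fail for a reason unrelated to what it was written to check. Please confirm that every layout test that passed csp= to this script is deleted or rewritten in this same revision. If a caller has to remain for now, having the script reject an unexpected csp parameter would be safer than dropping it quietly.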
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5charexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char.html&amp;charset=Big5&amp;q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char.html&amp;charset=Big5&amp;q=%3Cscript%20%89g%3Ealert(location)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5chartwiceurlencode16bitunicodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-16bit-unicode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&amp;q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?charset=Big5&amp;q=%3Cscript%3Ealert(/XS%u00252581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5chartwiceurlencodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char-twice-url-encode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char-twice-url-encode.html&amp;charset=Big5&amp;q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char-twice-url-encode.html&amp;charset=Big5&amp;q=%3Cscript%3Ealert(/XS%2581SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagBig5char2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-Big5-char2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char2.html&amp;charset=Big5&amp;q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-Big5-char2.html&amp;charset=Big5&amp;q=%3Cscript%3Ealert(/XS%81SS/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashesbackslashexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%5C/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashesdoublequoteexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%22/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashesnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%00/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagaddslashessinglequoteexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-addslashes.pl?q=%3Cscript%3Evar+bogus%3D/%27/%3Balert%280%29%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-control-char.html&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-control-char.html&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//h%01%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagconvolutedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-convoluted-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-convoluted.html&amp;q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-convoluted.html&amp;q=%3Cscript%3Edocument.write(%22scri%22)%3C/script%3Ept%20src=%22xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-entities-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-entities.html&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-entities.html&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag.html&amp;q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag.html&amp;q=%3Cscraaa%3E%3Cscriaa%3E%3Cscripa%3E%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagexpressionfollowsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-expression-follows.html&amp;script-expression-follows=1&amp;q=%3Cscript%3Ealert('XSS')' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-expression-follows.html&amp;script-expression-follows=1&amp;q=%3Cscript%3Ealert('XSS')' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttaginsidesvgtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag.html&amp;q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag.html&amp;q=%3Csvg%3E%3Cscript%3E%2f%2f%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttaginsidesvgtag2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag2.html&amp;clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&amp;q=%3Csvg%3E%3Cscript%3E%3C!--&amp;q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag2.html&amp;clutter=%3Cdiv%3E%3Ci%3Ex%3C/i%3E%3C/div%3E&amp;q=%3Csvg%3E%3Cscript%3E%3C!--&amp;q2=--%3E%26%23x0a%3balert%26%23x28%3bString.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with &lt;!-- comments --&gt;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttaginsidesvgtag3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&amp;clutter=%3Cscript%3Ealert(1)%3C/script%3E&amp;q=%3Csvg%3E%3Cscript%3E&amp;q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&amp;clutter=%3Cscript%3Ealert(1)%3C/script%3E&amp;q=%3Csvg%3E%3Cscript%3E&amp;q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&amp;clutter=%3Cscript%3Ealert(1)%3C/script%3E&amp;q=%3Csvg%3E%3Cscript%3E&amp;q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-inside-svg-tag3.html&amp;clutter=%3Cscript%3Ealert(1)%3C/script%3E&amp;q=%3Csvg%3E%3Cscript%3E&amp;q2=alert(0)%3C/script%3E%3C/svg%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">  Ensures HTML entities are recognized in script blocks in a context where CDATA is allowed even with nested script blocks.
</span></span></pre></div>
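Review bot: script-tag-inside-svg-tag3-expected.txt expects the same console message twice, and the two replacement lines are identical to each other, so the expectation cannot tell which reflected script each refusal refers to (the request carries one script in clutter= and another split across q= and q2=). Please confirm that two refusals is still the intended count after this change and not a carry-over from the old expectation. The description line only mentions nested script blocks, so a short comment in the test page saying why two reports are expected would make a later change in the count easier to judge.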
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagnearstartexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&amp;script-expression-follows=1&amp;q=%3Cscript%3E%22%3Cscript%3E%22-alert(/XSS/)' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&amp;script-expression-follows=1&amp;q=%3Cscript%3E%22%3Cscript%3E%22-alert(/XSS/)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-null-char.html&amp;q=%3Cscript%3Eal%00ert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-null-char.html&amp;q=%3Cscript%3Eal%00ert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagpostcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-control-char.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-control-char.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagpostexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagpostnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-null-char.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-post-null-char.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicodesurrogatepairexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html&amp;q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html&amp;q=%3Cscript%3Ealert(/XS%uD834%uDD1E/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(/XS%u002525u0053/)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%25u0061%25u006c%25u0065%25u0072%25u0074%25u0028%25u002f%25u0058%25u0053%25u0053%25u2620%25u002f%25u0029%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode4expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode5expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode5.html&amp;q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode5.html&amp;q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithactualcommaexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-actual-comma-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-actual-comma.html&amp;q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-actual-comma.html&amp;q=%3Cscript%3E/**/0,0/*,*/-alert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> Test that the XSSAuditor's tolerance for the IIS webserver's comma concatenation doesn't open holes when the reflected argument contains an actual comma. The test passes if the XSSAuditor logs console messages and no alerts fire.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcallbacksexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-callbacks-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
</span><span class="cx"> main frame - didFinishDocumentLoadForFrame
</span><span class="cx"> frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-callbacks.html&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-callbacks.html&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> didDetectXSS
</span><span class="cx"> frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
</span><span class="cx"> frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcomma01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-01.html&amp;clutter=,&amp;q=%3Cscript%20x='1&amp;%3E&amp;q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-01.html&amp;clutter=,&amp;q=%3Cscript%20x='1&amp;%3E&amp;q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&amp;a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
</span></span></pre></div>
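Review bot: The unchanged description line directly below the rewritten console message still reads "resovles multiply occuring query parameters" and "its as if"; since this expectation is being rebaselined anyway, fix the wording in the test's description ("resolves", "occurring", "it's") and regenerate the expected output in the same change. The identical sentence appears as context in script-tag-with-comma-02-expected.txt and should be corrected together with this one.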
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcomma02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-02.html&amp;clutter=,&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58&amp;q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-02.html&amp;clutter=,&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58&amp;q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&amp;a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithfancyunicodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-fancy-unicode.html&amp;q=%3Cscript%3E%u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-fancy-unicode.html&amp;q=%3Cscript%3E%u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithinjectedcommentexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&amp;q=%3Cscript%3E/*%3C!CDATA[*/alert(/XSS/)&amp;q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&amp;q=%3Cscript%3E/*%3C!CDATA[*/alert(/XSS/)&amp;q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithinvalidclosingtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-closing-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-closing-tag.html&amp;clutter=%20%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-closing-tag.html&amp;clutter=%20%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithinvalidurlencodingexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-invalid-url-encoding-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-url-encoding.html&amp;q=%3Cscript%3Ealert(1%1)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-invalid-url-encoding.html&amp;q=%3Cscript%3Ealert(1%1)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcecontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-control-char.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-control-char.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url.html&amp;q=%3Cscript%20src=%22data:,alert(1)%22' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url.html&amp;q=%3Cscript%20src=%22data:,alert(1)%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url2.html&amp;clutter=%3Cb%3E***%3C/b%3E&amp;q=%3Cscript%20src=%22data:,alert(1)//&amp;q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url2.html&amp;clutter=%3Cb%3E***%3C/b%3E&amp;q=%3Cscript%20src=%22data:,alert(1)//&amp;q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url3-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url3.html&amp;clutter=%3Cb%3E***%3C/b%3E&amp;q=%3Cscript%20src=%22data:,alert(1)%3C!----&amp;q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-data-url3.html&amp;clutter=%3Cb%3E***%3C/b%3E&amp;q=%3Cscript%20src=%22data:,alert(1)%3C!----&amp;q2=%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcedoublequoteexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-double-quote.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-double-quote.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%22%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-entities.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-entities.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcenoquoteexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-no-quote.html&amp;q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-no-quote.html&amp;q=%3Cscript%20src=http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcenullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-null-char.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-null-char.html&amp;q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcerelativeschemeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-relative-scheme-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-relative-scheme.html&amp;q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-relative-scheme.html&amp;q=%3Cscript+src%3D//127.0.0.1%3A8000/security/xssAuditor/resources/xss.js%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcesamehostwithqueryexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-same-host-with-query.html&amp;q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-same-host-with-query.html&amp;q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceunterminated01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-01-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-01.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&amp;q2=%22%3E%3C/script%3E&amp;clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-01.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?&amp;q2=%22%3E%3C/script%3E&amp;clutter=blah' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceunterminated02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-02-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-02.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&amp;q2=%22%3E%3C/script%3E&amp;clutter=blah' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-02.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%23&amp;q2=%22%3E%3C/script%3E&amp;clutter=blah' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceunterminated03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-unterminated-03-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-03.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&amp;q2=%22%3E%3C/script%3E&amp;clutter=xss.js?' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-unterminated-03.html&amp;q=%3Cscript%20src=%22http://127.0.0.1:8000/security/xssAuditor/resources/&amp;q2=%22%3E%3C/script%3E&amp;clutter=xss.js?' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwiththreetimesurlencoded16bitunicodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html&amp;q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html&amp;q=%3Cscript%3E%252525u0061lert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcommentU2028expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment-U2028.html&amp;q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment-U2028.html&amp;q=%3Cscript%3E//%e2%80%a8alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcommentexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment.html&amp;clutter=%20%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3E/*&amp;q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment.html&amp;clutter=%20%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3E/*&amp;q2=*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment2-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment2.html&amp;clutter=%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3E//&amp;q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment2.html&amp;clutter=%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3E//&amp;q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment3-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment3.html&amp;clutter=%20%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3E%20%0a%3C!--&amp;q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment3.html&amp;clutter=%20%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3E%20%0a%3C!--&amp;q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))//--%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment4expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment4.html&amp;q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment4.html&amp;q=%3Cscript%3E/*///*/alert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingcomment5expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment5-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment5.html&amp;clutter=%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&amp;q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-trailing-comment5.html&amp;clutter=%3Ci%3E%3Cb%3E&amp;q=%3Cscript%3Ex=1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1*1//&amp;q2=%0aalert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
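Review bot: On a line this long (the q= payload repeats 1* dozens of times) the only intended difference between the - and + lines is the final sentence, and that is hard to confirm by eye. Please confirm with a word-level diff that the URL and the 'refused to execute a script' verdict are byte-identical, and that the baseline was regenerated by running the test rather than by search and replace, so a changed verdict would have surfaced.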
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithtrailingscriptandurlencodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/xss/)-1%2502%3Cscript%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(/xss/)-1%2502%3Cscript%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorsvganimateexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-animate.html&amp;q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&amp;notifyDone=1&amp;dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-animate.html&amp;q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&amp;notifyDone=1&amp;dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorsvgscripttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-script-tag.html&amp;q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-script-tag.html&amp;q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypassbig5expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-big5.html&amp;q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&amp;charset=big5&amp;notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-big5.html&amp;q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&amp;charset=big5&amp;notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypasslongstringexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-long-string-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 79: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/xss-filter-bypass-long-string-reply.html' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypasssjisexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-sjis.html&amp;q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&amp;charset=shift_jis&amp;notifyDone=1' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-sjis.html&amp;q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&amp;charset=shift_jis&amp;notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/ChangeLog        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -1,3 +1,52 @@
</span><ins>+2016-04-13  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Remove experimental directive reflected-xss
+        https://bugs.webkit.org/show_bug.cgi?id=156554
+
+        Reviewed by Brent Fulgham.
+
+        The Content Security Policy directive reflected-xss was removed from the Content Security
+        Policy Level 2 spec., &lt;https://w3c.github.io/webappsec-csp/2/&gt; (Editor's Draft, 29 August 2015).
+        This directive was considered experimental and was guarded by a run-time flag that was never
+        enabled by default. We should remove support for this directive.
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::XSSAuditor): Initialize m_xssProtection to XSSProtectionDisposition::Enabled.
+        (WebCore::XSSAuditor::init): Write logic in terms of enum class XSSProtectionDisposition.
+        (WebCore::XSSAuditor::filterToken): Ditto.
+        (WebCore::combineXSSProtectionHeaderAndCSP): Deleted.
+        * html/parser/XSSAuditor.h: Change data type of m_xssProtection from ContentSecurityPolicy::ReflectedXSSDisposition
+        to XSSProtectionDisposition.
+        * html/parser/XSSAuditorDelegate.cpp: Ditto.
+        (WebCore::buildConsoleError): Remove logic to emit a remarks in the console error when a XSS is
+        blocked because of the directive reflected-xss. Also substituted &quot;because&quot; for &quot;as&quot; in the remark
+        added to the error message when the XSS Auditor is enabled because the server did not send HTTP
+        header X-XSS-Protection.
+        * html/parser/XSSAuditorDelegate.h:
+        (WebCore::XSSInfo::XSSInfo): Removed argument didSendCSPHeader as we are removing support for the
+        directive reflected-xss.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reflectedXSSDisposition): Deleted.
+        (WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS): Deleted.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Remove initialization
+        of m_reflectedXSSDisposition as we are removing support for the directive reflected-xss.
+        (WebCore::ContentSecurityPolicyDirectiveList::parseReflectedXSS): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Remove logic to parse directive reflected-xss.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        (WebCore::ContentSecurityPolicyDirectiveList::reflectedXSSDisposition): Deleted.
+        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
+        * page/csp/ContentSecurityPolicyDirectiveNames.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::isCSPDirectiveName):
+        (WebCore::isExperimentalDirectiveName): Deleted.
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::parseXSSProtectionHeader): Write it terms of enum class XSSProtectionDisposition.
+        * platform/network/HTTPParsers.h: Define enum class XSSProtectionDisposition. Change return type
+        of parseXSSProtectionHeader() from ContentSecurityPolicy::ReflectedXSSDisposition to XSSProtectionDisposition
+        as we are removing the former.
+
</ins><span class="cx"> 2016-04-13  Brady Eidson  &lt;beidson@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Modern IDB (Blob support): Support retrieving Blobs from IDB.
</span></span></pre></div>
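Review bot: Three wording slips in the new ChangeLog entry should be fixed before landing: the buildConsoleError line reads "emit a remarks in the console error when a XSS is blocked" (should be "emit a remark" and "an XSS"), and the parseXSSProtectionHeader line reads "Write it terms of enum class XSSProtectionDisposition" (should be "Write in terms of").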
<a id="trunkSourceWebCorehtmlparserXSSAuditorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;XSSAuditor.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;ContentSecurityPolicy.h&quot;
</del><span class="cx"> #include &quot;DecodeEscapeSequences.h&quot;
</span><span class="cx"> #include &quot;Document.h&quot;
</span><span class="cx"> #include &quot;DocumentLoader.h&quot;
</span><span class="lines">@@ -226,16 +225,6 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static ContentSecurityPolicy::ReflectedXSSDisposition combineXSSProtectionHeaderAndCSP(ContentSecurityPolicy::ReflectedXSSDisposition xssProtection, ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSS)
-{
-    ContentSecurityPolicy::ReflectedXSSDisposition result = std::max(xssProtection, reflectedXSS);
-
-    if (result == ContentSecurityPolicy::ReflectedXSSInvalid || result == ContentSecurityPolicy::FilterReflectedXSS || result == ContentSecurityPolicy::ReflectedXSSUnset)
-        return ContentSecurityPolicy::FilterReflectedXSS;
-
-    return result;
-}
-
</del><span class="cx"> static bool isSemicolonSeparatedAttribute(const HTMLToken::Attribute&amp; attribute)
</span><span class="cx"> {
</span><span class="cx">     return threadSafeMatch(attribute.name, SVGNames::valuesAttr);
</span><span class="lines">@@ -254,8 +243,7 @@
</span><span class="cx"> 
</span><span class="cx"> XSSAuditor::XSSAuditor()
</span><span class="cx">     : m_isEnabled(false)
</span><del>-    , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS)
-    , m_didSendValidCSPHeader(false)
</del><ins>+    , m_xssProtection(XSSProtectionDisposition::Enabled)
</ins><span class="cx">     , m_didSendValidXSSProtectionHeader(false)
</span><span class="cx">     , m_state(Uninitialized)
</span><span class="cx">     , m_scriptTagNestingLevel(0)
</span><span class="lines">@@ -325,30 +313,27 @@
</span><span class="cx">         String headerValue = documentLoader-&gt;response().httpHeaderField(XSSProtectionHeader);
</span><span class="cx">         String errorDetails;
</span><span class="cx">         unsigned errorPosition = 0;
</span><del>-        String reportURL;
-        URL xssProtectionReportURL;
</del><ins>+        String parsedReportURL;
+        URL reportURL;
+        m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, parsedReportURL);
+        m_didSendValidXSSProtectionHeader = !headerValue.isNull() &amp;&amp; m_xssProtection != XSSProtectionDisposition::Invalid;
</ins><span class="cx"> 
</span><del>-        // Process the X-XSS-Protection header, then mix in the CSP header's value.
-        ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
-        m_didSendValidXSSProtectionHeader = xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSUnset &amp;&amp; xssProtectionHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
-        if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) &amp;&amp; !reportURL.isEmpty()) {
-            xssProtectionReportURL = document-&gt;completeURL(reportURL);
-            if (MixedContentChecker::isMixedContent(document-&gt;securityOrigin(), xssProtectionReportURL)) {
</del><ins>+        if ((m_xssProtection == XSSProtectionDisposition::Enabled || m_xssProtection == XSSProtectionDisposition::BlockEnabled) &amp;&amp; !parsedReportURL.isEmpty()) {
+            reportURL = document-&gt;completeURL(parsedReportURL);
+            if (MixedContentChecker::isMixedContent(document-&gt;securityOrigin(), reportURL)) {
</ins><span class="cx">                 errorDetails = &quot;insecure reporting URL for secure page&quot;;
</span><del>-                xssProtectionHeader = ContentSecurityPolicy::ReflectedXSSInvalid;
-                xssProtectionReportURL = URL();
</del><ins>+                m_xssProtection = XSSProtectionDisposition::Invalid;
+                reportURL = URL();
+                m_didSendValidXSSProtectionHeader = false;
</ins><span class="cx">             }
</span><span class="cx">         }
</span><del>-        if (xssProtectionHeader == ContentSecurityPolicy::ReflectedXSSInvalid)
</del><ins>+        if (m_xssProtection == XSSProtectionDisposition::Invalid) {
</ins><span class="cx">             document-&gt;addConsoleMessage(MessageSource::Security, MessageLevel::Error, &quot;Error parsing header X-XSS-Protection: &quot; + headerValue + &quot;: &quot;  + errorDetails + &quot; at character position &quot; + String::format(&quot;%u&quot;, errorPosition) + &quot;. The default protections will be applied.&quot;);
</span><ins>+            m_xssProtection = XSSProtectionDisposition::Enabled;
+        }
</ins><span class="cx"> 
</span><del>-        ContentSecurityPolicy::ReflectedXSSDisposition cspHeader = document-&gt;contentSecurityPolicy()-&gt;reflectedXSSDisposition();
-        m_didSendValidCSPHeader = cspHeader != ContentSecurityPolicy::ReflectedXSSUnset &amp;&amp; cspHeader != ContentSecurityPolicy::ReflectedXSSInvalid;
-
-        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader);
-        // FIXME: Combine the two report URLs in some reasonable way.
</del><span class="cx">         if (auditorDelegate)
</span><del>-            auditorDelegate-&gt;setReportURL(xssProtectionReportURL.isolatedCopy());
</del><ins>+            auditorDelegate-&gt;setReportURL(reportURL.isolatedCopy());
</ins><span class="cx">         FormData* httpBody = documentLoader-&gt;originalRequest().httpBody();
</span><span class="cx">         if (httpBody &amp;&amp; !httpBody-&gt;isEmpty()) {
</span><span class="cx">             httpBodyAsString = httpBody-&gt;flattenToString();
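Review bot: The added "m_didSendValidXSSProtectionHeader = false;" in the mixed-content branch is a behavior change, not only a rewrite in terms of the new enum. In the removed code the flag was computed before the mixed-content check and never reset, so a header with an insecure report URL still counted as sent; it now counts as not sent, and the console remark will switch to the "did not send" wording. Please mention this in the ChangeLog entry for XSSAuditor::init and cover it with a test. Separately, absence of the header is now inferred from headerValue.isNull() instead of an Unset enum value, so a short comment on that assignment would help the next reader.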
</span><span class="lines">@@ -371,7 +356,7 @@
</span><span class="cx"> std::unique_ptr&lt;XSSInfo&gt; XSSAuditor::filterToken(const FilterTokenRequest&amp; request)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(m_state == Initialized);
</span><del>-    if (!m_isEnabled || m_xssProtection == ContentSecurityPolicy::AllowReflectedXSS)
</del><ins>+    if (!m_isEnabled || m_xssProtection == XSSProtectionDisposition::Disabled)
</ins><span class="cx">         return nullptr;
</span><span class="cx"> 
</span><span class="cx">     bool didBlockScript = false;
</span><span class="lines">@@ -387,8 +372,8 @@
</span><span class="cx">     if (!didBlockScript)
</span><span class="cx">         return nullptr;
</span><span class="cx"> 
</span><del>-    bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
-    return std::make_unique&lt;XSSInfo&gt;(m_documentURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader, m_didSendValidCSPHeader);
</del><ins>+    bool didBlockEntirePage = m_xssProtection == XSSProtectionDisposition::BlockEnabled;
+    return std::make_unique&lt;XSSInfo&gt;(m_documentURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool XSSAuditor::filterStartToken(const FilterTokenRequest&amp; request)
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserXSSAuditorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditor.h (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/XSSAuditor.h        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.h        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -106,8 +106,7 @@
</span><span class="cx">     URL m_documentURL;
</span><span class="cx">     bool m_isEnabled;
</span><span class="cx"> 
</span><del>-    ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
-    bool m_didSendValidCSPHeader;
</del><ins>+    XSSProtectionDisposition m_xssProtection;
</ins><span class="cx">     bool m_didSendValidXSSProtectionHeader;
</span><span class="cx"> 
</span><span class="cx">     String m_decodedURL;
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserXSSAuditorDelegatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -61,12 +61,10 @@
</span><span class="cx">     message.append(xssInfo.m_didBlockEntirePage ? &quot;the source code of a script&quot; : &quot;its source code&quot;);
</span><span class="cx">     message.appendLiteral(&quot; was found within the request.&quot;);
</span><span class="cx"> 
</span><del>-    if (xssInfo.m_didSendCSPHeader)
-        message.appendLiteral(&quot; The server sent a 'Content-Security-Policy' header requesting this behavior.&quot;);
-    else if (xssInfo.m_didSendXSSProtectionHeader)
</del><ins>+    if (xssInfo.m_didSendXSSProtectionHeader)
</ins><span class="cx">         message.appendLiteral(&quot; The server sent an 'X-XSS-Protection' header requesting this behavior.&quot;);
</span><span class="cx">     else
</span><del>-        message.appendLiteral(&quot; The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.&quot;);
</del><ins>+        message.appendLiteral(&quot; The auditor was enabled because the server did not send an 'X-XSS-Protection' header.&quot;);
</ins><span class="cx"> 
</span><span class="cx">     return message.toString();
</span><span class="cx"> }
</span></span></pre></div>
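Review bot: The else branch in buildConsoleError is also reached when the server did send X-XSS-Protection but the value was rejected, because XSSAuditor::filterToken passes m_didSendValidXSSProtectionHeader and that flag is false for an Invalid disposition. In that case the new text "the server did not send an 'X-XSS-Protection' header" is inaccurate. Consider wording such as "did not send a valid 'X-XSS-Protection' header", or pass a separate flag so the invalid-header case gets its own remark.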
<a id="trunkSourceWebCorehtmlparserXSSAuditorDelegateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -38,18 +38,16 @@
</span><span class="cx"> 
</span><span class="cx"> class XSSInfo {
</span><span class="cx"> public:
</span><del>-    XSSInfo(const String&amp; originalURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader, bool didSendCSPHeader)
</del><ins>+    XSSInfo(const String&amp; originalURL, bool didBlockEntirePage, bool didSendXSSProtectionHeader)
</ins><span class="cx">         : m_originalURL(originalURL.isolatedCopy())
</span><span class="cx">         , m_didBlockEntirePage(didBlockEntirePage)
</span><span class="cx">         , m_didSendXSSProtectionHeader(didSendXSSProtectionHeader)
</span><del>-        , m_didSendCSPHeader(didSendCSPHeader)
</del><span class="cx">     {
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     String m_originalURL;
</span><span class="cx">     bool m_didBlockEntirePage;
</span><span class="cx">     bool m_didSendXSSProtectionHeader;
</span><del>-    bool m_didSendCSPHeader;
</del><span class="cx">     TextPosition m_textPosition;
</span><span class="cx"> };
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -523,16 +523,6 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ContentSecurityPolicy::ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const
-{
-    ReflectedXSSDisposition disposition = ReflectedXSSUnset;
-    for (auto&amp; policy : m_policies) {
-        if (policy-&gt;reflectedXSSDisposition() &gt; disposition)
-            disposition = std::max(disposition, policy-&gt;reflectedXSSDisposition());
-    }
-    return disposition;
-}
-
</del><span class="cx"> static String stripURLForUseInReport(Document&amp; document, const URL&amp; url)
</span><span class="cx"> {
</span><span class="cx">     if (!url.isValid())
</span><span class="lines">@@ -677,11 +667,6 @@
</span><span class="cx">     logToConsole(&quot;Error while parsing the 'sandbox' Content Security Policy directive: &quot; + invalidFlags);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void ContentSecurityPolicy::reportInvalidReflectedXSS(const String&amp; invalidValue) const
-{
-    logToConsole(&quot;The 'reflected-xss' Content Security Policy directive has the invalid value \&quot;&quot; + invalidValue + &quot;\&quot;. Value values are \&quot;allow\&quot;, \&quot;filter\&quot;, and \&quot;block\&quot;.&quot;);
-}
-
</del><span class="cx"> void ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode(const String&amp; directiveName) const
</span><span class="cx"> {
</span><span class="cx">     logToConsole(&quot;The Content Security Policy directive '&quot; + directiveName + &quot;' is ignored when delivered in a report-only policy.&quot;);
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -65,16 +65,6 @@
</span><span class="cx"> 
</span><span class="cx">     void didCreateWindowShell(JSDOMWindowShell&amp;) const;
</span><span class="cx"> 
</span><del>-    // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
-    enum ReflectedXSSDisposition {
-        ReflectedXSSUnset = 0,
-        AllowReflectedXSS,
-        ReflectedXSSInvalid,
-        FilterReflectedXSS,
-        BlockReflectedXSS
-    };
-    ReflectedXSSDisposition reflectedXSSDisposition() const;
-
</del><span class="cx">     enum class PolicyFrom {
</span><span class="cx">         HTTPEquivMeta,
</span><span class="cx">         HTTPHeader,
</span><span class="lines">@@ -130,7 +120,6 @@
</span><span class="cx">     void reportDuplicateDirective(const String&amp;) const;
</span><span class="cx">     void reportInvalidDirectiveValueCharacter(const String&amp; directiveName, const String&amp; value) const;
</span><span class="cx">     void reportInvalidSandboxFlags(const String&amp;) const;
</span><del>-    void reportInvalidReflectedXSS(const String&amp;) const;
</del><span class="cx">     void reportInvalidDirectiveInReportOnlyMode(const String&amp;) const;
</span><span class="cx">     void reportInvalidDirectiveInHTTPEquivMeta(const String&amp;) const;
</span><span class="cx">     void reportMissingReportURI(const String&amp;) const;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -101,7 +101,6 @@
</span><span class="cx">     , m_headerType(type)
</span><span class="cx">     , m_reportOnly(false)
</span><span class="cx">     , m_haveSandboxPolicy(false)
</span><del>-    , m_reflectedXSSDisposition(ContentSecurityPolicy::ReflectedXSSUnset)
</del><span class="cx"> {
</span><span class="cx">     m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
</span><span class="cx"> }
</span><span class="lines">@@ -435,52 +434,6 @@
</span><span class="cx">         m_policy.reportInvalidSandboxFlags(invalidTokens);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void ContentSecurityPolicyDirectiveList::parseReflectedXSS(const String&amp; name, const String&amp; value)
-{
-    if (m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) {
-        m_policy.reportDuplicateDirective(name);
-        m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-        return;
-    }
-
-    if (value.isEmpty()) {
-        m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-        m_policy.reportInvalidReflectedXSS(value);
-        return;
-    }
-
-    auto characters = StringView(value).upconvertedCharacters();
-    const UChar* position = characters;
-    const UChar* end = position + value.length();
-
-    skipWhile&lt;UChar, isASCIISpace&gt;(position, end);
-    const UChar* begin = position;
-    skipWhile&lt;UChar, isNotASCIISpace&gt;(position, end);
-
-    // value1
-    //       ^
-    if (equalLettersIgnoringASCIICase(begin, position - begin, &quot;allow&quot;))
-        m_reflectedXSSDisposition = ContentSecurityPolicy::AllowReflectedXSS;
-    else if (equalLettersIgnoringASCIICase(begin, position - begin, &quot;filter&quot;))
-        m_reflectedXSSDisposition = ContentSecurityPolicy::FilterReflectedXSS;
-    else if (equalLettersIgnoringASCIICase(begin, position - begin, &quot;block&quot;))
-        m_reflectedXSSDisposition = ContentSecurityPolicy::BlockReflectedXSS;
-    else {
-        m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-        m_policy.reportInvalidReflectedXSS(value);
-        return;
-    }
-
-    skipWhile&lt;UChar, isASCIISpace&gt;(position, end);
-    if (position == end &amp;&amp; m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset)
-        return;
-
-    // value1 value2
-    //        ^
-    m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-    m_policy.reportInvalidReflectedXSS(value);
-}
-
</del><span class="cx"> void ContentSecurityPolicyDirectiveList::addDirective(const String&amp; name, const String&amp; value)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!name.isEmpty());
</span><span class="lines">@@ -527,14 +480,6 @@
</span><span class="cx">         applySandboxPolicy(name, value);
</span><span class="cx">     else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI))
</span><span class="cx">         parseReportURI(name, value);
</span><del>-#if ENABLE(CSP_NEXT)
-    else if (m_policy.experimentalFeaturesEnabled()) {
-        if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reflectedXSS))
-            parseReflectedXSS(name, value);
-        else
-            m_policy.reportUnsupportedDirective(name);
-    }
-#endif
</del><span class="cx">     else
</span><span class="cx">         m_policy.reportUnsupportedDirective(name);
</span><span class="cx"> }
</span></span></pre></div>
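Review bot: In addDirective, once the ENABLE(CSP_NEXT) branch is gone a policy that still sends reflected-xss always falls into the final else and is reported through m_policy.reportUnsupportedDirective(name). Please add or update a test that expects the unsupported-directive report for reflected-xss, so a site still sending the directive gets a visible signal that it is ignored and the behaviour cannot regress silently.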
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -73,7 +73,6 @@
</span><span class="cx">     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
</span><span class="cx"> 
</span><span class="cx">     const String&amp; evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
</span><del>-    ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
</del><span class="cx">     bool isReportOnly() const { return m_reportOnly; }
</span><span class="cx">     const Vector&lt;String&gt;&amp; reportURIs() const { return m_reportURIs; }
</span><span class="cx"> 
</span><span class="lines">@@ -86,7 +85,6 @@
</span><span class="cx">     bool parseDirective(const UChar* begin, const UChar* end, String&amp; name, String&amp; value);
</span><span class="cx">     void parseReportURI(const String&amp; name, const String&amp; value);
</span><span class="cx">     void parsePluginTypes(const String&amp; name, const String&amp; value);
</span><del>-    void parseReflectedXSS(const String&amp; name, const String&amp; value);
</del><span class="cx">     void addDirective(const String&amp; name, const String&amp; value);
</span><span class="cx">     void applySandboxPolicy(const String&amp; name, const String&amp; sandboxPolicy);
</span><span class="cx"> 
</span><span class="lines">@@ -105,7 +103,6 @@
</span><span class="cx"> 
</span><span class="cx">     bool m_reportOnly;
</span><span class="cx">     bool m_haveSandboxPolicy;
</span><del>-    ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition;
</del><span class="cx"> 
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicyMediaListDirective&gt; m_pluginTypes;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_baseURI;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -46,10 +46,6 @@
</span><span class="cx"> const char* const sandbox = &quot;sandbox&quot;;
</span><span class="cx"> const char* const scriptSrc = &quot;script-src&quot;;
</span><span class="cx"> const char* const styleSrc = &quot;style-src&quot;;
</span><del>-
-#if ENABLE(CSP_NEXT)
-const char* const reflectedXSS = &quot;reflected-xss&quot;;
-#endif
</del><span class="cx">     
</span><span class="cx"> } // namespace ContentSecurityPolicyDirectiveNames
</span><span class="cx"> 
</span></span></pre></div>
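Review bot: Style nit at the end of the namespace: the hunk deletes the empty line after styleSrc but keeps the context line that consists only of four spaces, directly before the closing brace of namespace ContentSecurityPolicyDirectiveNames. Since this block is being touched anyway, strip that trailing whitespace so the file does not keep a whitespace-only line.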
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -46,10 +46,6 @@
</span><span class="cx"> extern const char* const scriptSrc;
</span><span class="cx"> extern const char* const styleSrc;
</span><span class="cx"> 
</span><del>-#if ENABLE(CSP_NEXT)
-extern const char* const reflectedXSS;
-#endif
-
</del><span class="cx"> } // namespace ContentSecurityPolicyDirectiveNames
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -38,16 +38,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><del>-static inline bool isExperimentalDirectiveName(const String&amp; name)
-{
-#if ENABLE(CSP_NEXT)
-    return equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reflectedXSS);
-#else
-    UNUSED_PARAM(name);
-    return false;
-#endif
-}
-
</del><span class="cx"> static bool isCSPDirectiveName(const String&amp; name)
</span><span class="cx"> {
</span><span class="cx">     return equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::baseURI)
</span><span class="lines">@@ -63,8 +53,7 @@
</span><span class="cx">         || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI)
</span><span class="cx">         || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::sandbox)
</span><span class="cx">         || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::scriptSrc)
</span><del>-        || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::styleSrc)
-        || isExperimentalDirectiveName(name);
</del><ins>+        || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::styleSrc);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static bool isSourceCharacter(UChar c)
</span></span></pre></div>
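Review bot: isCSPDirectiveName keeps its own hand-written chain of equalIgnoringASCIICase comparisons, separate from the if/else chain in ContentSecurityPolicyDirectiveList::addDirective, so dropping reflected-xss had to be done in both files. Consider a follow-up that derives both checks from one list of directive names, so a directive cannot be handled by one and unknown to the other.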
<a id="trunkSourceWebCoreplatformnetworkHTTPParserscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/HTTPParsers.cpp (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/HTTPParsers.cpp        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.cpp        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -33,7 +33,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;HTTPParsers.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;ContentSecurityPolicy.h&quot;
</del><span class="cx"> #include &lt;wtf/DateMath.h&gt;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><span class="cx"> #include &lt;wtf/text/CString.h&gt;
</span><span class="lines">@@ -364,7 +363,7 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String&amp; header, String&amp; failureReason, unsigned&amp; failurePosition, String&amp; reportURL)
</del><ins>+XSSProtectionDisposition parseXSSProtectionHeader(const String&amp; header, String&amp; failureReason, unsigned&amp; failurePosition, String&amp; reportURL)
</ins><span class="cx"> {
</span><span class="cx">     static NeverDestroyed&lt;String&gt; failureReasonInvalidToggle(ASCIILiteral(&quot;expected 0 or 1&quot;));
</span><span class="cx">     static NeverDestroyed&lt;String&gt; failureReasonInvalidSeparator(ASCIILiteral(&quot;expected semicolon&quot;));
</span><span class="lines">@@ -378,17 +377,17 @@
</span><span class="cx">     unsigned pos = 0;
</span><span class="cx"> 
</span><span class="cx">     if (!skipWhiteSpace(header, pos, false))
</span><del>-        return ContentSecurityPolicy::ReflectedXSSUnset;
</del><ins>+        return XSSProtectionDisposition::Enabled;
</ins><span class="cx"> 
</span><span class="cx">     if (header[pos] == '0')
</span><del>-        return ContentSecurityPolicy::AllowReflectedXSS;
</del><ins>+        return XSSProtectionDisposition::Disabled;
</ins><span class="cx"> 
</span><span class="cx">     if (header[pos++] != '1') {
</span><span class="cx">         failureReason = failureReasonInvalidToggle;
</span><del>-        return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+        return XSSProtectionDisposition::Invalid;
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    ContentSecurityPolicy::ReflectedXSSDisposition result = ContentSecurityPolicy::FilterReflectedXSS;
</del><ins>+    XSSProtectionDisposition result = XSSProtectionDisposition::Enabled;
</ins><span class="cx">     bool modeDirectiveSeen = false;
</span><span class="cx">     bool reportDirectiveSeen = false;
</span><span class="cx"> 
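Review bot: The early return taken when skipWhiteSpace(header, pos, false) fails changes from ContentSecurityPolicy::ReflectedXSSUnset to XSSProtectionDisposition::Enabled, and the new enum has no unset value, so callers can no longer tell that case apart from an explicit 1. Defaulting to Enabled is the safe direction, but please put a short comment on that return saying the default is intentional and confirm no caller branched on ReflectedXSSUnset. Separately, the header[pos] == '0' check returns Disabled without looking at anything that follows the 0; if that leniency is intended, a comment there would help.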
</span><span class="lines">@@ -400,7 +399,7 @@
</span><span class="cx">         if (header[pos++] != ';') {
</span><span class="cx">             failureReason = failureReasonInvalidSeparator;
</span><span class="cx">             failurePosition = pos;
</span><del>-            return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+            return XSSProtectionDisposition::Invalid;
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (!skipWhiteSpace(header, pos, false))
</span><span class="lines">@@ -411,44 +410,44 @@
</span><span class="cx">             if (modeDirectiveSeen) {
</span><span class="cx">                 failureReason = failureReasonDuplicateMode;
</span><span class="cx">                 failurePosition = pos;
</span><del>-                return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+                return XSSProtectionDisposition::Invalid;
</ins><span class="cx">             }
</span><span class="cx">             modeDirectiveSeen = true;
</span><span class="cx">             if (!skipEquals(header, pos)) {
</span><span class="cx">                 failureReason = failureReasonInvalidEquals;
</span><span class="cx">                 failurePosition = pos;
</span><del>-                return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+                return XSSProtectionDisposition::Invalid;
</ins><span class="cx">             }
</span><span class="cx">             if (!skipToken(header, pos, &quot;block&quot;)) {
</span><span class="cx">                 failureReason = failureReasonInvalidMode;
</span><span class="cx">                 failurePosition = pos;
</span><del>-                return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+                return XSSProtectionDisposition::Invalid;
</ins><span class="cx">             }
</span><del>-            result = ContentSecurityPolicy::BlockReflectedXSS;
</del><ins>+            result = XSSProtectionDisposition::BlockEnabled;
</ins><span class="cx">         } else if (skipToken(header, pos, &quot;report&quot;)) {
</span><span class="cx">             if (reportDirectiveSeen) {
</span><span class="cx">                 failureReason = failureReasonDuplicateReport;
</span><span class="cx">                 failurePosition = pos;
</span><del>-                return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+                return XSSProtectionDisposition::Invalid;
</ins><span class="cx">             }
</span><span class="cx">             reportDirectiveSeen = true;
</span><span class="cx">             if (!skipEquals(header, pos)) {
</span><span class="cx">                 failureReason = failureReasonInvalidEquals;
</span><span class="cx">                 failurePosition = pos;
</span><del>-                return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+                return XSSProtectionDisposition::Invalid;
</ins><span class="cx">             }
</span><span class="cx">             size_t startPos = pos;
</span><span class="cx">             if (!skipValue(header, pos)) {
</span><span class="cx">                 failureReason = failureReasonInvalidReport;
</span><span class="cx">                 failurePosition = pos;
</span><del>-                return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+                return XSSProtectionDisposition::Invalid;
</ins><span class="cx">             }
</span><span class="cx">             reportURL = header.substring(startPos, pos - startPos);
</span><span class="cx">             failurePosition = startPos; // If later semantic check deems unacceptable.
</span><span class="cx">         } else {
</span><span class="cx">             failureReason = failureReasonInvalidDirective;
</span><span class="cx">             failurePosition = pos;
</span><del>-            return ContentSecurityPolicy::ReflectedXSSInvalid;
</del><ins>+            return XSSProtectionDisposition::Invalid;
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> }
</span></span></pre></div>
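Review bot: In the report branch, reportURL is assigned from header.substring(startPos, pos - startPos) as soon as the value parses, but a later directive in the same header can still take one of the return XSSProtectionDisposition::Invalid paths, which leaves the out-parameter populated on an invalid result. Either clear reportURL on the Invalid returns or document on the declaration that reportURL is only meaningful when the result is not Invalid, so a caller does not send reports to a URL taken from a header it rejected.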
<a id="trunkSourceWebCoreplatformnetworkHTTPParsersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/HTTPParsers.h (199524 => 199525)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/HTTPParsers.h        2016-04-14 00:54:10 UTC (rev 199524)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.h        2016-04-14 02:29:55 UTC (rev 199525)
</span><span class="lines">@@ -31,13 +31,20 @@
</span><span class="cx"> #ifndef HTTPParsers_h
</span><span class="cx"> #define HTTPParsers_h
</span><span class="cx"> 
</span><del>-#include &quot;ContentSecurityPolicy.h&quot;
</del><span class="cx"> #include &lt;wtf/Forward.h&gt;
</span><span class="cx"> #include &lt;wtf/Optional.h&gt;
</span><span class="cx"> #include &lt;wtf/Vector.h&gt;
</span><ins>+#include &lt;wtf/text/WTFString.h&gt;
</ins><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><ins>+enum class XSSProtectionDisposition {
+    Invalid,
+    Disabled,
+    Enabled,
+    BlockEnabled,
+};
+
</ins><span class="cx"> enum ContentDispositionType {
</span><span class="cx">     ContentDispositionNone,
</span><span class="cx">     ContentDispositionInline,
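Review bot: The new XSSProtectionDisposition enum is added without a comment on any enumerator. The names alone do not say that Enabled means filter mode or that BlockEnabled corresponds to mode=block, and Invalid being the first (zero) value is worth a word as well; a one-line comment per enumerator would save readers a trip to parseXSSProtectionHeader.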
</span><span class="lines">@@ -70,7 +77,7 @@
</span><span class="cx"> String extractMIMETypeFromMediaType(const String&amp;);
</span><span class="cx"> String extractCharsetFromMediaType(const String&amp;); 
</span><span class="cx"> void findCharsetInMediaType(const String&amp; mediaType, unsigned int&amp; charsetPos, unsigned int&amp; charsetLen, unsigned int start = 0);
</span><del>-ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String&amp; header, String&amp; failureReason, unsigned&amp; failurePosition, String&amp; reportURL);
</del><ins>+XSSProtectionDisposition parseXSSProtectionHeader(const String&amp; header, String&amp; failureReason, unsigned&amp; failurePosition, String&amp; reportURL);
</ins><span class="cx"> String extractReasonPhraseFromHTTPStatusLine(const String&amp;);
</span><span class="cx"> XFrameOptionsDisposition parseXFrameOptionsHeader(const String&amp;);
</span><span class="cx"> 
</span></span></pre>
</div>
</div>

</body>
</html>