<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[215096] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/215096">215096</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2017-04-07 09:02:10 -0700 (Fri, 07 Apr 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>WebKit should percent encode single quotes in query strings
https://bugs.webkit.org/show_bug.cgi?id=170561
<rdar://problem/7415154>
Reviewed by Alex Christensen.
Source/WebCore:
Modify the characterClassTable to instruct the URLParser to convert
the single-quote character ' to %27 in URL query strings.
Tests: URLParserTest in TestWebKitAPI.
fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html
fast/frames/xss-auditor-handles-file-urls.html
http/tests/security/xssAuditor
* platform/URLParser.cpp:
Tools:
Add a test case for single-quote in the URL query string.
* TestWebKitAPI/Tests/WebCore/URLParser.cpp:
LayoutTests:
Rebaseline tests after change.
* fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt:
* fast/frames/xss-auditor-handles-file-urls-expected.txt:
* http/tests/security/xssAuditor/base-href-control-char-expected.txt:
* http/tests/security/xssAuditor/base-href-expected.txt:
* http/tests/security/xssAuditor/base-href-null-char-expected.txt:
* http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
* http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/embed-tag-expected.txt:
* http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/form-action-expected.txt:
* http/tests/security/xssAuditor/formaction-on-button-expected.txt:
* http/tests/security/xssAuditor/formaction-on-input-expected.txt:
* http/tests/security/xssAuditor/frameset-injection-expected.txt:
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/iframe-injection-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
* http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
* http/tests/security/xssAuditor/link-onclick-expected.txt:
* http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/object-tag-expected.txt:
* http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
* http/tests/security/xssAuditor/svg-animate-expected.txt:
* http/tests/security/xssAuditor/svg-script-tag-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfasteventspopupblockedfromuniqueframeviawindowopennamedsiblingframeexpectedtxt">trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastframesxssauditorhandlesfileurlsexpectedtxt">trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorbasehrefschemerelativeexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagjavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorembedtagnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorformactionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorformactiononbuttonexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorformactiononinputexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorframesetinjectionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorfullblockbasehrefexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorfullblocklinkonclickexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorfullblockobjecttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorfullblockscripttagwithsourceexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframeinjectionexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlmoreencodingexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchardefaultencodingexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickampersandexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclickexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorlinkonclicknullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagcontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagnullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjecttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorobjecttagjavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagexpressionfollowsexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode4expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode5expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcomma01expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcecontrolcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceentitiesexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcenullcharexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcesamehostwithqueryexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorsvganimateexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorsvgscripttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypassbig5expectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypasssjisexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformURLParsercpp">trunk/Source/WebCore/platform/URLParser.cpp</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsTestWebKitAPITestsWebCoreURLParsercpp">trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/ChangeLog 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,59 @@
</span><ins>+2017-04-07 Brent Fulgham <bfulgham@apple.com>
+
+ WebKit should percent encode single quotes in query strings
+ https://bugs.webkit.org/show_bug.cgi?id=170561
+ <rdar://problem/7415154>
+
+ Reviewed by Alex Christensen.
+
+ Rebaseline tests after change.
+
+ * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt:
+ * fast/frames/xss-auditor-handles-file-urls-expected.txt:
+ * http/tests/security/xssAuditor/base-href-control-char-expected.txt:
+ * http/tests/security/xssAuditor/base-href-expected.txt:
+ * http/tests/security/xssAuditor/base-href-null-char-expected.txt:
+ * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
+ * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
+ * http/tests/security/xssAuditor/embed-tag-expected.txt:
+ * http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
+ * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
+ * http/tests/security/xssAuditor/form-action-expected.txt:
+ * http/tests/security/xssAuditor/formaction-on-button-expected.txt:
+ * http/tests/security/xssAuditor/formaction-on-input-expected.txt:
+ * http/tests/security/xssAuditor/frameset-injection-expected.txt:
+ * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
+ * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
+ * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
+ * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
+ * http/tests/security/xssAuditor/iframe-injection-expected.txt:
+ * http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
+ * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
+ * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
+ * http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
+ * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
+ * http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
+ * http/tests/security/xssAuditor/link-onclick-expected.txt:
+ * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
+ * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
+ * http/tests/security/xssAuditor/object-embed-tag-expected.txt:
+ * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
+ * http/tests/security/xssAuditor/object-tag-expected.txt:
+ * http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
+ * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
+ * http/tests/security/xssAuditor/svg-animate-expected.txt:
+ * http/tests/security/xssAuditor/svg-script-tag-expected.txt:
+ * http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
+ * http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
+
</ins><span class="cx"> 2017-04-07 Youenn Fablet <youenn@apple.com>
</span><span class="cx">
</span><span class="cx"> Improve some WebRTC flaky tests
</span></span></pre></div>
<a id="trunkLayoutTestsfasteventspopupblockedfromuniqueframeviawindowopennamedsiblingframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>alert(window.open('about:blank', 'A') ?%20'FAIL'%20:%20'PASS');%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
</del><ins>+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>alert(window.open('about:blank', 'A') ?%20%27FAIL%27%20:%20%27PASS%27);%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
</ins><span class="cx">
</span><span class="cx"> ALERT: PASS
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsfastframesxssauditorhandlesfileurlsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/security/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorbasehrefschemerelativeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href='//127.0.0.1:8000/security/xssAuditor/resources/base-href/'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27//127.0.0.1:8000/security/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-control-char.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-control-char.html&q=%3Cembed%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag.html&q=%3Cembed%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagjavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-javascript-url.html&q=%3Cembed%20src='javascript:alert(document.domain)'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-javascript-url.html&q=%3Cembed%20src=%27javascript:alert(document.domain)%27%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorembedtagnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-null-char.html&q=%3Cembed%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/embed-tag-null-char.html&q=%3Cembed%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%3E%3C/embed%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorformactionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value='Please%20type%20your%20PIN.'%3E&notifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value=%27Please%20type%20your%20PIN.%27%3E&notifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: Form action set to about:blank
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorformactiononbuttonexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&q=%3Cform%3E%3Cbutton%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&q=%3Cform%3E%3Cbutton%20formaction=%27http://example.com/%27%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: formaction present on BUTTON with value of about:blank
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorformactiononinputexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&q=%3Cform%3E%3Cinput%20formaction='http://example.com/'%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&q=%3Cform%3E%3Cinput%20formaction=%27http://example.com/%27%3E&notifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> ALERT: formaction present on INPUT with value of about:blank
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorframesetinjectionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/frameset-injection.html&inHead=1&q=%3Cframeset%3E%3Cframe%20src='data:text/html,%3Cscript%3Ealert(0)%3C/script%3E'%3E%3C/frameset%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/frameset-injection.html&inHead=1&q=%3Cframeset%3E%3Cframe%20src=%27data:text/html,%3Cscript%3Ealert(0)%3C/script%3E%27%3E%3C/frameset%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorfullblockbasehrefexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href=%27http://localhost:8000/security/xssAuditor/resources/base-href/%27%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</ins><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorfullblocklinkonclickexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-link-onclick.html&enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-link-onclick.html&enable-full-block=1&q=%3Ca%20onclick=%27alert(String.fromCharCode(0x58,0x53,0x53))%27%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</ins><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorfullblockobjecttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-object-tag.html&enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-object-tag.html&enable-full-block=1&q=%3Cobject%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://localhost:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</ins><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorfullblockscripttagwithsourceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-with-source.html&enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-with-source.html&enable-full-block=1&q=%3Cscript%20src=%27http://localhost:8000/security/xssAuditor/resources/xss.js%27%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</ins><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframeinjectionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-injection.html&q=%3Ciframe%20src='http://127.0.0.1:8000/'%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-injection.html&q=%3Ciframe%20src=%27http://127.0.0.1:8000/%27%3E%3C/iframe%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframejavascripturlmoreencodingexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-more-encoding.html&q=%3CIFRAME%20src='javascript:alert%26%23x25%3B281)'%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/iframe-javascript-url-more-encoding.html&q=%3CIFRAME%20src=%27javascript:alert%26%23x25%3B281)%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIchardefaultencodingexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-default-encode.pl?q=%3Cimg+src=%27%80%27+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorimgonerrornonASCIIcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char.html&q=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/img-onerror-non-ASCII-char.html&q=%3Cimg+src=%27%80%27+onerror=%27alert(document.domain)%27' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickampersandexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-ampersand.html&q=%3Ca%20onclick='alert(1%261)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-ampersand.html&q=%3Ca%20onclick=%27alert(1%261)%27%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-control-char.html&q=%3Ca%20onclick='al%05ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-control-char.html&q=%3Ca%20onclick=%27al%05ert(0)%27%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-entities.html&q=%3Ca%20href='about:blank'%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-entities.html&q=%3Ca%20href=%27about:blank%27%20onclick=%27alert(String.fromCharCode(0x58,0x53,0x53))//%26amp%3Bcopy%3B%27%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclickexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick.html&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick.html&q=%3Ca%20onclick=%27alert(String.fromCharCode(0x58,0x53,0x53))%27%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorlinkonclicknullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-null-char.html&q=%3Ca%20onclick='al%00ert(0)'%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/link-onclick-null-char.html&q=%3Ca%20onclick=%27al%00ert(0)%27%3EClick%3C/a%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagcontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-control-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%05%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjectembedtagnullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3Cembed%20id='embed'%20name='plugin'%20type='application/x-webkit-test-netscape'%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-embed-tag-null-char.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%20/%3E%3Cembed%20id=%27embed%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%20src=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjecttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20name=%27plugin%27%20type=%27application/x-webkit-test-netscape%27%3E%3Cparam%20name=%27movie%27%20value=%27http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf%27%20/%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorobjecttagjavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag-javascript-url.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id='object'%20data='javascript:alert(document.domain)'%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 9: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/object-tag-javascript-url.html&relay-target-ids-for-event=beforeload&q=%3Cobject%20id=%27object%27%20data=%27javascript:alert(document.domain)%27%3E%3C/object%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagexpressionfollowsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-expression-follows.html&script-expression-follows=1&q=%3Cscript%3Ealert('XSS')' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-expression-follows.html&script-expression-follows=1&q=%3Cscript%3Ealert(%27XSS%27)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode4expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl?q=%3Cscript%3Ealert(%27%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb%27)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwith16bitunicode5expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode5.html&q=%3Cscript%3Ealert('%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb')%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-16bit-unicode5.html&q=%3Cscript%3Ealert(%27%u0058%u0053%u0053%u0020%u05d0%u05d1%u05d8%u05d7%u05d4%u0020%u05e4%u05d2%u05d9%u05e2%u05d5%u05ea-%u8de8%u7ad9%u5f0f%u811a%u672c%u653b%u51fb%27)%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithcomma01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-01.html&clutter=,&q=%3Cscript%20x='1&%3E&q2=1'%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-comma-01.html&clutter=,&q=%3Cscript%20x=%271&%3E&q2=1%27%3Ealert(String.fromCharCode(0x58,0x53,0x53,0x31))%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span><span class="cx"> Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcecontrolcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-control-char.html&q=%3Cscript%20src='http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-control-char.html&q=%3Cscript%20src=%27http://127.0.0.1:8000/sec%02urity/xssAuditor/resources/xss.js%27%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceentitiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-entities.html&q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-entities.html&q=%3Cscript%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/xss.js?%26amp%3Bcopy%3B%27%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source.html&q=%3Cscript%20src='http://127.0.0.1:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source.html&q=%3Cscript%20src=%27http://127.0.0.1:8000/security/xssAuditor/resources/xss.js%27%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcenullcharexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-null-char.html&q=%3Cscript%20src='http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-null-char.html&q=%3Cscript%20src=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/xss.js%27%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorscripttagwithsourcesamehostwithqueryexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-same-host-with-query.html&q=%3Cscript%20src='xss.js?maybe+dangerous+query+string'%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-with-source-same-host-with-query.html&q=%3Cscript%20src=%27xss.js?maybe+dangerous+query+string%27%3E%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorsvganimateexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-animate.html&q=%3Csvg%20xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-animate.html&q=%3Csvg%20xmlns:xlink=%27http://www.w3.org/1999/xlink%27%3E%3Ca%3E%3Ccircle%20r=100%20/%3E%3Canimate%20attributeName=xlink:href%20values=%3Bjavascript%3Aalert(1)%20begin=0s%20end=0.1s%20fill=freeze%20/%3E%3C/a%3E%3C/svg%3E&notifyDone=1&dumpElementBySelector=animate' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx"> This test passes if the element displayed in the frame below has a 'values' attribute containing only 'javascript:void(0)'.
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorsvgscripttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-script-tag.html&q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/svg-script-tag.html&q=%3csvg%3e%3cscript%20XLinK:href=%27data:text/html,alert(0)%27%3e%3c/script%3e%3c/svg%3e' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypassbig5expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-big5.html&q=%3Cscript%3Ealert('%b4%5f')%3C/script%3E&charset=big5&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-big5.html&q=%3Cscript%3Ealert(%27%b4%5f%27)%3C/script%3E&charset=big5&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorxssfilterbypasssjisexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-sjis.html&q=%3Cscript%3Ealert('%8f%5f')%3C/script%3E&charset=shift_jis&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</del><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-filter-bypass-sjis.html&q=%3Cscript%3Ealert(%27%8f%5f%27)%3C/script%3E&charset=shift_jis&notifyDone=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/Source/WebCore/ChangeLog 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2017-04-07 Brent Fulgham <bfulgham@apple.com>
+
+ WebKit should percent encode single quotes in query strings
+ https://bugs.webkit.org/show_bug.cgi?id=170561
+ <rdar://problem/7415154>
+
+ Reviewed by Alex Christensen.
+
+ Modify the characterClassTable to instruct the URLParser to convert
+ the single-quote character ' to %27 in URL query strings.
+
+ Tests: URLParserTest in TestWebKitAPI.
+ fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html
+ fast/frames/xss-auditor-handles-file-urls.html
+ http/tests/security/xssAuditor
+
+ * platform/URLParser.cpp:
+
</ins><span class="cx"> 2017-04-07 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> Text insertion cursor disappears after pressing enter
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformURLParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/URLParser.cpp (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/URLParser.cpp 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/Source/WebCore/platform/URLParser.cpp 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -191,7 +191,7 @@
</span><span class="cx"> 0, // '$'
</span><span class="cx"> ForbiddenHost, // '%'
</span><span class="cx"> 0, // '&'
</span><del>- 0, // '''
</del><ins>+ QueryPercent, // '''
</ins><span class="cx"> 0, // '('
</span><span class="cx"> 0, // ')'
</span><span class="cx"> 0, // '*'
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/Tools/ChangeLog 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2017-04-07 Brent Fulgham <bfulgham@apple.com>
+
+ WebKit should percent encode single quotes in query strings
+ https://bugs.webkit.org/show_bug.cgi?id=170561
+ <rdar://problem/7415154>
+
+ Reviewed by Alex Christensen.
+
+ Add a test case for single-quote in the URL query string.
+
+ * TestWebKitAPI/Tests/WebCore/URLParser.cpp:
+
</ins><span class="cx"> 2017-04-06 Myles C. Maxfield <mmaxfield@apple.com>
</span><span class="cx">
</span><span class="cx"> Make FontWithFeatures test font pass OTS
</span></span></pre></div>
<a id="trunkToolsTestWebKitAPITestsWebCoreURLParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp (215095 => 215096)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp 2017-04-07 15:24:09 UTC (rev 215095)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp 2017-04-07 16:02:10 UTC (rev 215096)
</span><span class="lines">@@ -1298,6 +1298,7 @@
</span><span class="cx"> checkURL(makeString("gopher://host/path?", withUmlauts, "#fragment"), "asdf://example.com/?doesntmatter", iso88591, {"gopher", "", "", "host", 0, "/path", "%DC%26%231072%3B%26%231105%3B", "fragment", "gopher://host/path?%DC%26%231072%3B%26%231105%3B#fragment"});
</span><span class="cx"> checkURL(makeString("asdf://host/path?", withUmlauts, "#fragment"), "http://example.com/?doesntmatter", iso88591, {"asdf", "", "", "host", 0, "/path", "%C3%9C%D0%B0%D1%91", "fragment", "asdf://host/path?%C3%9C%D0%B0%D1%91#fragment"});
</span><span class="cx">
</span><ins>+ checkURL("http://host/?query=foo'bar", UTF8Encoding(), {"http", "", "", "host", 0, "/", "query=foo%27bar", "", "http://host/?query=foo%27bar"});
</ins><span class="cx"> // FIXME: Add more tests with other encodings and things like non-ascii characters, emoji and unmatched surrogate pairs.
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>