Remove the 'reflected-xss' directive from CSP.

third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

 #!/usr/bin/perl -wT
 use strict;
 use CGI;
 
 my $cgi = new CGI;
 
 # Passing semicolons through the url to this script is problematic. The raw
 # form truncates the input and the %-encoded form isn't being decoded. Hence
 # this set of hard-coded headers.
 if ($cgi->param('disable-protection')) {
@@ skipping 47 matching lines @@
         print "X-XSS-Protection: 1; red\n";
     }
     if ($cgi->param('malformed-header') == 8) {
         print "X-XSS-Protection: 1; mode=block; report=/fail; mode=block;\n";
     }
     if ($cgi->param('malformed-header') == 9) {
         print "X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;\n";
     }
 }
 
-if ($cgi->param('csp') eq '_empty_') {
-    print "Content-Security-Policy: reflected-xss\n";
-} elsif ($cgi->param('csp')) {
-    print "Content-Security-Policy: reflected-xss " . $cgi->param('csp') . "\n";
-}
-
 print "Content-Type: text/html; charset=";
 print $cgi->param('charset') ? $cgi->param('charset') : "UTF-8";
 print "\n\n";
 
 print "<!DOCTYPE html>\n";
 print "<html>\n";
 if ($cgi->param('wait-for-load')) {
     print "<script>\n";
     print "onload = function() {\n";
     print "    window.parent.postMessage('loaded', '*');\n";
@@ skipping 63 matching lines @@
 if ($cgi->param('echo-report')) {
     print "<script src=/security/contentSecurityPolicy/resources/go-to-echo-report.js></script>\n";
 }
 print "Page rendered here.\n";
 if ($cgi->param('inHead')) {
     print "</head>\n";
 } else {
     print "</body>\n";
 }
 print "</html>\n";