Index: third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt |
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt |
index 72408c14b89ebadc9df86c83e512bd1e3a5fa9fb..0a292e0bf20fb780dfde5452c508b9fb9d4a05a0 100644 |
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt |
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-02-expected.txt |
@@ -1,3 +1,3 @@ |
-CONSOLE ERROR: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header. |
+CONSOLE ERROR: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=,&q=%3Cscript%3Ealert(String.fromCharCode(0x58&q2=0x53,0x53,0x32))%3C/script%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. |
Test that the XSSAuditor catches the specific case where the IIS webserver resovles multiply occuring query parameters by concatenating them before passing the result to the application. Conceptually, its as if ?a=1&a=2 becomes ?a=1,2. The test passes if the XSSAuditor logs console messages and no alerts fire. |