XSSAuditor: truncate form action attribute like other src-like attributes

XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire fragment was right.
We fix it this time by always firing, even when the prefix is wrong.
As a result, the removed test as written would fail even
though things are safe.

BUG=719092

[Tom Sepez, 2017-05-08 22:02:52]

The CQ bit was checked by tsepez@chromium.org to run a CQ dry run

[Tom Sepez, 2017-05-08 22:03:34]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
deducing the token isn't possible.
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
deducing the token isn't possible.

Bug: 719092
==========

[Tom Sepez, 2017-05-08 22:03:34]

tsepez@chromium.org changed reviewers:
+ mkwst@chromium.org

[Tom Sepez, 2017-05-08 22:03:48]

Mike, for review.

[commit-bot: I haz the power, 2017-05-08 22:04:04]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Tom Sepez, 2017-05-08 22:04:20]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
deducing the token isn't possible.

Bug: 719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
forcing the token isn't possible.

Bug: 719092
==========

[Tom Sepez, 2017-05-08 22:04:38]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
forcing the token isn't possible.

Bug: 719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
forcing the token isn't possible.

Bug=719092
==========

[Tom Sepez, 2017-05-08 22:06:24]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
forcing the token isn't possible.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
forcing the token isn't possible. See https://codereview.chromium.org/1179633002
for context.

Bug=719092
==========

[Tom Sepez, 2017-05-08 22:07:36]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. It always fires now, even when the guess is wrong, so
forcing the token isn't possible. See https://codereview.chromium.org/1179633002
for context.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. 

See https://codereview.chromium.org/1179633002 for context.


Bug=719092
==========

[Tom Sepez, 2017-05-08 22:10:24]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. 

See https://codereview.chromium.org/1179633002 for context.


Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong). We
fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test would fail even though
things are safe.


Bug=719092
==========

[Tom Sepez, 2017-05-08 22:10:50]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong). We
fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test would fail even though
things are safe.


Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong). We
fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

[Tom Sepez, 2017-05-08 22:12:02]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the fragment, so it can't influence
behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong). We
fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong). We
fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

[Tom Sepez, 2017-05-08 22:12:54]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong). We
fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

[Tom Sepez, 2017-05-08 22:22:04]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire prefix was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire fragment was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

[Tom Sepez, 2017-05-08 22:22:31]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire fragment was right.
We fix it this time by always firing, even when the prefix is
wrong.  As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire fragment was right.
We fix it this time by always firing, even when the prefix is wrong.
As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

[commit-bot: I haz the power, 2017-05-08 22:46:03]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-08 22:46:06]

Dry run: Try jobs failed on following builders:
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[Mike West, 2017-05-09 09:26:58]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[Mike West, 2017-05-09 09:27:18]

LGTM, assuming that the red bots are issues with the bots and not issues with
the patch (I spot-checked a few...)

[commit-bot: I haz the power, 2017-05-09 09:27:20]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-09 09:38:23]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-09 09:38:23]

Dry run: Try jobs failed on following builders:
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[Tom Sepez, 2017-05-09 16:06:02]

The CQ bit was checked by tsepez@chromium.org

[commit-bot: I haz the power, 2017-05-09 16:06:54]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-09 16:17:25]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-09 16:17:26]

Try jobs failed on following builders:
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[Tom Sepez, 2017-05-09 16:28:02]

Description was changed from

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire fragment was right.
We fix it this time by always firing, even when the prefix is wrong.
As a result, the removed test as written would fail even
though things are safe.

Bug=719092
==========

to

==========
XSSAuditor: truncate form action attribute like other src-like attributes

Adds a missing flag.

As a result of adding the flag, the issue that inspired the test
form-action-token-fragment.html becomes moot.  We're no longer
considering any part of the path/query/fragment, so they won't
influence behaviour. 

See https://codereview.chromium.org/1179633002 for context. The
problem was the the auditor would sometimes fire on fragment
prefix matches (when right) and sometimes not (when wrong),
and might leak info as a result.

We fixed it last time by not firing until the entire fragment was right.
We fix it this time by always firing, even when the prefix is wrong.
As a result, the removed test as written would fail even
though things are safe.

BUG=719092
==========

[Tom Sepez, 2017-05-09 16:48:51]

The CQ bit was checked by tsepez@chromium.org

[Tom Sepez, 2017-05-09 16:48:52]

The patchset sent to the CQ was uploaded after l-g-t-m from mkwst@chromium.org
Link to the patchset: https://codereview.chromium.org/2868973003/#ps20001
(title: "rebase, update expectation")

[commit-bot: I haz the power, 2017-05-09 16:49:40]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-09 22:45:07]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-09 22:45:08]

Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Tom Sepez, 2017-05-11 18:10:59]

The CQ bit was checked by tsepez@chromium.org

[commit-bot: I haz the power, 2017-05-11 18:11:46]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-11 20:13:58]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-11 20:13:59]

Try jobs failed on following builders:
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)