X-XSS-Protection parser shoud reject '0; mode=block'

Source/platform/network/HTTPParsers.cpp

Index: Source/platform/network/HTTPParsers.cpp
diff --git a/Source/platform/network/HTTPParsers.cpp b/Source/platform/network/HTTPParsers.cpp
index 772188d21ae5cd135882ab668c53a9a25f92c082..32f1dc97cd6324fc21469142d1c5c8cc893a0fc4 100644
--- a/Source/platform/network/HTTPParsers.cpp
+++ b/Source/platform/network/HTTPParsers.cpp
@@ -355,6 +355,7 @@ void findCharsetInMediaType(const String& mediaType, unsigned& charsetPos, unsig
 ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)
 {
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, ("expected 0 or 1"));
+    DEFINE_STATIC_LOCAL(String, failureReasonInvalidDisable, ("'0' disables protections, and may not be followed by any characters"));
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidSeparator, ("expected semicolon"));
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidEquals, ("expected equals sign"));
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidMode, ("invalid mode directive"));
@@ -368,8 +369,14 @@ ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& f
     if (!skipWhiteSpace(header, pos, false))
         return ReflectedXSSUnset;
 
-    if (header[pos] == '0')
-        return AllowReflectedXSS;
+    if (header[pos] == '0') {
+        pos++;
+        skipWhiteSpace(header, pos, false);
+        if (pos == header.length())
+            return AllowReflectedXSS;

[Tom Sepez, 2013/11/28 00:09:15]

I'm almost inclined to suggest getting rid of the early returns and parse out
all the ;-separated options, and in the end barf if AllowReflectedXSS &&
modeDirectiveSeen and so forth.

+        failureReason = failureReasonInvalidDisable;
+        return ReflectedXSSInvalid;
+    }
 
     if (header[pos++] != '1') {
         failureReason = failureReasonInvalidToggle;