189551 2018-09-12 09:32:18 -0700 XSS auditor breaks srcdoc example in live-dom-viewer 2021-09-21 14:31:39 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 230499 P2 Normal --- 1 simon.fraser webkit-unassigned ap bfulgham cdumez dbates sam simon.fraser oldest_to_newest 1458980 0 simon.fraser 2018-09-12 09:32:18 -0700 http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cstyle%3E%0Abody%20%7B%20background%3A%20aqua%20%7D%0A%3C%2Fstyle%3E%0A%3Ciframe%20srcdoc%3D%22%3Cdiv%20style%3Dbackground%3Ablue%3Bheight%3A30px%3E%3C%2Fdiv%3E%22%3E There should be a blue div inside the iframe, but we don't seem to parse the srcdoc correctly. 1459189 1 sam 2018-09-12 18:05:29 -0700 I'm pretty sure this isn't a parsing issue and is more likely the XSS Auditor kicking in. The same example renders fine in the Tryit Editor -> https://www.w3schools.com/code/tryit.asp?filename=FV8MYTW7FYTI. 1459197 2 simon.fraser 2018-09-12 18:21:51 -0700 Ah yes, inspector says: The XSS Auditor refused to execute a script in 'http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cstyle%3E%0Abody%20%7B%20background%3A%20aqua%20%7D%0A%3C%2Fstyle%3E%0A%3Ciframe%20srcdoc%3D%22%3Cdiv%20style%3Dbackground%3Ablue%3Bheight%3A30px%3E%3C%2Fdiv%3E%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. 1795776 3 bfulgham 2021-09-21 14:31:39 -0700 This is fixed when the XSS Auditor is removed (Bug 230499). *** This bug has been marked as a duplicate of bug 230499 ***