I just noticed a typo in the test file full-block-iframe-no-inherit.php: <?php header("X-XSS-Protection: full-block"); ?> But since there is no full-block directive, what is meant is <?php header("X-XSS-Protection: 1; mode=block"); ?>
Created attachment 170746 [details] Patch Heh.
Comment on attachment 170746 [details] Patch Why didn't this test fail without this change? Should we add a new test that covers the invalid header case?
(In reply to comment #2) > (From update of attachment 170746 [details]) > Why didn't this test fail without this change? I think the test looked only for non-application to the iframe, not application to the parent frame. > Should we add a new test that covers the invalid header case? Uh, yes. Want me to fold those into this patch?
> Want me to fold those into this patch? Up to you. I'd probably do it in one patch, but it's not super important.
Comment on attachment 170746 [details] Patch Clearing flags on attachment: 170746 Committed r132563: <http://trac.webkit.org/changeset/132563>
All reviewed patches have been landed. Closing bug.