WebKit Bugzilla
RESOLVED WONTFIX
38613
REGRESSION: XSS Auditor blocks scripts in w3schools interactive shell
https://bugs.webkit.org/show_bug.cgi?id=38613
Andy Stevenson
Reported
2010-05-05 16:05:13 PDT
Found the bug elsewhere, but it is easily reproduced on the w3schools site. Simply edit the document.write string, e.g. add a space between '...JavaScript...' to make '...Java Script...' and hit the 'Edit and Click Me >>' button at the top of the pane. The page fails to render properly. This works fine in Safari Version 4.0.5 (6531.22.7).
Andy
Attachments
Example (518 bytes, text/html), 2010-05-05 21:46 PDT, Daniel Bates
Alexey Proskuryakov
Comment 1
2010-05-05 20:30:42 PDT
"Refused to execute a JavaScript script. Source code of script found within request."
Alexey Proskuryakov
Comment 2
2010-05-05 20:34:17 PDT
<rdar://problem/7949226>
Daniel Bates
Comment 3
2010-05-05 21:20:06 PDT
Unfortunately, w3schools.com has an XSS vulnerability that it uses as part of its Tryit Editor. Since the passing of changeset 56295 <http://trac.webkit.org/changeset/56295>, web developers (such as w3schools.com) can opt out of the XSSAuditor by specifying the HTTP header X-XSS-Protection: 0.
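A simplified model of the behaviour described in comments 1 and 3, added here as an illustration and not taken from WebKit's XSSAuditor code: a script is refused when its source appears in the request that produced the page, unless the response opts out with X-XSS-Protection: 0. The `code` parameter name, the sample page, the plain substring matching and the handling of a missing header are assumptions.

```javascript
// Simplified model of a reflected-script filter; not WebKit's XSSAuditor code.
const REFUSAL =
  'Refused to execute a JavaScript script. ' +
  'Source code of script found within request.';

// Assumption: a missing header leaves the filter on; a value whose first
// token is "0" turns it off for this response.
function filterEnabled(headerValue) {
  if (headerValue === undefined || headerValue === null) return true;
  return String(headerValue).split(';')[0].trim() !== '0';
}

// Decide whether an inline script in the response may run, given the
// form-encoded request body that produced the response.
function auditScript(scriptSource, requestBody, headerValue) {
  if (!filterEnabled(headerValue)) return { allowed: true, reason: null };
  const values = Array.from(new URLSearchParams(requestBody).values());
  // Plain substring search after form decoding (a simplification).
  const reflected =
    scriptSource.length > 0 && values.some((v) => v.includes(scriptSource));
  return reflected
    ? { allowed: false, reason: REFUSAL }
    : { allowed: true, reason: null };
}

// Constructed sample: an editor-style submission whose page is echoed back.
const editedScript = 'document.write("<h1>Hello Java Script</h1>")';
const submittedPage =
  `<html><body><script>${editedScript}</script></body></html>`;
const requestBody = new URLSearchParams({ code: submittedPage }).toString();

function demo() {
  return {
    // Echoed script, no opt-out header: refused.
    defaultHeader: auditScript(editedScript, requestBody, undefined),
    // Same response served with X-XSS-Protection: 0: allowed.
    optedOut: auditScript(editedScript, requestBody, '0'),
    // Script that was never part of the request: allowed.
    staticScript: auditScript('initMenu();', requestBody, undefined),
  };
}

console.log(demo());
```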
Daniel Bates
Comment 4
2010-05-05 21:46:36 PDT
Created attachment 55201
Example
Alexey Proskuryakov
Comment 5
2010-08-31 10:36:37 PDT
*** Bug 44880 has been marked as a duplicate of this bug. ***