Add more information about XSSAuditor limitations

Change-Id: I91e90d653c45fc7a8bebd433f10907a7c35caa0b Reviewed-on: https://chromium-review.googlesource.com/c/1258976Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#596323}

Add more information about XSSAuditor limitations
Change-Id: I91e90d653c45fc7a8bebd433f10907a7c35caa0b Reviewed-on: https://chromium-review.googlesource.com/c/1258976Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#596323}
8b198162 · Tom Sepez · Commit Bot · 90c8ebc9 · 8b198162
Commit 8b198162 authored Oct 03, 2018 by Tom Sepez Committed by Commit Bot Oct 03, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

docs/security/faq.md docs/security/faq.md +8 -2

No files found.
--- a/docs/security/faq.md
+++ b/docs/security/faq.md
@@ -157,8 +157,14 @@ Please do not provide links to vulnerable production sites seen in the wild,
 as that forces us to embargo the information in the bug.

 Note that the XSSAuditor is not able to defend against persistent XSS or
-DOM-based XSS. There will also be a number of infrequently occurring reflected
-XSS corner cases that it will never be able to cover. Among these are:
+DOM-based XSS. Nor is it able to defend against injections deep inside
+existing JavaScript blocks, [for
+example](https://bugs.chromium.org/p/chromium/issues/detail?id=135029), since
+the XSSAuditor is part of the HTML parser, not the JavaScript parser.
+
+There will also be a number of infrequently occurring reflected XSS corner
+case in an HTML context that it will never be able to cover. Among
+these are:
 *    Multiple unsanitized variables injected into the page.
 *    Unexpected server side transformation or decoding of the payload.