
Lesson "A3 : Reflected Cross-Site Scripting" does not work on latest Chrome versions #2

@dhatanian

Description


FYI the latest versions of Google Chrome (tested on version 48.0.2564.97) do not allow scripts in the query string. Here's the error shown in the console:

The XSS Auditor refused to execute a script in 'http://192.168.99.100:8899/lucky.php?name=%3Cscript%3Ealert%28%22toto%22%29%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

This is a good thing, but might be worth putting a warning on the lesson :-)
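For readers of the lesson who want to see why the auditor fires on this request and what the server-side fix looks like, the following is an added example (not code from the lesson or from the issue author). It assumes, as the console message implies, that lucky.php echoes the name parameter straight into the HTML; the URL and payload are the ones quoted in the issue, and the hardened handler and the header check are the additions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# URL taken verbatim from the console message in the issue report.
REPORTED_URL = ("http://192.168.99.100:8899/lucky.php"
                "?name=%3Cscript%3Ealert%28%22toto%22%29%3C%2Fscript%3E")


def render_vulnerable(name: str) -> str:
    """Assumed behaviour of the lesson's lucky.php: echo the parameter unescaped."""
    return f"<html><body>Hello, {name}!</body></html>"


def render_fixed(name: str) -> str:
    """Same page with HTML entity encoding, so markup in the input stays text."""
    return f"<html><body>Hello, {html.escape(name, quote=True)}!</body></html>"


def fixed_headers() -> dict:
    """Response headers that make the browser's reflected-XSS heuristic unnecessary:
    a CSP that forbids inline script. 'self' is a constructed sample policy."""
    return {"Content-Security-Policy": "default-src 'self'"}


def auditor_would_run(headers: dict) -> bool:
    """Chrome's message says the auditor was enabled because the server sent
    neither X-XSS-Protection nor Content-Security-Policy."""
    names = {k.lower() for k in headers}
    return "x-xss-protection" not in names and "content-security-policy" not in names


def script_reflected(url: str, body: str) -> bool:
    """Approximation of the auditor's check: a query value containing a script tag
    appears verbatim in the response body ('its source code was found within
    the request')."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if "<script" in value.lower() and value in body:
                return True
    return False


def reflected_param(url: str, param: str = "name") -> str:
    """Decode the parameter the way the server would see it."""
    return parse_qs(urlsplit(url).query)[param][0]


if __name__ == "__main__":
    name = reflected_param(REPORTED_URL)
    print("decoded payload:", name)
    print("vulnerable page reflects script:",
          script_reflected(REPORTED_URL, render_vulnerable(name)))
    print("escaped page reflects script:",
          script_reflected(REPORTED_URL, render_fixed(name)))
    print("auditor active without headers:", auditor_would_run({}))
    print("auditor active with CSP:", auditor_would_run(fixed_headers()))
```

Run against the reported URL, the unescaped page reflects the decoded `<script>` block verbatim, which is exactly the condition the auditor reports; the entity-encoded page does not, and sending a Content-Security-Policy header is the signal that, per the console message, disables the auditor heuristic regardless.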
