This bug was accidentally filed as a security sensitive bug. This was supposed to be merely a bug in the "security features" bucket.

Could you be more specific about what you mean by "How Often"? Do you mean the number of times per million page loads?  The number of distinct sites that trip this in a given day?  The number of monthly users that see at least one of these? Or something else?

Also, to whom would this be useful? [note what high school English teachers call the weak passive voice in your statement "It would be useful ...:" :) ] The only principal that can do anything about it is the site owner, and there's already a report= mechanism in the X-XSS-Protect header in chromium to get these notifications (along the lines of CSP failures).

We've talked about this in the past and we could never come up with a good definition of what we wanted to measure and to whom it would be useful, so there hasn't been any work here.

If you can present a stronger, more specific argument we'd love to reconsider this.

I am currently doing some light-weight research on XSS filters and I wondered if we could add the following[1]:

Add a new UseCounter Feature e.g., "XSSAuditorBlockedScript"
Add this line to XSSAuditorDelegate::didBlockScript [2]:
> UseCounter::count(m_document, UseCounter::XSSAuditorBlockedScript);

This could give an indication about the prevalence of XSS (modulo false positives, that we can't really track). It could also guide decisions about prioritizing work on the XSSAuditor code in general.

[1]  I'm in fact willing to write the patch myself, but I am new to the chromium codebase and the details of UseCounter.
[2] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/parser/XSSAuditorDelegate.cpp?q=Xssauditor+file:%5Esrc/third_party/WebKit/Source/core/html/parser/&sq=package:chromium&l=103

I'm not sure that would produce any statistically useful data. What would you compare it against to get a baseline?  How would you know how a specific number of events would correlate to "presence"?

+aaj, who I mentioned this to earlier today.

Counting via `UseCounter::count` would automagically count the occurrences of blocked script against a baseline of page views, which seems like a reasonable thing to measure.

fbraun@: Are you planning on implementing an auditor-like thing in Firefox? Or are you doing general research on the prevalence of auditor-detectable XSS on the web? The goal's not clear to me, so it's hard to determine what kind of data would be helpful.

Ok, sorry if I seem difficult, but the hard part isn't writing the patch, it's being sure we are measuring the right thing.  These take several months to roll out to a stable release before we get any data, and if it isn't useful, we repeat the whole cycle over ...

> fbraun@: Are you planning on implementing an auditor-like thing in Firefox? Or are you doing general research on the prevalence of auditor-detectable XSS on the web? The goal's not clear to me, so it's hard to determine what kind of data would be helpful.

There are no official plans. I (personally) would like to get a report-only auditor-like thing into Firefox at some point, to find out if there's a tangible positive user impact.

> Counting via `UseCounter::count` would automagically count the occurrences of blocked script against a baseline of page views, which seems like a reasonable thing to measure.

This would also allow us comparing stats between browsers, once there is progress on the Firefox end.

@tsepez: No worries. Thanks for asking the hard questions :)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/239fdac4d03219287e6f8aef8e7f372f615e2a2b

commit 239fdac4d03219287e6f8aef8e7f372f615e2a2b
Author: mkwst <mkwst@chromium.org>
Date: Mon Sep 26 15:44:04 2016

Add usage counters to XSSAuditor.

BUG= 642747 

Review-Url: https://codereview.chromium.org/2330353007
Cr-Commit-Position: refs/heads/master@{#420892}

[modify] https://crrev.com/239fdac4d03219287e6f8aef8e7f372f615e2a2b/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/239fdac4d03219287e6f8aef8e7f372f615e2a2b/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
[modify] https://crrev.com/239fdac4d03219287e6f8aef8e7f372f615e2a2b/third_party/WebKit/Source/core/html/parser/XSSAuditorDelegate.cpp
[modify] https://crrev.com/239fdac4d03219287e6f8aef8e7f372f615e2a2b/tools/metrics/histograms/histograms.xml

mkwst, tsepez - this is fixed now right thanks to c#10?