There exists a known false positive in the Google Chrome XSS Auditor concerning a textarea with some js-ish text, for example action="":
The XSS Auditor refused to execute a script in 'https://www.dokuwiki.org/sandbox:chrome_xss_auditor?do=edit' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
The error message indicates that it could be resolved with either an X-XSS-Protection header or a Content-Security-Policy header. Indeed a related question on SO suggests deactivating XSS-Protection with header("X-XSS-Protection: 0");.
However I feel somewhat uneasy about simply deactivating that XSS-Protection and tried to handle this problem using a Content-Security-Policy header:
header('Content-Security-Policy: script-src * \'unsafe-inline\' \'unsafe-eval\'');
But unfortunately that did not affect the problem.
My question is: Why did it fail and how can I use a Content-Security-Policy header to handle the issue without deactivating XSS-Protection completely?
PS: for reference see also https://github.com/splitbrain/dokuwiki/issues/1182
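As an added example (not part of the question and not DokuWiki's code): the 'unsafe-inline' policy from the question replaced by a nonce-based policy, with the XSS filter left in blocking mode instead of being switched off. It assumes a PHP page with a single inline script, a request parameter named action, and that a policy which omits 'unsafe-inline' is the kind of CSP header the auditor message refers to; the page itself does not confirm which policies satisfy the auditor.

```php
<?php
// Added example, not from the question or from DokuWiki's code base.
// Assumptions: the page is served by PHP and embeds one inline <script>;
// a policy without 'unsafe-inline' is what the auditor message means by
// a 'Content-Security-Policy' header (assumption, not confirmed above).

// A fresh, unguessable nonce per response (16 random bytes, base64).
$nonce = base64_encode(random_bytes(16));

// Instead of the question's  script-src * 'unsafe-inline' 'unsafe-eval'
// allow only same-origin scripts and the one inline script carrying
// this response's nonce. 'unsafe-inline' is deliberately absent, so a
// reflected <script> would be refused by the policy itself.
header("Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'");

// Keep the legacy filter enabled and blocking rather than sending "0".
header('X-XSS-Protection: 1; mode=block');

// User-controlled value (hypothetical parameter), escaped for an HTML attribute.
$action = htmlspecialchars($_GET['action'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>sandbox</title></head>
<body>
<!-- The js-ish text lives inside the textarea; the attribute value is escaped,
     so it cannot close the quotes or the element. -->
<textarea name="wikitext">action="<?= $action ?>"</textarea>

<!-- Under the policy above only a script with the per-response nonce runs. -->
<script nonce="<?= $nonce ?>">
  document.querySelector('textarea').focus();
</script>
</body>
</html>
```

The nonce must be generated per response and must not be reused, otherwise the policy degrades to allowing any inline script that learns the value.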