Not sure if this is considered a bug or not, or if the handling of branches with process success message has changed, but it doesn't seem to work anymore with a standard branch to page on chrome.
It is reporting:
Refused to execute a JavaScript script. Source code of script found within request
I have used this in the past and it used to work. (talking 3.2, but either apex/chrome/both has changed since then)
Anyway, researching the error leads me to this blog from chromium: http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
We've been hard at work adding proactive security features to Google Chrome, and we're particularly excited about five new security features that make it easier for developers to build secure web sites.
I think this relates to:
*Reflective XSS Protection*
One of the most difficult parts of building a secure web site is protecting against cross-site scripting (XSS) vulnerabilities. In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS, reflective XSS. The XSS filter checks whether a script that's about to run on a web page is also present in the request that fetched that web page. If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script.
The XSS filter is similar to those found in Internet Explorer 8 and NoScript. Instead of being layered on top of the browser like those filters, our XSS filter is integrated into WebKit, which Google Chrome uses to render webpages. Integrating the XSS filter into the rendering engine has two benefits: (1) the filter can catch scripts right before they are executed, making it easier to detect some tricky attack variations, and (2) the filter can be used by every WebKit-based browser, including Safari and Epiphany.
We are aware of a few ways to bypass the filter, but, on balance, we think that the filter is providing enough benefit to enable it by default in this release. If you discover a new way to bypass the filter, please let us know. We're very interested in improving the filter in subsequent releases. We're grateful to the security researchers who have helped us with the filter thus far (especially Eduardo "Sirdarckcat" Vela), and we welcome even more participation.>
Looking at one of the sample database applications, i notice if i insert a script into the success message of the customers DML page, it works without issue. Upon further inspection, i see there is a new branch type - based on application item; and this doesn't post the success message in the URL which is likely why it is working.
I can see this security measure is good to prevent XSS, but perhaps there is some other good way to handle allowing a script to be in the success message in a standard branch (it seems like a slight pain to force creating a page item to store the branch page)