Explain two common XSSAuditor corner cases.
Reviewed-by: Chris Palmer <firstname.lastname@example.org>
Commit-Queue: Tom Sepez <email@example.com>
diff --git a/docs/security/faq.md b/docs/security/faq.md
index c367c68..a4f73b8 100644
@@ -144,7 +144,9 @@
The XSSAuditor is not able to defend against persistent XSS or DOM-based XSS.
There will also be a number of infrequently occurring reflected XSS corner
-cases, however, that it will never be able to cover.
+cases, however, that it will never be able to cover. Among these are:
+* Multiple unsanitized variables injected into the page.
+* Unexpected server side transformation or decoding of the payload.
## Why aren't physically-local attacks in Chrome's threat model?
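Review bot: The two added bullets name the corner cases but do not say why the XSSAuditor cannot cover them, so a FAQ reader still has to guess whether a given report falls under either one. Consider extending each bullet with a short clause on what about that case defeats the auditor. Separately, "server side" in the second bullet is a compound modifier and should be hyphenated: "Unexpected server-side transformation or decoding of the payload."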