Explain two common XSSAuditor corner cases.

Change-Id: Idc316c17dec63531abb3b39f4188d368d0aad0b2
Reviewed-on: https://chromium-review.googlesource.com/706253
Reviewed-by: Chris Palmer <palmer@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507421}
diff --git a/docs/security/faq.md b/docs/security/faq.md
index c367c68..a4f73b8 100644
--- a/docs/security/faq.md
+++ b/docs/security/faq.md
@@ -144,7 +144,9 @@
 
 The XSSAuditor is not able to defend against persistent XSS or DOM-based XSS.
 There will also be a number of infrequently occurring reflected XSS corner
-cases, however, that it will never be able to cover.
+cases, however, that it will never be able to cover. Among these are:
+*    Multiple unsanitized variables injected into the page.
+*    Unexpected server side transformation or decoding of the payload.
 
 <a name="TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-"></a>
 ## Why aren't physically-local attacks in Chrome's threat model?
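Review bot: the two bullets added under "Among these are:" only name the corner cases and do not say why the auditor cannot cover them, while the commit subject promises an explanation. A short clause on each bullet stating what about multiple injected variables, or about server-side transformation of the payload, defeats the auditor would make the FAQ entry self-contained. Two style points in the same lines: "server side" is a compound modifier here and reads better as "server-side", and a blank line between "Among these are:" and the first `*` item would keep the list from being folded into the preceding paragraph by stricter Markdown renderers.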