summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /testing/web-platform/tests/content-security-policy
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'testing/web-platform/tests/content-security-policy')
-rw-r--r--testing/web-platform/tests/content-security-policy/OWNERS2
-rw-r--r--testing/web-platform/tests/content-security-policy/README.css27
-rw-r--r--testing/web-platform/tests/content-security-policy/README.html118
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html42
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html34
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html65
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html42
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html69
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html57
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html71
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html64
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html76
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html72
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html59
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html34
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html77
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html54
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html38
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html51
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis60
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html39
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html45
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html10
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html62
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html59
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html63
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html66
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html19
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html17
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html32
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html128
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html9
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html9
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html14
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html39
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html7
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js12
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js2
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js7
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js21
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js21
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html49
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html50
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html49
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html38
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html65
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html38
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.pngbin0 -> 2840 bytes
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.pngbin0 -> 2840 bytes
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html63
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html68
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html32
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html9
-rw-r--r--testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html9
-rw-r--r--testing/web-platform/tests/content-security-policy/font-src/fonts.css8
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html39
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/fail-0_1.js3
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_10.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_2.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_8.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/negativeTests.js3
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/pass-0_1.js3
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/positiveTest.js6
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/unreached.js3
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js8
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js8
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js8
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html46
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html44
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html55
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html44
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html55
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html53
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html68
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html66
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/meta/meta-img-src.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/meta/meta-modified.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html66
-rw-r--r--testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting/securitypolicyviolation-idl.html55
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js3
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js18
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js21
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js8
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/inlineTests.js4
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/3_3.css1
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_4-import.css3
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.css1
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/support/alert-pass.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js43
-rw-r--r--testing/web-platform/tests/content-security-policy/support/checkReport.sub.js84
-rw-r--r--testing/web-platform/tests/content-security-policy/support/fail.asis5
-rw-r--r--testing/web-platform/tests/content-security-policy/support/fail.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/support/fail.pngbin0 -> 759 bytes
-rw-r--r--testing/web-platform/tests/content-security-policy/support/inject-image.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/support/logTest.sub.js41
-rw-r--r--testing/web-platform/tests/content-security-policy/support/media/flash.swfbin0 -> 638 bytes
-rw-r--r--testing/web-platform/tests/content-security-policy/support/pass.pngbin0 -> 1689 bytes
-rw-r--r--testing/web-platform/tests/content-security-policy/support/report.py34
-rw-r--r--testing/web-platform/tests/content-security-policy/support/siblingPath.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/including.sub.svg18
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/scripted.svg20
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html51
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html34
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html30
446 files changed, 8460 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/OWNERS b/testing/web-platform/tests/content-security-policy/OWNERS
new file mode 100644
index 000000000..273486074
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/OWNERS
@@ -0,0 +1,2 @@
+@sideshowbarker
+@hillbrad
diff --git a/testing/web-platform/tests/content-security-policy/README.css b/testing/web-platform/tests/content-security-policy/README.css
new file mode 100644
index 000000000..d47a5034b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/README.css
@@ -0,0 +1,27 @@
+
+.code {
+ font-family: monospace;
+ color: darkorange;
+}
+
+.codeTitle {
+ font-family: sans-serif;
+ padding: .3em;
+ margin-bottom: -1em;
+ background: #ffe;
+ border-color: #ccc;
+ border-width: 1px;
+ border-style: groove;
+}
+
+.highlight1 {
+ background: yellow;
+}
+
+.highlight2 {
+ background: pink;
+}
+
+body {
+ font-family: sans-serif;
+}
diff --git a/testing/web-platform/tests/content-security-policy/README.html b/testing/web-platform/tests/content-security-policy/README.html
new file mode 100644
index 000000000..e2c3e38c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/README.html
@@ -0,0 +1,118 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>Introduction to Writing Content Security Policy Tests</title>
+ <link rel="stylesheet" type="text/css" href="README.css">
+ <link rel="stylesheet" type="text/css" href="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.1/styles/default.min.css">
+ <script src="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.1/highlight.min.js"></script>
+ <script>
+ hljs.initHighlightingOnLoad();
+ </script>
+</head>
+
+<body>
+ <h1>Introduction to Writing Content Security Policy Tests</h1>
+ <p>The CSP test suite uses the standard W3C testharness.js framework, but there are a few additional things you'll need to do because of the unique way CSP works, even if you're already an expert at writing W3C tests. These tests require the use of the
+ <a href="https://github.com/w3c/wptserve">wptserve</a> server (included in the <a href="https://github.com/w3c/web-platform-tests">web-platform-tests repository</a>) to operate correctly.</p>
+
+ <h2>What's different about writing CSP tests?</h2>
+
+ <h3>Headers</h3>
+ <p>Content Security Policy is preferentially set through an HTTP header. This means we can't do our tests just as a simple set of HTML+CSS+JS files. Luckily the wptserver framework provides an easy method to add headers to a file.</p>
+ <p>If my file is named <span class=code>example.html</span> then I can create a file
+ <span class=code>example.html.headers</span> to define the headers that will be served with it. If I need to do template substitutions in the headers, I can instead create a file named <span class=code>example.html.sub.headers</span>.</p>
+
+ <h3>Negative Test Cases and Blocked Script Execution</h3>
+ <p>Another interesting feature of CSP is that it <em>prevents</em> things from happening. It even can and prevent script from running. How do we write tests that detect something didn't happen?</p>
+
+ <h3>Checking Reports</h3>
+ <p>CSP also has a feature to send a report. We ideally want to check that whenever a policy is enforced, a report is sent. This also helps us with the previous problem - if it is difficult to observe something not happening, we can still check that a report fired.</p>
+
+ <h2>Putting it Together</h2>
+ <p>Here's an example of a simple test. (ignore the highlights for now...) This file lives in the
+ <span class=code>/content-security-policy/script-src/</span> directory.</p>
+
+ <p class=codeTitle>script-src-1_1.html</p>
+ <pre><code class="html">&lt;!DOCTYPE HTML&gt;
+&lt;html&gt;
+&lt;head&gt;
+ &lt;script src=&#39;/resources/testharness.js&#39;&gt;&lt;/script&gt;
+ &lt;script src=&#39;/resources/testharnessreport.js&#39;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+ &lt;h1&gt;Inline script should not run without &#39;unsafe-inline&#39; script-src directive.&lt;/h1&gt;
+ &lt;div id=&#39;log&#39;&gt;&lt;/div&gt;
+
+ &lt;script&gt;
+ test(function() {
+ asset_unreached(&#39;Unsafe inline script ran.&#39;)},
+ &#39;Inline script in a script tag should not run without an unsafe-inline directive&#39;
+ );
+ &lt;/script&gt;
+
+ &lt;img src=&#39;doesnotexist.jpg&#39; onerror=&#39;test(function() { assert_false(true, &quot;Unsafe inline event handler ran.&quot;) }, &quot;Inline event handlers should not run without an unsafe-inline directive&quot;);&#39;&gt;
+
+ &lt;script async defer src=&#39;../support/checkReport.sub.js?reportField=violated-directive&amp;reportValue=<span class=highlight1>script-src%20%27self%27</span>&#39;&gt;&lt;/script&gt;
+
+&lt;/body&gt;
+&lt;/html&gt;
+ </code></pre>
+
+
+ <p>This code includes three tests. The first one in the script block will generate a failure if it runs. The second one, in the onerror handler for the img which does not exist should also generate a failure if it runs. But for a successful CSP implementation, neither of these tests does run. The final test is run by the link to <span class=code>../support/checkReport.sub.js</span>. It will load some script in the page (make sure its not blocked by your policy!) which contacts the server asynchronously and sees if the expected report was sent. This should always run an generate a positive or negative result even if the inline tests are blocked as we expect.</p>
+
+ <p>Now, to acutally exercise these tests against a policy, we'll need to set headers. In the same directory we'll place this file:</p>
+
+ <p class=codeTitle>script-src-1_1.html.sub.headers</p>
+ <pre><code class="html">
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: <span class=highlight2>script-src-1_1</span>={{$id:uuid()}}; Path=<span class=highlight2>/content-security-policy/script-src/</span>
+Content-Security-Policy: <span class=highlight1>script-src 'self'</span>; report-uri <span class=highlight2>..</span>/support/report.py?op=put&reportID={{$id}}
+ </code></pre>
+ <p>This sets some headers to prevent caching (just so we are more likely to see our latest changes if we're actively developing this test) sets a cookie (more on that later) and sets the relevant <span class=code>Content-Security-Policy</span> header for our test case.</p>
+
+ <h4>What about those highlights?</h4>
+ <p>In production code we don't like to repeat ourselves. For this test suite, we'll relax that rule a little bit. Why? It's easier to have many people contributing "safe" files using some template substitutions than require every file to be executable content like Python or PHP which would require much more careful code review. The highlights show where you have to be careful as you repeat yourself in more limited static files.
+ </p>
+
+ <p>The <span class=highlight1>YELLOW</span> highlighted text is information that must be the same between both files for report checking to work correctly. In the html file, we're telling
+ <span class=code>checkReport.sub.js</span> to check the value of the <span class=code>
+ violated-directive</span> key in the report JSON. So it needs to match (after URL encoding) the directive we set in the header.</p>
+
+ <p>The <span class=highlight2>PINK</span> highlighted text is information that must be repeated from the path and filename of your test file into the headers file. The name of the cookie must match the name of the test file without its extension, the path for the cookie must be correct, and the relative path component to the report-uri must also be corrected if you nest your tests more than one directory deep.</p>
+
+ <h2>Check Your Effects!</h2>
+ <p>A good test case should also verify the state of the DOM in addition to checking the report - after all, a browser might send a report without actually blocking the banned content. Note that in a browser without CSP support there will be three failures on the example page as the inline script executes.</p>
+ <p>How exactly you check your effects will depend on the directive, but don't hesitate to use script for testing to see if computed styles are as expected, if layouts changed or if certain elements were added to the DOM. Checking that the report also fired is just the final step of verifing correct behavior.</p>
+
+ <p>Note that avoiding inline script is good style and good habits, but not 100% necessary for every test case. Go ahead and specify 'unsafe-inline' if it makes your life easier.</p>
+
+ <h2>Report Existence Only and Double-Negative Tests</h2>
+ <p>If you want to check that a report exists, or verify that a report <em>wasn't</em> sent for a double-negative test case,
+ you can pass <strong>?reportExists=</strong><em>[true|false]</em> to <span class=code>checkReport.sub.js</span> instead of <strong>reportField</strong> and <strong>reportValue</strong>.</p>
+
+ <h2>How does the magic happen?</h2>
+ <p>Behind the scenes, a few things are going on in the framework.</p>
+ <ol>
+ <li>The {{$id:uuid}} templating marker in the headers file tells the wptserve HTTP server to create a new unique id and assign it to a variable, which we can re-use as {{$id}}.</li>
+ <li>We'll use this UUID in two places:
+ <ol>
+ <li>As a GET parameter to our reporting script, to uniquely identify this instance of the test case so our report can be stored and retrieved.
+ </li>
+ <li>As a cookie value associated with the filename, so script in the page context can learn what UUID the report was sent under.</li>
+ </ol>
+ </li>
+ <li>The report listener is a simple python file that stashes the report value under its UUID and allows it to be retrieved again, exactly once.</li>
+ <li><span class=code>checkReport.sub.js</span> then grabs the current path information and uses that to find the cookie holding the report UUID. It deletes that cookie (otherwise the test suite would overrun the maximum size of a cookie header allowed) then makes an XMLHttpRequest to the report listener to retrieve the report, parse it and verify the contents as per the parameters it was loaded with.</li>
+ </ol>
+
+ <p>Why all these gymnastics? CSP reports are delivered by an <em>anonymous fetch</em>. This means that the browser does not process the response headers, body, or allow any state changes as a result. So we can't pull a trick like just echoing the report contents back in a Set-Cookie header or writing them to local storage.</p>
+
+ <p>Luckily, you shouldn't have to worry about this magic much, as long as you get the incantation correct.</p>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
new file mode 100644
index 000000000..ace543489
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
@@ -0,0 +1,3 @@
+#test {
+ color: green;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
new file mode 100644
index 000000000..143777407
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>base-uri-allow</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+ <script>
+ test(function() {
+ if ('{{ports[http][0]}}' == '80' ||
+ '{{ports[http][0]}}' == '443') {
+ assert_equals(document.baseURI, 'http://www1.{{host}}/');
+ } else {
+ assert_equals(document.baseURI, 'http://www1.{{host}}' + ':{{ports[http][0]}}/');
+ }
+
+ log("TEST COMPLETE")
+ });
+
+ </script>
+</head>
+
+<body>
+ <p>Check that base URIs can be set if they do not violate the page's policy.</p>
+ <div id="log"></div>
+ <script async defer src="./content-security-policy/support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
new file mode 100644
index 000000000..e749d7238
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-allow={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
new file mode 100644
index 000000000..f2b7c591e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>base-uri-deny</title>
+ <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS document.baseURI is document.location.href","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ var base = document.createElement('base');
+ base.href = 'http://www1.{{host}}:{{ports[http][0]}}/';
+ document.head.appendChild(base);
+ if (document.baseURI == document.location.href) {
+ log("PASS document.baseURI is document.location.href");
+ log("TEST COMPLETE");
+ }
+
+ </script>
+</head>
+
+<body>
+ <p>Check that base URIs cannot be set if they violate the page's policy.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=base-uri%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
new file mode 100644
index 000000000..0312c46d0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-deny={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
new file mode 100644
index 000000000..19cf6811c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that allowed form actions work correctly.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..88cbfda0e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
new file mode 100644
index 000000000..0960a8a02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ }, 0);
+ });
+ setTimeout(function() {log("TEST COMPLETE");}, 1);
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-fail.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking form actions works correctly.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;"></script>
+
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..29351c008
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
new file mode 100644
index 000000000..32823d680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-default-ignored</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; frame-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that default-src does not cascade to form-action.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
new file mode 100644
index 000000000..1abbcf50c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
new file mode 100644
index 000000000..a7d3e584b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+ <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-pass.html">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that allowed form actions work correctly
+ with GET and a redirect.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..ac8761518
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
new file mode 100644
index 000000000..0910eb419
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+ <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-fail.html">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that disallowed form actions are blocked
+ with GET and redirects.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;
+"></script>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e7a044dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
new file mode 100644
index 000000000..c362ea6fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-javascript-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';
+-->
+ <script nonce='noncynonce'>
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <form action="javascript:alert_assert(&quot;FAIL!&quot;)" id="theform" method="post">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ffa2288c0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
new file mode 100644
index 000000000..e311817eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-redirect-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ setTimeout(function() {}, 1000);
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form id="form1" action="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee767f4a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
new file mode 100644
index 000000000..41618d4ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>meta-outside-head</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'none'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+ <p>This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document&apos;s head.</p>
+ <script>
+ var aa = "PASS (1/1)";
+ </script>
+ <script src="metaHelper.js"></script>
+ <div id="log"></div>
+ <script src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
new file mode 100644
index 000000000..3cd335192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: meta-outside-head={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
new file mode 100644
index 000000000..9191a39c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
@@ -0,0 +1,5 @@
+if (typeof aa != 'undefined') {
+ alert_assert(aa);
+} else {
+ alert_assert("Failed - allowed inline script blocked by meta policy outside head.");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
new file mode 100644
index 000000000..fe3f95878
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-mismatched-data</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ This tests that plugin content that doesn&apos;t match the declared type doesn&apos;t load, even if the document&apos;s CSP would allow it. This test passes if &quot;FAIL!&quot; isn&apos;t logged.
+ <object type="application/x-invalid-type" data="data:application/x-webkit-test-netscape,logifloaded" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
new file mode 100644
index 000000000..4e5b31b2a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
new file mode 100644
index 000000000..bc60994ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-mismatched-url</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ This tests that plugin content that doesn&apos;t match the declared type doesn&apos;t load, even if the document&apos;s CSP would allow it. This test passes if no iframe is dumped (meaning that no PluginDocument was created).
+ <object type="application/x-invalid-type" data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
new file mode 100644
index 000000000..38a7450ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
new file mode 100644
index 000000000..eb60d5d4c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-notype-data</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: object tag onerror handler fired"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there&apos;s a CSP report and &quot;FAIL!&quot; isn&apos;t logged.
+ <object data="data:application/x-webkit-test-netscape" onload="log('FAIL');" onerror="log('PASS: object tag onerror handler fired');"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types+application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
new file mode 100644
index 000000000..ea938378a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
new file mode 100644
index 000000000..e9918941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-notype-url</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there&apos;s an error report is sent.
+ <object data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types%20application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
new file mode 100644
index 000000000..ffe26cdf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
new file mode 100644
index 000000000..222d6500d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-nourl-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn&apos;t a CSP violation sayingthe plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7fef2a5b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
new file mode 100644
index 000000000..b5cc5a5a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-nourl-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation sayingthe plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types%20text/plain"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..709bf90df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
new file mode 100644
index 000000000..2a94692ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-src disallowed wildcard use</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <!-- enforcing policy:
+script-src 'nonce-nonce' *; connect-src 'self';
+-->
+ <script nonce="nonce">
+ var t1 = async_test('data: URIs should not match *');
+ t1.step(function() {
+ var script = document.createElement("script");
+ script.src = 'data:application/javascript,';
+ script.addEventListener('load', t1.step_func(function() {
+ assert_unreached('Should not successfully load data URI.');
+ }));
+ script.addEventListener('error', t1.step_func(function() {
+ t1.done();
+ }));
+ document.head.appendChild(script);
+ });
+
+ var t2 = async_test('blob: URIs should not match *');
+ t2.step(function() {
+ var b = new Blob([''], { type: 'application/javascript' });
+ var script = document.createElement('script');
+ script.addEventListener('load', t2.step_func(function() {
+ assert_unreached('Should not successfully load blob URI.');
+ }));
+ script.addEventListener('error', t2.step_func(function() {
+ t2.done();
+ }));
+
+ script.src = URL.createObjectURL(b);
+ document.head.appendChild(script);
+ });
+
+ var t3 = async_test('filesystem URIs should not match *');
+ if (window.webkitRequestFileSystem) {
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ var script = document.createElement('script');
+
+ script.addEventListener('load', t3.step_func(function() {
+ assert_unreached('Should not successfully load filesystem URI.');
+ }));
+ script.addEventListener('error', t3.step_func(function() {
+ t3.done();
+ }));
+
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ });
+ });
+ });
+ } else {
+ t3.done();
+ }
+ </script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
new file mode 100644
index 000000000..cd9543913
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-wildcards-disallowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'nonce-nonce' *; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
new file mode 100644
index 000000000..a7a217448
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (3/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..e0fe373b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
new file mode 100644
index 000000000..ac7b2c02f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (3/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..6a92e06f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
new file mode 100644
index 000000000..a11a224ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-hash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <script>done();</script>
+ </head>
+
+ <body>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..d8893af41
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..545099e08
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid hash value disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..fb3fc7655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
new file mode 100644
index 000000000..bd1e0365c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-unicode-normalization</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+script-src 'self' 'nonce-nonceynonce' 'sha256-dWTP4Di8KBjaiXvQ5mRquI9OoBSo921ahYxLfYSiuT8='; connect-src 'self';
+-->
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+ <!-- The following two scripts contain two separate code points (U+00C5
+ and U+212B, respectively) which, depending on your text editor, might be
+ rendered the same.However, their difference is important because, under
+ NFC normalization, they would become the same code point, which would be
+ against the spec. This test, therefore, validates that the scripts have
+ *different* hash values. -->
+ <script nonce="nonceynonce">
+ var matchingContent = 'Ã…';
+ var nonMatchingContent = 'â„«';
+
+ // This script should have a hash value of
+ // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+ var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+ // This script should have a hash value of
+ // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+ var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+ var script1 = document.createElement('script');
+ var script2 = document.createElement('script');
+
+ script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+ var failure = function() {
+ assert_unreached();
+ }
+
+ window.finish = function(content) {
+ if (content == matchingContent) {
+ script1.test.step(function() {
+ script1.test.done();
+ });
+ } else {
+ script1.test.step(function() {
+ assert_unreached("nonMatchingContent script ran");
+ });
+ }
+ }
+
+ script1.onerror = failure;
+
+ document.body.appendChild(script2);
+ script2.textContent = scriptContent2;
+ document.body.appendChild(script1);
+ script1.textContent = scriptContent1;
+ </script>
+
+ <p>
+ This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
new file mode 100644
index 000000000..a23724f8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-unicode-normalization={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
new file mode 100644
index 000000000..2a1321d24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/=nonce">
+ alert_assert('PASS (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..a69c927c9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 000000000..2b333cbea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-and-scripthash</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="nonceynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="nonceynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+ var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+ <script nonce="nonceynonce">
+ alert_assert('PASS (1/3)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/3)');
+
+ </script>
+ <script nonce="nonceynonce">
+ alert_assert('PASS (3/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/2)');
+
+ </script>
+ <script nonce="notanonce">
+ alert_assert('FAIL (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=&apos;%20&apos;sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=&apos;%20&apos;nonce-nonceynonce&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
new file mode 100644
index 000000000..afa33e6df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-and-scripthash={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 000000000..4815ca100
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (closely-quoted nonce)');
+
+ </script>
+ <script nonce=" noncynonce ">
+ alert_assert('PASS (nonce w/whitespace)');
+
+ </script>
+ <script nonce="noncynonce noncynonce">
+ alert_assert('FAIL (1/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/3)');
+
+ </script>
+ <script nonce="noncynonceno?">
+ alert_assert('FAIL (3/3)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;nonce-noncynonce&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee4e8b3f0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..d1b97dfb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='noncynonce'>
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce='noncynonce'>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+
+
+ </script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/=nonce">
+ alert_assert('PASS (2/2)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;nonce-noncynonce&apos;%20&apos;nonce-noncy+/=nonce&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..01f7e185a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
new file mode 100644
index 000000000..a17f1fb5c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-redirect</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+ <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+ <script nonce="noncynonce">
+
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
new file mode 100644
index 000000000..8d71f88d5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-redirect={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
new file mode 100644
index 000000000..82cad0347
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-cross-origin-image-from-script</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var x = document.createElement('script');
+ x.src = 'http://{{host}}:{{ports[http][0]}}/content-security-policy/support/inject-image.js';
+ document.body.appendChild(x);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..723ed281f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
new file mode 100644
index 000000000..9b7dc32e1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-cross-origin-image</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var img = document.createElement('img');
+ img.src = 'http://{{host}}:{{ports[http][0]}}/security/resources/abe.png';
+ document.body.appendChild(img);
+ log("TEST COMPLETE");
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
new file mode 100644
index 000000000..d701a476f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
new file mode 100644
index 000000000..33facfbc3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-image-from-script</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var script = document.createElement('script');
+ script.src = '../support/inject-image.js';
+ document.body.appendChild(script);
+ log("TEST COMPLETE");
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..6b6084dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
new file mode 100644
index 000000000..3e62e2d35
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-image</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
new file mode 100644
index 000000000..1f4f84578
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
new file mode 100644
index 000000000..282b18502
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylehash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/4): The \'#p1\' element\'s text is green, which means the style was correctly applied.","PASS (2/4): The \'#p2\' element\'s text is green, which means the style was correctly applied.","PASS (3/4): The \'#p3\' element\'s text is green, which means the style was correctly applied.","PASS (4/4): The \'#p4\' element\'s text is green, which means the style was correctly applied."]');
+ var expected_alerts = ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.", "PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.", "PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.", "PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p1 is fired.</p>
+ <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p2 is fired.</p>
+ <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p3 is fired.</p>
+ <p id="p4">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p4 is fired.</p>
+ <style>p#p1 { color: green; }</style>
+ <style>p#p2 { color: green; }</style>
+ <style>p#p3 { color: green; }</style>
+ <style>p#p4 { color: green; }</style>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('#p1')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p2')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p3')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p4')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied.");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..2b519e85e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
new file mode 100644
index 000000000..274db0140
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylehash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied."]');
+ var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied."];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>p { color: green; }</style>
+ <style>p { color: red; }</style>
+ <style>p { color: purple; }</style>
+ <style>p { color: blue; }</style>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated.
+ </p>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('p')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS: The 'p' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL: The 'p' element's text is " + color + ", which means the style was incorrectly applied.");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo=&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac9ca4e87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
new file mode 100644
index 000000000..159338c6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>stylehash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+
+ <body>
+ <p id="p">Test</p>
+ <style>p#p { color: green; }</style>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('#p')).color;
+ assert_equals(color, "rgb(0, 128, 0)");
+ done();
+ </script>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..8efe9d965
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
new file mode 100644
index 000000000..c8622ba24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylenonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self' nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script></script>
+ <style nonce="noncynonce">
+ #test1 {
+ color: green;
+ }
+
+ </style>
+ <style>
+ #test1 {
+ color: red;
+ }
+
+ </style>
+ <style nonce="noncynonce">
+ #test2 {
+ color: green;
+ }
+
+ </style>
+</head>
+
+<body>
+ <p id="test1">This text should be green.</p>
+ <p id="test2">This text should also be green.</p>
+ <script>
+ var el = document.querySelector('#test1');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+ var el = document.querySelector('#test2');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+
+ </script>
+ <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;nonce-noncynonce&apos;%20&apos;nonce-noncy+/=nonce&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..28c85c91a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
new file mode 100644
index 000000000..43204f64d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylenonce-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <link rel="stylesheet" type="text/css" href="allowed.css">
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script></script>
+ <style nonce="noncynonce">
+ #test {
+ color: red;
+ }
+
+ </style>
+</head>
+
+<body>
+ <p id="test">This text should be green.</p>
+ <script>
+ var el = document.querySelector('#test');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+
+ </script>
+ <p>Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e51a02dd0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
new file mode 100644
index 000000000..912a29e0b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.
+ </p>
+ <script>
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;%20&apos;unsafe-inline&apos;%20&apos;&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 000000000..cbfc8d4e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
new file mode 100644
index 000000000..819c1a699
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-match-blob</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' blob:; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified.
+ </p>
+ <script>
+ function pass() {
+ log("PASS (1/1)");
+ }
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..be74e61a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' blob:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
new file mode 100644
index 000000000..66b86f195
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-header-and-meta-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+<p>Test passes if both style and image are blocked and a report is generated for the
+ style block from the header-supplied policy.</p>
+
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
new file mode 100644
index 000000000..b1f0e7f01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-header-and-meta-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
new file mode 100644
index 000000000..a14be5cd9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
@@ -0,0 +1,60 @@
+HTTP/1.1 200 OK
+Content-Type: text/html
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a
+Content-Security-Policy: img-src 'none'
+
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-multiple-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+ This test checks that we enforce all the supplied policies. This test passe if it doesn&apos;t alert fail and if the style doesn&apos;t apply.
+ Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
new file mode 100644
index 000000000..2beb00d02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ try {
+ var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..bd3eda40a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
new file mode 100644
index 000000000..f68d3c384
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ try {
+ var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..69ded8da7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..3d03100e3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p>
+ <p>Verify that a CSP connect-src directive blocks redirects.</p>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ var t = async_test();
+ t.set_status(t.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t.phase = t.phases.HAS_RESULT;
+ t.done();
+ } else {
+ navigator.sendBeacon(
+ "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png",
+ "ping");
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..2c69d0dc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
new file mode 100644
index 000000000..b3a65f1c1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..eff5c546a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
new file mode 100644
index 000000000..5be570c46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ // Firefox doesn't throw an exception and takes some time to close async
+ if (es.readyState == EventSource.CONNECTING) {
+ setTimeout( function() {
+ es.readyState != EventSource.CLOSED ? log("Fail") : log("Pass");
+ }, 2);
+ } else if (es.readyState == EventSource.CLOSED) {
+ log("Pass");
+ } else {
+ log("Fail");
+ }
+
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac37816a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..a3ba4bad0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ var es;
+ try {
+ es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ } catch (e) {
+ log("FAIL " + "EventSource() should not throw an exception.");
+ }
+ es.onload = function() {
+ log("FAIL " + "EventSource() should fail to follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ es.onerror = function() {
+ log("PASS " + "EventSource() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c63c8a9de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
new file mode 100644
index 000000000..4e8499bd4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://127.0.0.1:8880/echo");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..707435174
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
new file mode 100644
index 000000000..68f86dec6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://localhost:8880/echo");
+ log("Fail");
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20ws://127.0.0.1:8880"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..69036f5bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
new file mode 100644
index 000000000..a2ad12186
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://{{host}}:{{ports[http][0]}}/xmlhttprequest/resources/get.txt", true);
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..dbabcad7a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
new file mode 100644
index 000000000..014bb21ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
+ xhr.send();
+ xhr.onload = function() {
+ log("Fail");
+ }
+ xhr.onerror = function() {
+ log("Pass");
+ }
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..d338034cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..6fc0769b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script id="inject_here"></script>
+</head>
+
+<body>
+ <script>
+ var xhr = new XMLHttpRequest;
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ } catch (e) {
+ log("FAIL " + "XMLHttpRequest.open() should not throw an exception.");
+ }
+ xhr.onload = function() {
+ //cons/**/ole.log(xhr.responseText);
+ if(xhr.responseText == "FAIL") {
+ log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+ } else {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ }
+ log("TEST COMPLETE");
+ };
+ xhr.onerror = function() {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ xhr.send();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..452104ecd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
new file mode 100644
index 000000000..f5859087a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src 'self' about: 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body onload="alert_assert(&apos;PASS 2 of 2&apos;)">
+ <script>
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <!--iframe src="javascript:alert_assert(&apos;PASS 2 of 3&apos;)"></iframe-->
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..f223f0661
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self' about: 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
new file mode 100644
index 000000000..ad66a9d1f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+default-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if the inline scripts don't create failing tests and a CSP report is sent.
+ <script>
+ test(function() {
+ assert_unreached('FAIL inline script ran')
+ });
+
+ </script>
+ <script src="resources/document-write-alert-fail.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=default-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..63ea706f9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
new file mode 100644
index 000000000..4336b729b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>duplicate-directive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';
+-->
+
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of duplicated directives. It passes if the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
new file mode 100644
index 000000000..eefd7197f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: duplicate-directive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
new file mode 100644
index 000000000..88da806a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ eval("alert_assert('PASS (1 of 2)')");
+
+ </script>
+ <script>
+ window.eval("alert_assert('PASS (2 of 2)')");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..6bf55a116
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 000000000..599b01c31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked-and-sends-report</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=eval-blocked-and-sends-report.html; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL')");
+ } catch (e) {
+ log('PASS: eval() blocked.');
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
new file mode 100644
index 000000000..f197e41de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
new file mode 100644
index 000000000..449f9d192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
@@ -0,0 +1,10 @@
+
+<iframe src="about:blank"></iframe>
+Eval should be blocked in the iframe, but inline script should be allowed.
+<script>
+ window.onload = function() {
+ frames[0].log("<script>alert_assert(/PASS/); eval('alert_assert(/FAIL/);');<\/script>");
+ frames[0].document.close();
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
new file mode 100644
index 000000000..224f25ba7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-in-about-blank-iframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html
new file mode 100644
index 000000000..229667e7d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <script>
+ try {
+ window.eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..124f56bfa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 000000000..66fa95d31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id_string = setInterval("clearInterval(id_string); alert_assert('PASS 1 of 2')", 0);
+if (id_string == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id_string);
+var id_function = setInterval(function() {
+ clearInterval(id_function);
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id_function == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id_function);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..f13ba4c64
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 000000000..45d873c80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setInterval("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+var id = setInterval(function() {
+ clearInterval(id);
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..1bd6b636d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 000000000..9b2e595e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('PASS 1 of 2')", 0);
+if (id == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..4d664d600
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 000000000..72ed2ce1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..81537fe3e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
new file mode 100644
index 000000000..f9e814a1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content..
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log = async_test();
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('fail.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;%20&apos;unsafe-inline&apos;%20&apos;*&apos;"
+ document.lastChild.appendChild(s);
+ }
+
+
+ </script>
+ <div id="log"></div>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 000000000..a68e2a3df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
new file mode 100644
index 000000000..99e8592e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-match-filesystem</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function pass() {
+ log("PASS (1/1)");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('pass.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=false"
+ document.lastChild.appendChild(s);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
new file mode 100644
index 000000000..f9956ede8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-match-filesystem={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 000000000..a363ce911
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-default</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>These frames should not be blocked by Content-Security-Policy.
+ It&apos;s pointless to block about:blank iframes because
+ blocking a frame just results in displaying about:blank anyway!
+ </p>
+ <iframe src="about:blank"></iframe>
+ <object type="text/html" data="about:blank"></object>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
new file mode 100644
index 000000000..ba1169956
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 000000000..e4c47392c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-scheme</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>This frame should not be blocked by Content-Security-Policy.
+ </p>
+ <iframe src="about:blank"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
new file mode 100644
index 000000000..e23b82a93
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
new file mode 100644
index 000000000..1d34679c8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>frame-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ This iframe should be allowed.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..05247b402
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
new file mode 100644
index 000000000..fe7555aeb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=frame-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..bd0e6d17f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
new file mode 100644
index 000000000..5238e7c0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-cross-origin-load</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
+ var expected_alerts = ["PASS", "PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_alert.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=frame-src%20&apos;self&apos;http://www1.{{host}}:{{ports[http][0]}}"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
new file mode 100644
index 000000000..0970bbebf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
new file mode 100644
index 000000000..92cd088c5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ (new Function("alert_assert('PASS')"))();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..dd80ebacc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
new file mode 100644
index 000000000..be0c57477
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ (new Function("alert_assert('FAIL')"))();
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..eb7da39cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html
new file mode 100644
index 000000000..8bacdd305
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<script>
+ {}
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..b7d557b52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://localhost; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
new file mode 100644
index 000000000..978f25f63
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<script>
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c4dc69985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
new file mode 100644
index 000000000..f3d1e1424
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/sandboxed-eval.php"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
new file mode 100644
index 000000000..2cb1c7214
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: iframe-inside-csp={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html
new file mode 100644
index 000000000..c087692db
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="../support/pass.png" onload="alert_assert(this.width == 168 ? 'PASS' : 'FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3b85fc689
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html
new file mode 100644
index 000000000..e572070ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn&apos;t alert FAIL and does alert PASS.
+ <img src="../support/pass.png" onload='alert_assert("FAIL")' onerror='alert_assert("PASS")'>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c58bb88bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
new file mode 100644
index 000000000..6482654cd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-full-host-wildcard-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/pass.png" onload="alert_assert(this.width == 168 ? 'PASS' : 'FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..0f384f093
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-full-host-wildcard-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
new file mode 100644
index 000000000..8ec6fe433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Pass 1 of 2","Pass 2 of 2"]'></script>
+ <!-- enforcing policy:
+ script-src 'self' 'unsafe-inline'; connect-src 'self';
+ -->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7f3453924
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
new file mode 100644
index 000000000..bee3f9abd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e90dec673
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
new file mode 100644
index 000000000..f52289e49
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: 2 stylesheets on the page."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ FAIL 1/2
+ </div>
+ <div id="test2">
+ FAIL 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ if (document.styleSheets.length === 2)
+ log("PASS: 2 stylesheets on the page.");
+ else
+ document.write("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..8a48dc248
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
new file mode 100644
index 000000000..1ed46cb65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ PASS 1/2
+ </div>
+ <div id="test2">
+ PASS 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ log(document.styleSheets.length == 0 ? "PASS" : "FAIL");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..d3f0a5efb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
new file mode 100644
index 000000000..efb5043ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
@@ -0,0 +1,128 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed-while-cloning-objects</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.onload = function() {
+ window.nodes = document.getElementById('nodes');
+ window.node1 = document.getElementById('node1');
+ window.node1.style.background = "yellow";
+ window.node1.style.color = "red";
+ window.node2 = document.getElementById('node1').cloneNode(true);
+ window.node2.id = "node2";
+ window.node3 = document.getElementById('node3');
+ window.node3.style.background = "blue";
+ window.node3.style.color = "green";
+ window.node4 = document.getElementById('node3').cloneNode(false);
+ window.node4.id = "node4";
+ window.node4.innerHTML = "Node #4";
+ nodes.appendChild(node1);
+ nodes.appendChild(node2);
+ nodes.appendChild(node3);
+ nodes.appendChild(node4);
+ test(function() {
+ assert_equals(node1.style.background.match(/yellow/)[0], "yellow")
+ });
+ test(function() {
+ assert_equals(node2.style.background.match(/yellow/)[0], "yellow")
+ });
+ test(function() {
+ assert_equals(node3.style.background.match(/blue/)[0], "blue")
+ });
+ test(function() {
+ assert_equals(node4.style.background.match(/blue/)[0], "blue")
+ });
+ test(function() {
+ assert_equals(node1.style.color, "red")
+ });
+ test(function() {
+ assert_equals(node2.style.color, "red")
+ });
+ test(function() {
+ assert_equals(node3.style.color, "green")
+ });
+ test(function() {
+ assert_equals(node4.style.color, "green")
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node1).background, window.getComputedStyle(node2).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node3).background, window.getComputedStyle(node4).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node1).color, window.getComputedStyle(node2).color)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node3).color, window.getComputedStyle(node4).color)
+ });
+ window.ops = document.getElementById('ops');
+ ops.style.color = 'red';
+ window.clonedOps = ops.cloneNode(true);
+ window.violetOps = document.getElementById('violetOps');
+ violetOps.style.background = 'rgb(238, 130, 238)';
+ document.getElementsByTagName('body')[0].appendChild(clonedOps);
+ test(function() {
+ assert_equals(ops.style.background, "")
+ });
+ test(function() {
+ assert_equals(ops.style.color, "red")
+ });
+ test(function() {
+ assert_equals(clonedOps.style.background, "")
+ });
+ test(function() {
+ assert_equals(violetOps.style.background.match(/rgb\(238, 130, 238\)/)[0], "rgb(238, 130, 238)")
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(ops).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).color, window.getComputedStyle(ops).color)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(ops).background, window.getComputedStyle(violetOps).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(violetOps).background)
+ });
+ test(function() {
+ assert_equals(ops.id, "ops")
+ });
+ test(function() {
+ assert_equals(ops.id, clonedOps.id)
+ });
+ };
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This test ensures that styles can be set by object.cloneNode()
+ </p>
+ <div id="nodes">
+ This is a div (nodes)
+ <div id="node1"> This is a div. (node 1 or 2)</div>
+ <div id="node3"> This is a div. (node 3 or 4)</div>
+ </div>
+ <div id="ops" style="background: rgb(238, 130, 238)">
+ Yet another div.
+ </div>
+ <div id="violetOps">
+ Yet another div.
+ </div>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers
new file mode 100644
index 000000000..963fa1751
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed-while-cloning-objects={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html
new file mode 100644
index 000000000..bf5ac125d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..8ff58f55f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
new file mode 100644
index 000000000..ab446040a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7d765e2b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
new file mode 100644
index 000000000..90efe9fe7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..0b1ec14c1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
new file mode 100644
index 000000000..b002af987
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html style="background-color: blue;">
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="style-src 'self'">
+ <title>inline-style-attribute-on-html</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element.
+ </p>
+ <script>
+ log(document.documentElement.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
new file mode 100644
index 000000000..66bf93faa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-on-html={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
new file mode 100644
index 000000000..3f7756e44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..0b8306326
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
new file mode 100644
index 000000000..fe6d2b1c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3fbdc7337
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src *; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
new file mode 100644
index 000000000..fe6d2b1c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..4d6e5e395
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
new file mode 100644
index 000000000..4cb4002d9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
@@ -0,0 +1,14 @@
+<video></video>
+<script src="../../../media-resources/media-file.js"></script>
+<script src="../../../media-resources/video-test.js"></script>
+<script>
+ waitForEvent('loadedmetadata', function() {
+ alert_assert('PASS');
+ endTestLater();
+ });
+ // Find a supported media file.
+ var mediaFile = findMediaFile("video", "content/test");
+ var mimeType = mimeTypeForFile(mediaFile);
+ video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000";
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..b0401f7c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html
new file mode 100644
index 000000000..57c8d5f65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html
@@ -0,0 +1,15 @@
+<video></video>
+<script src="../../../media-resources/media-file.js"></script>
+<script src="../../../media-resources/video-test.js"></script>
+<p>This test passes if it doesn&apos;t alert failure.</p>
+<script>
+ waitForEvent('loadedmetadata', function() {
+ alert_assert('FAIL');
+ });
+ addEventListener('load', endTestLater, false);
+ // Find a supported media file.
+ var mediaFile = findMediaFile("video", "content/test");
+ var mimeType = mimeTypeForFile(mediaFile);
+ video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000";
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..86c56953d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html
new file mode 100644
index 000000000..c8036ce17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html
@@ -0,0 +1,39 @@
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>media-src-track-block</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ function loaded() {
+ alert_assert("FAIL");
+ }
+
+ function errored() {
+ alert_assert("PASS");
+ }
+
+ function start() {
+ var track = document.querySelector('track');
+ track.track.mode = "hidden";
+ track.setAttribute('src', 'resources/track.vtt');
+ }
+
+ </script>
+</head>
+
+<body onload="start()">
+ <video>
+ <track kind="captions" onload="loaded()" onerror="errored()">
+ </video>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=media-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
new file mode 100644
index 000000000..85c496e74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-track-block={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
new file mode 100644
index 000000000..358b7af1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-in-svg-foreignobject</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test ensures that objects inside SVG foreignobject elements are beholden to the same policy as the rest of the document. This test passes if there i a CSP violation saying the plugin was blocked.</p>
+ <svg>
+ <foreignobject>
+ <object xmlns="http://www.w3.org/1999/xhtml" data="/plugins/resources/mock-plugin.pl">
+ </object>
+ </foreignobject>
+ </svg>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
new file mode 100644
index 000000000..a196a1558
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-in-svg-foreignobject={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
new file mode 100644
index 000000000..d77027840
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="archive.jar" codebase="/plugins/codebase/" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
new file mode 100644
index 000000000..0b71a188b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
new file mode 100644
index 000000000..69c71986e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="/plugins/archive.jar" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
new file mode 100644
index 000000000..4bd5ec149
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
new file mode 100644
index 000000000..6121dad56
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-code-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="code.class" codebase="/plugins/codebase/"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
new file mode 100644
index 000000000..1ced1a8e2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
new file mode 100644
index 000000000..af598bfd1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-code</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="/plugins/code.class"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
new file mode 100644
index 000000000..44bd725f8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
new file mode 100644
index 000000000..2e2bef25d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn&apos;t a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3746103fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
new file mode 100644
index 000000000..ad3eebcae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..dba0ece70
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
new file mode 100644
index 000000000..dace2c417
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is no CSP violation saying the plugin was blocked.
+ <object data="/content-security-policy/support/pass.png"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..bce19c1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
new file mode 100644
index 000000000..4f12d747b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object data="/plugins/resources/mock-plugin.pl"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..1447fd0fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
new file mode 100644
index 000000000..a43e4be27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/alert-pass.html"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
new file mode 100644
index 000000000..ff37e37ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: policy-does-not-affect-child={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
new file mode 100644
index 000000000..dea8a87a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-blocked-data-uri</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-blocked-data-uri.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
new file mode 100644
index 000000000..8530a1cc4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
new file mode 100644
index 000000000..ed2cd2a74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;&amp;noCookies=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
new file mode 100644
index 000000000..5a7122975
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
new file mode 100644
index 000000000..cb001a220
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-disallowed-from-meta</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID=5ada7c32-1c46-4b79-a95f-af33fcf95f8e">
+</head>
+
+<body>
+ This image should be blocked, but should not show up in the violation report because meta policies MUST ignore report-uri.
+ <img src="../resources/abe.png" onerror="alert_assert('PASS')" onload="alert_assert('FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
new file mode 100644
index 000000000..4c620525a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-disallowed-from-meta=5ada7c32-1c46-4b79-a95f-af33fcf95f8e; Path=/content-security-policy/blink-contrib \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
new file mode 100644
index 000000000..e90cb066b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;&amp;noCookies=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
new file mode 100644
index 000000000..4655de254
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
new file mode 100644
index 000000000..cf3f72f1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-inline-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-inline-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ // This script block will trigger a violation report.
+ var i = document.createElement('img');
+ i.src = 'resources/abe.png';
+ document.body.appendChild(i);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
new file mode 100644
index 000000000..c37a9ff8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
new file mode 100644
index 000000000..790a75bda
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-image.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
new file mode 100644
index 000000000..ed6560118
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html
new file mode 100644
index 000000000..9ffb835f2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html
@@ -0,0 +1,6 @@
+<script src="resources/report-test.js"></script>
+<script>
+ // This script block will trigger a violation report.
+ alert_assert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
new file mode 100644
index 000000000..1416ea7f1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=report-uri.html; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html
new file mode 100644
index 000000000..c0fb8173d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html
@@ -0,0 +1,4 @@
+<script>
+ alert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html
new file mode 100644
index 000000000..50e753d0d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html
@@ -0,0 +1,4 @@
+<script>
+ alert('PASS');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css
new file mode 100644
index 000000000..54aeecc12
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css
@@ -0,0 +1,3 @@
+.target {
+ background-color: blue;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
new file mode 100644
index 000000000..5e78ca0da
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
@@ -0,0 +1 @@
+document.write("<script>test(function () { assert_unreached('FAIL inline script from document.write ran') });</script>");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
new file mode 100644
index 000000000..887f44f48
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
@@ -0,0 +1,7 @@
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php?test=generate-csp-report.html">
+<script>
+ // This script block will trigger a violation report.
+ alert('FAIL');
+
+</script>
+<script src="go-to-echo-report.js"></script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
new file mode 100644
index 000000000..e220f2a47
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
@@ -0,0 +1,12 @@
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.onload = function() {
+ var test = window.location.pathname.replace(/^.+\//, '');
+ var match = window.location.search.match(/^\?test=([^&]+)/);
+ if (match)
+ test = match[1];
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php?test=" + test;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js
new file mode 100644
index 000000000..1e1f93b39
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js
@@ -0,0 +1,4 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/security/resources/abe.png';
+document.body.appendChild(i);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js
new file mode 100644
index 000000000..155371985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>alert_assert('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "alert_assert('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js
new file mode 100644
index 000000000..532645a45
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js
@@ -0,0 +1,5 @@
+document.write("<style>#test1 { display: none; }</style>");
+
+var s = document.createElement('style');
+s.textContent = "#test2 { display: none; }";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js
new file mode 100644
index 000000000..69daa31d2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
new file mode 100644
index 000000000..a0308ad98
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('FAIL', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
new file mode 100644
index 000000000..700167b5d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('PASS', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js
new file mode 100644
index 000000000..54eaf530c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js
@@ -0,0 +1,2 @@
+var result = document.getElementById("result");
+result.firstChild.nodeValue = result.attributes.getNamedItem("text").value;
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
new file mode 100644
index 000000000..1d5fbba17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
@@ -0,0 +1 @@
+Set-Cookie: report-cookie=true \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none' \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
new file mode 100644
index 000000000..e467657bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
@@ -0,0 +1 @@
+data: hello
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
new file mode 100644
index 000000000..9bb8badca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
@@ -0,0 +1 @@
+Content-Type: text/event-stream
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
new file mode 100644
index 000000000..365e9ae15
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
@@ -0,0 +1 @@
+Subtitles!
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
new file mode 100644
index 000000000..9aa87129a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
new file mode 100644
index 000000000..03d9bf4cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
new file mode 100644
index 000000000..65ec6f446
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/blink-contrib/resources/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..22819d57a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none' \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
new file mode 100644
index 000000000..73359a39e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
new file mode 100644
index 000000000..a16827edd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
new file mode 100644
index 000000000..c755504b1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it does alert pass.
+<iframe src="data:text/html,&lt;script&gt;alert_assert(&apos;PASS&apos;);&lt;/script&gt;"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
new file mode 100644
index 000000000..4c7945728
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
new file mode 100644
index 000000000..3bdaa12ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it does alert pass.
+<script>
+ alert_assert('PASS');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
new file mode 100644
index 000000000..b6df57d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
new file mode 100644
index 000000000..5ddccfaa3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it doesn&apos;t alert fail.
+<iframe src="data:text/html,&lt;script&gt;alert_assert(&apos;FAIL&apos;);&lt;/script&gt;"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
new file mode 100644
index 000000000..5287112d6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
new file mode 100644
index 000000000..4e04e9875
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it doesn&apos;t alert fail.
+<script>
+ alert_assert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
new file mode 100644
index 000000000..f7d31c959
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
new file mode 100644
index 000000000..cf4aab201
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>script-src-overrides-default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src about:; script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body onload="alert_assert(&apos;PASS 2 of 2&apos;)">
+ <script>
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..5d3456433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-overrides-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
new file mode 100644
index 000000000..5f388622c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of 'self'
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ alert_assert('TEST COMPLETE');
+ event.preventDefault();
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..05843484b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: self-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
new file mode 100644
index 000000000..17da111a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>shared-worker-connect-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr allowed","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <script>
+ if(typeof SharedWorker != 'function') {
+ t_alert.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test.");
+ t_alert.phase = t_alert.phases.HAS_RESULT;
+ t_alert.done();
+ } else {
+ try {
+ var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js');
+ worker.port.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..eefff95c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
new file mode 100644
index 000000000..63225bf27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>shared-worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src *; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <p>This test loads a shared worker, delivered with its own
+ policy. The worker should be blocked from making an XHR
+ as that policy specifies a connect-src 'none', though
+ this resource's policy is connect-src *. No report
+ should be sent since the worker's policy doesn't specify
+ a report-uri.</p>
+ <script>
+ if(typeof SharedWorker != 'function') {
+ t_alert.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test.");
+ t_alert.phase = t_alert.phases.HAS_RESULT;
+ t_alert.done();
+ } else {
+ try {
+ var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js');
+ worker.port.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..bb4fb4c90
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html
new file mode 100644
index 000000000..b60eccb9b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>source-list-parsing-paths-03</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test passes if the source expression does not throw an &quot;invalid source&quot; error.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
new file mode 100644
index 000000000..58e7a22df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: source-list-parsing-paths-03={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 000000000..50b76688f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>srcdoc-doesnt-bypass-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/alertAssert.sub.js?alerts=%5B%5D"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn&apos;t alert fail.
+ <iframe srcdoc="&lt;script&gt;window.parent.alert_assert(&apos;FAIL&apos;)&lt;/script&gt;"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers
new file mode 100644
index 000000000..e2ffd1185
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: srcdoc-doesnt-bypass-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html
new file mode 100644
index 000000000..fac12b52a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *;
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of *
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ event.preventDefault();
+ alert_assert('TEST COMPLETE');
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..9f7db5b0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: star-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html
new file mode 100644
index 000000000..176a8e3ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+ <script>
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..cdf394548
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html
new file mode 100644
index 000000000..847e05b6a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..54c3272a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
new file mode 100644
index 000000000..923149199
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr allowed"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..92ef91f0d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html
new file mode 100644
index 000000000..054132290
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src *; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+<p>This test loads a worker, which is delivered with its own
+ policy. The worker should be blocked from making an XHR
+ as that policy specifies a connect-src 'none', though
+ this resource's policy is connect-src *. No report
+ should be sent since the worker's policy doesn't specify
+ a report-uri.</p>
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e302aa84a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
new file mode 100644
index 000000000..ac96e0f4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["eval blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The eval() call in the worker should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-eval.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..8964f80ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
new file mode 100644
index 000000000..b290b82f6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline' blob:;
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from making an XHR
+ to www1 as this resource's policy is connect-src 'self
+ and a guid Worker should inherit is parent's policy.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "var xhr = new XMLHttpRequest;" +
+ "xhr.onerror = function () {" +
+ " postMessage('xhr blocked');" +
+ " postMessage('TEST COMPLETE');" +
+ "};" +
+ "xhr.onload = function () {" +
+ " if (xhr.responseText == 'FAIL') {" +
+ " postMessage('xhr allowed');" +
+ " } else {" +
+ " postMessage('xhr blocked');" +
+ " }" +
+ " postMessage('TEST COMPLETE');" +
+ "};" +
+ "try { " +
+ " xhr.open(" +
+ " 'GET'," +
+ " 'http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis'," +
+ " true" +
+ " );" +
+ " xhr.send();" +
+ "} catch (e) {" +
+ " postMessage('xhr blocked');" +
+ " postMessage('TEST COMPLETE');" +
+ "}"],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
new file mode 100644
index 000000000..d94d31ace
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-from-guid={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
new file mode 100644
index 000000000..1db574780
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-function-function-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Function() function blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The Function constructor should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-function-function.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..b012518ec
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-function-function-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
new file mode 100644
index 000000000..9ec49c030
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-importscripts-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000; connect-src 'self';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var result = '';
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-importscripts.js');
+ worker.onmessage = function(event) {
+ result = event.data;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ };
+ } catch (e) {
+ result = e;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..04de51d14
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-importscripts-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html
new file mode 100644
index 000000000..9caf77224
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
+ foo.onmessage = function(event) {
+ alert_assert("PASS");
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
new file mode 100644
index 000000000..76e5a3ba2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
new file mode 100644
index 000000000..119121ca5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-set-timeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-set-timeout.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..fb6b3d0a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-set-timeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
new file mode 100644
index 000000000..b5daa8555
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
Binary files differ
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
new file mode 100644
index 000000000..b5daa8555
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
Binary files differ
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 000000000..9222a8ddc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>child-src-about-blank-allowed-by-default</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>These frames should not be blocked by Content-Security-Policy.
+ It&apos;s pointless to block about:blank iframes because
+ blocking a frame just results in displaying about:blank anyway!
+ </p>
+ <iframe src="about:blank"></iframe>
+ <object type="text/html" data="about:blank"></object>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers
new file mode 100644
index 000000000..68b2fb2fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 000000000..d94eff684
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>child-src-about-blank-allowed-by-scheme</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>This frame should not be blocked by Content-Security-Policy.
+ </p>
+ <iframe src="about:blank"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers
new file mode 100644
index 000000000..9ff84d67d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html
new file mode 100644
index 000000000..12a075adb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>child-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_alert.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ This iframe should be allowed.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7eb8d76f9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-allowed={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html
new file mode 100644
index 000000000..e32cc0af0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>child-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ function alert_assert(msg) {
+ t_log.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_log.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_log.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..961d18a7d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-blocked={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html
new file mode 100644
index 000000000..b681253ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>child-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ function alert_assert(msg) {
+ t_log.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_log.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_log.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ A more permissive child-src should not relax restrictions from a less-
+ permissive frame-src. Directives still combine for least privilege, even when
+ one obsoletes another.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=frame-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers
new file mode 100644
index 000000000..9c3ce8426
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-conflicting-frame-src={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html
new file mode 100644
index 000000000..b6f3e5164
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>child-src-cross-origin-load</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
+ var expected_alerts = ["PASS", "PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_alert.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ if (loads == 3)
+ log("TEST COMPLETE");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers
new file mode 100644
index 000000000..53527c1ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html
new file mode 100644
index 000000000..361d09742
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>child-src-worker-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
+ foo.onmessage = function(event) {
+ alert_assert("PASS");
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..4ddb39e84
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-worker-allowed={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html
new file mode 100644
index 000000000..8ed6b157a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>child-src-worker-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
+ foo.onerror = function(event) {
+ event.preventDefault();
+ alert_assert("PASS");
+ }
+ foo.onmessage = function(event) {
+ alert_assert("FAIL");
+ };
+ } catch (e) {
+ alert_assert("PASS");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;none&apos;"></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..685d6dcf5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-worker-blocked={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html
new file mode 100644
index 000000000..fdfbdd93d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html
@@ -0,0 +1,6 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>csp font-src: blacklisted</title>
+<link href="fonts.css" rel="stylesheet" type="text/css">
+         
+<p>The test passes if the line above are boxes in the test and glyphs in the reference.</p> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html
new file mode 100644
index 000000000..a430a417d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src 'none'">
+<title>csp font-src: blacklisted</title>
+<link rel="mismatch" href="font-blacklisted-ref.html">
+<link rel="help" href="https://www.w3.org/TR/CSP2/#directive-font-src">
+<link href="fonts.css" rel="stylesheet" type="text/css">
+         
+<p>The test passes if the line above are boxes in the test and glyphs in the reference.</p> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html
new file mode 100644
index 000000000..25ad3bd75
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html
@@ -0,0 +1,6 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>csp font-src: whitelisted</title>
+<link href="fonts.css" rel="stylesheet" type="text/css">
+         
+<p>The test passes if the line above shows the same glyphs in the reference.</p> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html
new file mode 100644
index 000000000..f3558f766
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src 'self'">
+<title>csp font-src: whitelisted</title>
+<link rel="match" href="font-whitelisted-ref.html">
+<link rel="help" href="https://www.w3.org/TR/CSP2/#directive-font-src">
+<link href="fonts.css" rel="stylesheet" type="text/css">
+         
+<p>The test passes if the line above shows the same glyphs in the reference.</p> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/font-src/fonts.css b/testing/web-platform/tests/content-security-policy/font-src/fonts.css
new file mode 100644
index 000000000..30dd02cdb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/fonts.css
@@ -0,0 +1,8 @@
+@font-face {
+ font-family: 'Halflings';
+ src: url('/tools/runner/fonts/glyphicons-halflings-regular.woff') format('woff');
+}
+
+body {
+ font-family: 'Halflings', Fallback, sans-serif;
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html
new file mode 100644
index 000000000..1926007d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>single-frame-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTest();
+ } else {
+ alert_assert(event.data);
+ }
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+
+ function startTest() {
+ window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
+ }
+ function done() { alert_assert("PASS"); }
+ setTimeout(done(), 1);
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html?subframe=http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-none.html' name="frame1"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html
new file mode 100644
index 000000000..6b9c91c93
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>Reporting Frame...</p>
+ <script>
+ function onMessage(event) {
+ var p = document.createElement(p);
+ p.textContent = event.data;
+ document.body.appendChild(p);
+ window.parent.postMessage(event.data, "*");
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false
+ );
+ </script>
+ <iframe src='{{GET[subframe]}}' name="deepframe"></iframe>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers
new file mode 100644
index 000000000..f0eb936b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'self'
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html
new file mode 100644
index 000000000..d51e0d532
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>Reporting Frame...</p>
+ <script>
+ function onMessage(event) {
+ var p = document.createElement(p);
+ p.textContent = event.data;
+ document.body.appendChild(p);
+ window.parent.postMessage(event.data, "*");
+ }
+ window.addEventListener(
+ "message",
+ onMessage,
+ false
+ );
+ </script>
+ <iframe src='{{GET[subframe]}}' name="deepframe"></iframe>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers
new file mode 100644
index 000000000..734aa227f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors *
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html
new file mode 100644
index 000000000..47bb0244b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>multiple-frames-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["hello frame1","hello frame2"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ var startTestCtr = 0;
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTestCtr++;
+ if(startTestCtr == 2) {
+ startTest();
+ }
+ } else {
+ alert_assert(event.data);
+ }
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+
+ function startTest() {
+ window.frames['frame1'].postMessage("hello frame1", "*");
+ window.frames['frame2'].postMessage("hello frame2", "*");
+ }
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html' name="frame2"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html
new file mode 100644
index 000000000..3857a173c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>multiple-frames-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["hello frame2"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTest();
+ } else {
+ alert_assert(event.data);
+ }
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+
+ function startTest() {
+ window.frames['frame1'].postMessage("hello frame1", "*");
+ window.frames['frame2'].postMessage("hello frame2", "*");
+ }
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-none.html' name="frame1"></iframe>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame2"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html
new file mode 100644
index 000000000..485b6eb0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>multiple-frames-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["hello frame1","hello frame2"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ var startTestCtr = 0;
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTestCtr++;
+ if(startTestCtr == 2) {
+ startTest();
+ }
+ } else {
+ alert_assert(event.data);
+ }
+ }
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+ function startTest() {
+ window.frames['frame1'].postMessage("hello frame1", "*");
+ window.frames['frame2'].postMessage("hello frame2", "*");
+ }
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame2"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html
new file mode 100644
index 000000000..a49049d13
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>single-frame-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["hello deep frame"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTest();
+ } else {
+ alert_assert(event.data);
+ }
+ }
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+ function startTest() {
+ window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
+ }
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html?subframe=http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html
new file mode 100644
index 000000000..ced262fd7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>single-frame-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTest();
+ } else {
+ alert_assert(event.data);
+ }
+ }
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+ function startTest() {
+ window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
+ }
+ function done() { alert_assert("PASS"); }
+ setTimeout(done(), 1);
+ </script>
+</head>
+<body>
+ <iframe src='http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html?subframe=http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html
new file mode 100644
index 000000000..e58f0ba8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>single-frame-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTest();
+ } else {
+ alert_assert(event.data);
+ }
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+
+ function startTest() {
+ window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
+ }
+ function done() { alert_assert("PASS"); }
+ setTimeout(done(), 1);
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html?subframe=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html
new file mode 100644
index 000000000..c0d079f01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">
+</head>
+<body>
+ <p>Reporting Frame...</p>
+ <script>
+ function onMessage(event) {
+ var p = document.createElement(p);
+ p.textContent = event.data;
+ document.body.appendChild(p);
+ window.parent.postMessage(event.data, "*");
+ }
+ window.addEventListener(
+ "message",
+ onMessage,
+ false
+ );
+ window.parent.postMessage("start test", "*");
+ </script>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html
new file mode 100644
index 000000000..e38d99a6c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>Reporting Frame...</p>
+ <script>
+ function onMessage(event) {
+ var p = document.createElement(p);
+ p.textContent = event.data;
+ document.body.appendChild(p);
+ window.parent.postMessage(event.data, "*");
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false
+ );
+
+ window.parent.postMessage("start test", "*");
+ </script>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers
new file mode 100644
index 000000000..18bfb8156
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'none'
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html
new file mode 100644
index 000000000..7c1186e77
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>Reporting Frame...</p>
+ <script>
+ function onMessage(event) {
+ var p = document.createElement(p);
+ p.textContent = event.data;
+ document.body.appendChild(p);
+ window.parent.postMessage(event.data, "*");
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false
+ );
+
+ window.parent.postMessage("start test", "*");
+ </script>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers
new file mode 100644
index 000000000..f0eb936b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'self'
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html
new file mode 100644
index 000000000..3a9b4552e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>single-frame-self-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["hello frame1"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
+-->
+ <script>
+ function onMessage(event) {
+ if(event.data == "start test") {
+ startTest();
+ } else {
+ alert_assert(event.data);
+ }
+ }
+
+ window.addEventListener(
+ "message",
+ onMessage,
+ false);
+
+ function startTest() {
+ window.frames['frame1'].postMessage("hello frame1", "*");
+ }
+ </script>
+</head>
+<body>
+ <iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
+ <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
new file mode 100644
index 000000000..5c580273d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+ scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') });
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
new file mode 100644
index 000000000..c3778f816
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>default-src should cascade to img-src directive</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+ <h1>default-src should cascade to img-src directive</h1>
+ <div id='log'></div>
+
+ <script>
+ var imgsrc = async_test("Verify cascading of default-src to img-src policy");
+ var onerrorFired = false;
+ </script>
+
+ <img id='imgfail' src=''
+ onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });'
+ onerror='onerrorFired = true;'>
+ <img src='../support/pass.png'
+ onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'>
+
+ <script>
+ document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png');
+ onload = function() {
+ imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");});
+ imgsrc.done();
+ }
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers
new file mode 100644
index 000000000..61bdc0a30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-img-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
new file mode 100644
index 000000000..740b2a553
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>default-src should cascade to script-src directive</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+ <h1>default-src should cascade to script-src directive</h1>
+ <div id='log'></div>
+
+ <script>
+ var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block");
+ var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
+ var allowedScriptRan = false;
+ </script>
+
+ <script src='pass-0_1.js'></script>
+
+ <script>
+ var inlineScript = document.createElement('script');
+ inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js');
+ document.getElementById('log').appendChild(inlineScript);
+ onload = function() {
+ scriptsrc1.done();
+ scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") });
+ scriptsrc2.done();
+ }
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers
new file mode 100644
index 000000000..b3ff8c460
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-script-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html
new file mode 100644
index 000000000..703e50b44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>test implicit port number matching (requires port 80)</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://www." + location.hostname + "/content-security-policy/generic/positiveTest.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>test implicit port number matching (requires port 80)</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers
new file mode 100644
index 000000000..c58b0536f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_10={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' www.{{host}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
new file mode 100644
index 000000000..c66640de3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>implicit port number matching fails with a different port</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='negativeTests.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://www." + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>implicit port number matching fails with a different port</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20www.{{host}}%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers
new file mode 100644
index 000000000..e8fcf07c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_10_1={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' www.{{host}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
new file mode 100644
index 000000000..130bfadad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>'self' keyword positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='positiveTest.js'></script>
+</head>
+<body>
+ <h1>'self' keyword positive test</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers
new file mode 100644
index 000000000..776112de6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
new file mode 100644
index 000000000..9d274ea59
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>'self' fails with a different port</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='negativeTests.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>'self' fails with a different port</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers
new file mode 100644
index 000000000..769ccc154
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2_2={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
new file mode 100644
index 000000000..ff4b8db8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='negativeTests.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/unreached.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers
new file mode 100644
index 000000000..0a8defccd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2_3={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html
new file mode 100644
index 000000000..2e7df3776
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>test wildcard host name matching (*.web-platform.test is good)</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='wildcardHostTest.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>test wildcard host name matching (*.web-platform.test is good)</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers
new file mode 100644
index 000000000..34756f9db
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_8={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' *.{{host}}:{{ports[http][0]}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
new file mode 100644
index 000000000..167b4458d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>test wildcard host name matching (www*.web-platform.test is bad, *www.web-platform.test is bad)</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='wildcardHostTestFailure.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>test wildcard host name matching (www*.web-platform.test is bad, *www.web-platform.test is bad)</h1>
+ <div id='log'></div>
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20*w.{{host}}:{{ports[http][0]}}%20w*.{{host}}:{{ports[http][0]}}%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers
new file mode 100644
index 000000000..57a038a05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_8_1={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' *w.{{host}}:{{ports[http][0]}} w*.{{host}}:{{ports[http][0]}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
new file mode 100644
index 000000000..cadeb178f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>test wildcard port number matching</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='wildcardPortTest.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var script = document.createElement('script');
+ script.type = 'text/javascript';
+ script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/wildcardPortTestSuceeds.js";
+ head.appendChild(script);
+ </script>
+</head>
+<body>
+ <h1>test wildcard port number matching</h1>
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers
new file mode 100644
index 000000000..2f2336009
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_9={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' {{host}}:* 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/negativeTests.js b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
new file mode 100644
index 000000000..44b4d7f68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
@@ -0,0 +1,3 @@
+var t1 = async_test("Prevents access to external scripts.");
+
+onload = function() {t1.done();}
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
new file mode 100644
index 000000000..933986800
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>no default src doesn't behave exactly like *</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"> </script>
+ <script src='positiveTest.js'></script>
+ <!-- enforcing policy: foobar; report-uri ...
+ -->
+</head>
+<body>
+ <h1>no default src doesn't behave exactly like *</h1>
+ This page has a CSP header but an unknown directive.
+ This should have no impact on an img loaded from a data:
+ uri, or an inline script, although that would be blocked by a default-src policy of *.
+ <br>
+ <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKgAAABACAIAAAABPqsMAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH1QoMCC8h3if5rgAAAB10RVh0Q29tbWVudABDcmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAGD0lEQVR42u2aa0yTVxiA39ILxa4KIkKrVCCIitzrqkAXQiXDSFjQHyZDBRRdtoDzgooao5uaoInID4hRJFC8RBOzxQuKigyYokuDSB0WlaJQlQrITRCwte1+nKVhpbT9aGUue59fb84573dO+uR7v/drS4OfAPkf4oQfAYpHUDyC4hEUj6B4BMUjKB5B8QiKR1A8guIRFI+geATFIygeQfEIikdQPEIVxmd1GsN+w9hBrV7bN9Kn7FHWqmqLHxY3vW2ycIWtS7Yeiz9G4h0VO47eO2rj1p4cz7WhayW+kuCZwdNdpjsznIe0Q53vO1X9qsbOxrr2uprWmrb+Nofn/lvQPqs/W5oVb0KBrCDrVpZGpzE7++iHR8Ezg0ms6FIsPL7Qho+Ali3O3h+zn81gW1n5M82BuVjqqZEpyjyVeMrs1CL+IqN1AAj0CBTNElm9YGFiYc7SHKvmHJ6Lpd7K/cF0YvK5/KV+S3eLd/tP9weAlNAUaYO0qrXKJGtd2DoS6A16J5oTGZG9llnYKDEgcUPEBhI/636WL8uvelHV1t82rB1mM9geHA8fV58QzxAhTxjjE+PAXCz15ku92cLIZXFr1tWEe4UDwLk/z635dc3oWWe6s3q72o3tBgD7qvYdiD0AAH0jfbxc3sjHkfF2LF9dvsx/GQDcbLmZdCHJwkrH5mKpp8CAZiC7IpvEUd5RJrMrFqwg1pU9ykO/H2rpbQEAV7brygUrLVxz8ezFJNh2cxtVc/bkonhq3Ht5jwReX3iNV+elDVIDGKQNUpNxs0x1nkoCZY+S6mHsyUXxE30oGP7R/3tP9Y7ziyNP91J5KQCUNpTqDXoAkPhKBNME412ne6ibBEEzg6iewZ5cFE8NY4XveN8xejw1LJV0cxXPK169ewUAL9+9vP38NgA40ZxSQ1OtlpDCxMI50+ZMrPxMIBfFU4DD5ByOO2zyoRPSwtJIUPyw2DhojNPC0mhg/jU67488AxgAQMgTNv/YfPXbq5miTNEskQvDxep57MnFrt56V890YvK4vFif2D1f7QlwDyCDcafjKl9UkjhmTkx1WjUA9Az38HP5H3Qfxvb5saWx1a3VZjfdsmRL7te5pGAY0Rl0ii7FnbY7l55cqnxRSZ4ajs1F8WbEW8bkXU6aJCXFvEBWsKl80+iVBcsLMr7MAIDT8tOpl8Yt+JGzIw9KDkp8JWYLg7JHmXUr68rTKw7PRfEUxJ98cHJz+Wbjbc1lcdXb1RwmBwCEhcJ6df3oxUKesO67OgAY0g55HfUa0AxYuLJgmmD53OVigTiCFxHgHkCn0UfP7rq960jtkU+Ri+LH/ZGmf6S/pbelVlVb0lDS2Nk4ejY9PL3omyIAkHfIw06EjU2Xfy8P8QwBgI1XNxbVF9l4EheGi5AvTJibkB6R7jHFAwAMYBAXi016C4fn4jPe1p807q6/G+0dbWMTHl0cTfVIbmy3suQy8jZxUXFx1cVVk5OLXb0lAtwDbLROXgWNvaHt9I70ZlzPILFYIJ60XBRvCcvfytm/ntDU9fc/AEjdnrTcTwrjv2udTqOnhKaQOOlC0uWnl8dbmTA3oSy5DABSQlP2/rZXZ9BR2mjejHkksNwbOjwX73jzxPvH87l8AOh433Gt+ZqFlTeUN9SDagDgc/nx/vGUdpnCnJIXn0fiB+0PJi0X73jrdfvso7Mf9R8trNQZdGfkZ3ZG7yRZ15uvG6dUW1W1qtp6db2iS9HW36YeUA9qBrV6LYfJ8XPzk/hKMkWZfm5+ZLHJS4E9udjVT7Crd3dxb89qZ9FZABB0POhx12PL6+fPmN+U0QQAGp2Gn8vvHu6m9JWR2bbcnlws9RNkdchqYl32WmbVOgA8efvk/qv7AMCis5KDkyntpdFpcu7mJP+SPIFz2pOLpd5SnS9pKLExpeRhSeTsSABYH74+X5ZPBgV5gijvqAheRKBHoI+rD4/L47K4TDpzWDv8ZvCNoktR3Vp9vvF8+0D72Avak4ulHsFSj6B4BMUjKB5B8QiKR1A8guIRFI+geATFo3gExSMoHkHxCIpHUDyC4hEUj6B45HPmL9so2ZKs94sNAAAAAElFTkSuQmCC'>
+ <script>
+ var allowedScriptRan = true;
+ </script>
+
+ <div id='log'></div>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..a7337acce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: no-default-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: foobar; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
new file mode 100644
index 000000000..3a08dd562
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+ allowedScriptRan = true;
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/positiveTest.js b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
new file mode 100644
index 000000000..63c999196
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
@@ -0,0 +1,6 @@
+onload = function() {
+ test(function() {
+ assert_true(true, 'Script ran.')},
+ "Allows scripts from the same host."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/unreached.js b/testing/web-platform/tests/content-security-policy/generic/unreached.js
new file mode 100644
index 000000000..893fb5eba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/unreached.js
@@ -0,0 +1,3 @@
+onload = function() {
+ t1.step(function() {assert_unreached("Script should not have ran.");});
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
new file mode 100644
index 000000000..da3e2790f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(wildcardHostTestRan, 'Script should have ran.')},
+ "Wildcard host matching works."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
new file mode 100644
index 000000000..75ec8cf80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+ test(function() {
+ assert_false(wildcardHostTestRan, 'Script should not have ran.')},
+ "Wildcard host matching works."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
new file mode 100644
index 000000000..8b115d7fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
@@ -0,0 +1 @@
+wildcardHostTestRan = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
new file mode 100644
index 000000000..3cd1d2eae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
@@ -0,0 +1,8 @@
+wildcardPortTestRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(wildcardPortTestRan, 'Script should have ran.')},
+ "Wildcard port matching works."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
new file mode 100644
index 000000000..0138deb2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
@@ -0,0 +1 @@
+wildcardPortTestRan = true; \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html
new file mode 100644
index 000000000..edf04fb19
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>img element src attribute must match src list.</h1>
+ <p>
+ <div id='log'></div>
+
+ <script type="text/javascript">
+ var t1 = async_test("img-src for relative path should load.");
+ var t2 = async_test("img-src from unapproved domains should not load");
+ var t3 = async_test("img-src from approved domains should load");
+ </script>
+
+ <img src='/content-security-policy/support/pass.png'
+ onerror='t1.step(function() { assert_unreached("The img should have loaded."); t1.done() });'
+ onload='t1.done();'>
+
+ <img src='http://www1.web-platform.test/content-security-policy/support/fail.png'
+ onerror='t2.done();'
+ onload='t2.step(function() { assert_unreached("Image from unapproved domain was loaded."); t2.done()} );'>
+
+ <div id='t3'></div>
+
+ <script>
+ var t3img = document.createElement('img');
+ t3img.onerror = function() {t3.step(function() { assert_unreached(); t3.done();})}
+ t3img.onload = function() {t3.done();}
+ t3img.src = location.protocol + '//www.' + location.hostname + ':' + location.port +
+ '/content-security-policy/support/pass.png';
+ var t3div = document.getElementById('t3');
+ t3div.appendChild(t3img);
+
+ var report = document.createElement('script');
+ report.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27self%27%20www.' + location.hostname + (location.port ? ':' + location.port : '');
+ t3div.appendChild(report);
+
+ </script>
+
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers
new file mode 100644
index 000000000..543e48c14
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: img-src-4_1={{$id:uuid()}}; Path=/content-security-policy/img-src/
+Content-Security-Policy: img-src 'self' www.{{host}}:{{ports[http][0]}}; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
new file mode 100644
index 000000000..d912b86bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var source_test = async_test("In-policy async video source element");
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)"
+ src="/media/white.mp4">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/white.mp4">
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers
new file mode 100644
index 000000000..9361207e8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_1={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html
new file mode 100644
index 000000000..61d4b1425
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - negative test</title>
+ <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("Disallowed async video src");
+ var source_test = async_test("Disallowed async video source element");
+
+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+ var mediaURL = location.protocol +
+ "//www2." +
+ location.hostname +
+ ":" +
+ location.port +
+ "/media/white.mp4";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)">
+
+ <script>
+ document.getElementById("videoSourceObject").src = mediaURL;
+ document.getElementById("videoObject2").src = mediaURL;
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=media-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers
new file mode 100644
index 000000000..036da8673
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_1_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
new file mode 100644
index 000000000..7509d7b05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy audio src");
+ var source_test = async_test("In-policy audio source element");
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/mpeg"
+ onerror="media_error_handler(source_test)"
+ src="/media/sound_5.mp3">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/sound_5.mp3">
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers
new file mode 100644
index 000000000..0f59cd9ff
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html
new file mode 100644
index 000000000..9b6134296
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - negative test</title>
+ <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("Disallaowed audio src");
+ var source_test = async_test("Disallowed audio source element");
+
+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+ var mediaURL = location.protocol +
+ "//www2." +
+ location.hostname +
+ ":" +
+ location.port +
+ "/media/sound_5.mp3";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/mpeg"
+ onerror="media_error_handler(source_test)">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)">
+
+ <script>
+ document.getElementById("audioSourceObject").src = mediaURL;
+ document.getElementById("audioObject2").src = mediaURL;
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=media-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers
new file mode 100644
index 000000000..685978de3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_2_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html
new file mode 100644
index 000000000..321877082
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html
@@ -0,0 +1,53 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video track src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video track src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var source_test = async_test("In-policy track element");
+
+ var trackURL = location.protocol +
+ "//www." +
+ location.hostname +
+ ":" +
+ location.port +
+ "/media/foo.vtt";
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Error handler called for allowed track source.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)" crossorigin>
+ <source id="audioSourceObject"
+ type="audio/mpeg"
+ src="/media/white.mp4">
+ <track id="trackObject"
+ kind="subtitles"
+ srclang="en"
+ label="English"
+ onerror="media_error_handler(source_test)">
+ </video>
+ <script>
+ document.getElementById("trackObject").src = trackURL;
+ </script>
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers
new file mode 100644
index 000000000..b764189ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_3={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self' www.{{host}}:{{ports[http][0]}}; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html
new file mode 100644
index 000000000..597ac7f8f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html
@@ -0,0 +1,68 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video track src attribute must match src list - negative test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video track src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var source_test =
+ async_test("Disallowed track element onerror handler fires.");
+
+ var trackURL = location.protocol +
+ "//www." +
+ location.hostname +
+ ":" +
+ location.port +
+ "/media/foo.vtt";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Disllowed track source loaded.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onerror="media_error_handler(source_test)"
+ crossorigin>
+ <source id="audioSourceObject"
+ type="audio/mpeg"
+ src="/media/white.mp4">
+ <track default
+ id="trackObject"
+ kind="subtitles"
+ srclang="en"
+ label="English"
+ onerror="media_error_handler(source_test)"
+ onload="media_loaded(source_test)"
+ onloadeddata="media_loaded(source_test)">
+ </video>
+ <script>
+ document.getElementById("trackObject").src = trackURL;
+ source_test.step(function() {
+ source_test.set_status(source_test.FAIL);
+ });
+
+ setTimeout(function() {
+ if(source_test.phase != source_test.phases.COMPLETE) {
+ source_test.step( function () { assert_unreached("Onerror event never fired for track element."); });
+ source_test.done();
+ }
+ }, 2 * 1000);
+ </script>
+
+ <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=media-src%20%27self%27">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers
new file mode 100644
index 000000000..2cfe51fe8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_3_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
new file mode 100644
index 000000000..b83511930
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element in media-src list - redirect test</h1>
+ <div id='log'></div>
+
+ <p>This test tests a buggy interaction in Chrome 46. Two hosts (self and www2) are both allowed
+ as media-src, but only one (self) is allowed for connect-src. If a video src starts on
+ an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug
+ causes the redirect to be done in a fetch context to which connect-src is being applied instead, so
+ the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var src_redir_test = async_test("in-policy async video src w/redir")
+ var source_test = async_test("In-policy async video source element");
+ var source_redir_test = async_test("In-policy async video source element w/redir");
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler shouldn't be triggered for allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)"
+ src="http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+
+ <video id="videoObject3" width="320" height="240" controls
+ onloadeddata="media_loaded(source_redir_test)">
+ <source id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)"
+ src="/common/redirect.py?location=http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_redir_test)"
+ onloadeddata="media_loaded(src_redir_test)"
+ src="/common/redirect.py?location=http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers
new file mode 100644
index 000000000..4ce3e428a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-redir-bug={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src http://www2.{{host}}:{{ports[http][0]}}/ 'self'; connect-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/meta/meta-img-src.html b/testing/web-platform/tests/content-security-policy/meta/meta-img-src.html
new file mode 100644
index 000000000..bc7ffd66a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/meta-img-src.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>meta-img-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+</head>
+
+<body>
+<p>Test passes if the image is blocked.</p>
+
+ <script>
+ function testImgSrc() {
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("PASS");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+ }
+ testImgSrc();
+ log("TEST COMPLETE");
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/meta-modified.html b/testing/web-platform/tests/content-security-policy/meta/meta-modified.html
new file mode 100644
index 000000000..d03115f31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/meta-modified.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>meta-modified</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS", "PASS","TEST COMPLETE"]'></script>
+</head>
+
+<body>
+<p>Test passes if the image is blocked both before and after policy modification.</p>
+
+ <script>
+ function testImgSrc() {
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("PASS");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+ }
+ testImgSrc();
+ document.getElementById("meta_csp").setAttribute("content", "img-src *");
+ testImgSrc();
+ log("TEST COMPLETE");
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html
new file mode 100644
index 000000000..db29fd394
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html
@@ -0,0 +1,66 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <title>Objects loaded using data attribute of &lt;object&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
+ <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body onLoad="object_loaded()">
+ <h1>Objects loaded using data attribute of &lt;object&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
+ <div id="log"></div>
+
+ <script>
+ var relativeMediaURL = "/support/media/flash.swf";
+ var pageURL = window.location.toString();
+ var temp1 = pageURL.split("//");
+ var temp2 = temp1[1].substring(0, temp1[1].lastIndexOf("/object-src/"));
+ var mediaURL = "http://www2." + temp2 + relativeMediaURL;
+ var htmlStr = "<object id='flashObject' type='application/x-shockwave-flash' data='" + mediaURL + "' width='200' height='200'></object>";
+ document.write(htmlStr);
+ </script>
+
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var flashMimeType = "application/x-shockwave-flash";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type;
+ }
+
+ var hasMimeType = allTypes.indexOf(flashMimeType) != -1;
+
+ <!-- The actual test. -->
+ var test1 = async_test("Async SWF load test")
+
+ function object_loaded() {
+ var elem = document.getElementById("flashObject");
+ var is_loaded = false;
+ try {
+ <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
+ var pct_loaded = elem.PercentLoaded();
+ is_loaded = true;
+ } catch (e) {}
+
+ if (hasMimeType) {
+ test1.step(function () {
+ assert_false(is_loaded, "External object loaded.")
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
+ document.lastChild.appendChild(s);
+ } else {
+ test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
+ test1.phase = test1.phases.HAS_RESULT;
+ }
+ test1.done();
+ }
+ </script>
+
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers
new file mode 100644
index 000000000..83fe95d34
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-2_1={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; object-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html
new file mode 100644
index 000000000..a868834ac
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html
@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Objects loaded using src attribute of &lt;embed&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
+ <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body onLoad="object_loaded()">
+ <h1>Objects loaded using src attribute of &lt;embed&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
+ <div id="log"></div>
+
+ <script>
+ var relativeMediaURL = "/support/media/flash.swf";
+ var pageURL = window.location.toString();
+ var temp1 = pageURL.split("//");
+ var temp2 = temp1[1].substring (0, temp1[1].lastIndexOf("/object-src/"));
+ var mediaURL = "http://www2." + temp2 + relativeMediaURL;
+ var htmlStr = "<embed id='flashObject' type='application/x-shockwave-flash' src='" + mediaURL + "' width='200' height='200'></object>";
+ document.write (htmlStr);
+ </script>
+
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var flashMimeType = "application/x-shockwave-flash";
+ for ( var i=0;i<len;i++ ) {
+ allTypes+=navigator.mimeTypes[i].type;
+ }
+
+ var hasMimeType = allTypes.indexOf(flashMimeType) != -1;
+
+ <!-- The actual test. -->
+ var test1 = async_test("Async SWF load test")
+
+ function object_loaded() {
+ var elem = document.getElementById("flashObject");
+ var is_loaded = false;
+ try {
+ <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
+ var pct_loaded = elem.PercentLoaded();
+ is_loaded = true;
+ } catch (e) {}
+
+ if (hasMimeType) {
+ test1.step(function() {assert_false(is_loaded, "External object loaded.")});
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
+ document.lastChild.appendChild(s);
+ } else {
+ //test1.step(function() {});
+ test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
+ test1.phase = test1.phases.HAS_RESULT;
+ }
+ test1.done();
+ }
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers
new file mode 100644
index 000000000..0ee665ea3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-2_2={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; object-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/securitypolicyviolation-idl.html b/testing/web-platform/tests/content-security-policy/reporting/securitypolicyviolation-idl.html
new file mode 100644
index 000000000..225951285
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/securitypolicyviolation-idl.html
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>SecurityPolicyViolationEvent IDL Tests</title>
+<link rel="author" title="Louay Bassbouss" href="http://www.fokus.fraunhofer.de">
+<link rel="help" href="http://w3c.github.io/presentation-api/#dfn-controlling-user-agent">
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/resources/WebIDLParser.js></script>
+<script src=/resources/idlharness.js></script>
+
+<script id="idl" type="text/plain">
+[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
+interface SecurityPolicyViolationEvent : Event {
+ readonly attribute DOMString documentURI;
+ readonly attribute DOMString referrer;
+ readonly attribute DOMString blockedURI;
+ readonly attribute DOMString violatedDirective;
+ readonly attribute DOMString effectiveDirective;
+ readonly attribute DOMString originalPolicy;
+ readonly attribute DOMString disposition;
+ readonly attribute DOMString sourceFile;
+ readonly attribute unsigned short statusCode;
+ readonly attribute long lineNumber;
+ readonly attribute long columnNumber;
+};
+
+dictionary SecurityPolicyViolationEventInit : EventInit {
+ DOMString documentURI;
+ DOMString referrer;
+ DOMString blockedURI;
+ DOMString violatedDirective;
+ DOMString effectiveDirective;
+ DOMString originalPolicy;
+ DOMString disposition;
+ DOMString sourceFile;
+ unsigned short statusCode;
+ long lineNumber;
+ long columnNumber;
+};
+</script>
+<script>
+ (function() {
+ var idl_array = new IdlArray();
+ var idls = document.getElementById('idl').textContent;
+ idl_array.add_idls(idls);
+
+ window.event_to_test = new SecurityPolicyViolationEvent({});
+
+ idl_array.add_objects({
+ SecurityPolicyViolationEvent: ['event_to_test']
+ });
+ idl_array.test();
+ })();
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
new file mode 100644
index 000000000..7b6e85210
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
@@ -0,0 +1 @@
+var dataScriptRan = false; \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
new file mode 100644
index 000000000..ba586810f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
@@ -0,0 +1,3 @@
+test(function () {
+ assert_true(dataScriptRan, "data script ran");
+ }, "Verify that data: as script src runs with this policy"); \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
new file mode 100644
index 000000000..cd093ac94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -0,0 +1,18 @@
+(function () {
+
+ var dmTest = async_test("DOM manipulation inline tests");
+ var attachPoint = document.getElementById('attachHere');
+ var inlineScript = document.createElement('script');
+ var scriptText = document.createTextNode('dmTest.step(function() {assert_unreached("Unsafe inline script ran - createTextNode.")});');
+
+ inlineScript.appendChild(scriptText);
+ attachPoint.appendChild(inlineScript);
+
+ document.getElementById('emptyScript').innerHTML = 'dmTest.step(function() {assert_unreached("Unsafe inline script ran - innerHTML.")});';
+ document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>dmTest.step(function() {assert_unreached("Unsafe inline script ran - outerHTML.")});</script>';
+
+ document.write('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.write")});</script>');
+ document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>');
+
+ dmTest.done();
+})(); \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
new file mode 100644
index 000000000..8cd092147
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
@@ -0,0 +1,21 @@
+(function ()
+{
+ var workerSource = document.getElementById('inlineWorker');
+ var blob = new Blob([workerSource.textContent]);
+
+ // can I create a new script tag like this? ack...
+ var url = window.URL.createObjectURL(blob);
+
+ try {
+ var worker = new Worker(url);
+ }
+ catch (e) {
+ done();
+ }
+
+ worker.addEventListener('message', function(e) {
+ assert_unreached("script ran");
+ }, false);
+
+ worker.postMessage('');
+})();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
new file mode 100644
index 000000000..ea2be272a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -0,0 +1,8 @@
+var inlineRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(inlineRan, 'Unsafe inline script ran.')},
+ 'Inline script in a script tag should run with an unsafe-inline directive'
+ );
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
new file mode 100644
index 000000000..6e76b0a17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
@@ -0,0 +1,4 @@
+var t1 = async_test("Inline script block");
+var t2 = async_test("Inline event handler");
+
+onload = function() {t1.done(); t2.done()} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
new file mode 100644
index 000000000..c83f512bf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineTests.js'></script>
+</head>
+<body>
+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1>
+ <div id='log'></div>
+
+ <script>
+ t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+ </script>
+
+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
new file mode 100644
index 000000000..d91fe1c87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
new file mode 100644
index 000000000..137a16421
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>data: as script src should not run with a policy that doesn't specify data: as an allowed source</h1>
+ <div id='log'></div>
+
+ <script>
+ var dataScriptRan = false;
+ </script>
+
+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+ <script>
+ test(function () {
+ assert_false(dataScriptRan, "data script ran");
+ }, "Verify that data: as script src doesn't run with this policy");
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
new file mode 100644
index 000000000..6c0c0fd0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
new file mode 100644
index 000000000..f1bfee200
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</h1>
+ <div id='log'></div>
+
+ <script src="10_1_support_1.js"></script>
+
+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+ <script src="10_1_support_2.js"></script>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
new file mode 100644
index 000000000..dfb6f345f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' data:; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
new file mode 100644
index 000000000..a41310da9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineTests.js'></script>
+</head>
+<body>
+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1>
+ <div id='log'></div>
+
+ <script>
+ t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+ </script>
+
+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
new file mode 100644
index 000000000..4cf9c6950
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
new file mode 100644
index 000000000..255f5df9c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</h1>
+ <div id="log"></div>
+
+ <div id=attachHere></div>
+
+ <script id=emptyScript></script>
+
+ <div id=emptyDiv></div>
+
+ <script src="addInlineTestsWithDOMManipulation.js"></script>
+
+ <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
+
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
new file mode 100644
index 000000000..9c58f0efc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
new file mode 100644
index 000000000..30e6f6870
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineSuccessTest.js'></script>
+</head>
+<body>
+ <h1>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+ inlineRan = true;
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
new file mode 100644
index 000000000..8227c6272
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
new file mode 100644
index 000000000..5293183d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+
+ var evalRan = false;
+
+ test(function() {assert_throws(new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
+
+ test(function() {assert_false(evalRan);})
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
new file mode 100644
index 000000000..28ad14b60
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
new file mode 100644
index 000000000..31664a169
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+ var t1 = async_test("window.setTimeout()");
+ var t2 = async_test("window.setInterval()");
+
+ onload = function() {t1.done(); t2.done()}
+
+ window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
+ window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
new file mode 100644
index 000000000..6bd48d1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
new file mode 100644
index 000000000..31382936f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+
+ test(function() {
+ assert_throws(
+ new EvalError(),
+ function() {
+ var funq = new Function('');
+ funq();
+ })}, "Unsafe eval ran in Function() constructor.");
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
new file mode 100644
index 000000000..314849bb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/3_3.css b/testing/web-platform/tests/content-security-policy/style-src/3_3.css
new file mode 100644
index 000000000..8086244b2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/3_3.css
@@ -0,0 +1 @@
+#content {margin-left: 2px;} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html
new file mode 100644
index 000000000..6c4c1a320
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html
@@ -0,0 +1,33 @@
+<!doctype html>
+<html>
+<head>
+ <title></title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <style>
+ /* none of this should be applied */
+ #log {
+ margin-left: 200px;
+ }
+ </style>
+</head>
+<body>
+ <h1>
+ Inline style should not be applied
+ without unsafe-inline directive
+ </h1>
+ <div id='log'></div>
+
+ <script>
+ test(function() {
+ var logEl = document.getElementById("log");
+ var marginLeftVal = getComputedStyle(logEl).getPropertyValue('margin-left');
+ assert_false(marginLeftVal == "200px")},
+ "Inline style should not be applied"
+ );
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27self%27'></script>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html.sub.headers
new file mode 100644
index 000000000..c550a46c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-src-3_1={{$id:uuid()}}; Path=/content-security-policy/style-src/
+Content-Security-Policy: style-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html
new file mode 100644
index 000000000..ce904d96b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline style attributes should not be applied without 'unsafe-inline' style-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script>
+ onload = function() {
+ test(function() {
+ var text = document.getElementById("content");
+ assert_true(getComputedStyle(text).marginLeft != "2px", "Inline style attribute should not be applied to text");
+ });
+ }
+ </script>
+</head>
+<body>
+ <h1>Inline style attributes should not be applied without 'unsafe-inline' style-src directive.</h1>
+ <div id='log'></div>
+
+ <div id="content" style="margin-left: 2px">This text should not have a margin-left of 2</div>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html.sub.headers
new file mode 100644
index 000000000..3343ccee9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-src-3_2={{$id:uuid()}}; Path=/content-security-policy/style-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html
new file mode 100644
index 000000000..d836b351c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>href of link with rel=stylesheet must be in src list</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script>
+ var head = document.getElementsByTagName('head')[0];
+ var link = document.createElement('link');
+ link.setAttribute('rel', 'stylesheet');
+ link.setAttribute('type', 'text/css');
+ link.setAttribute('href', location.protocol +
+ '//www1.' +
+ location.hostname +
+ ':' +
+ location.port +
+ '/content-security-policy/style-src/3_3.css');
+ head.appendChild(link);
+
+ onload = function doTest() {
+ test(function() {
+ var text = document.getElementById("content");
+ assert_true(getComputedStyle(text).marginLeft != "2px", "Style sheet loaded from origin not in style-src directive should be blocked");
+ });
+ }
+ </script>
+</head>
+<body>
+ <h1>href of link with rel=stylesheet must be in src list</h1>
+ <div id='log'></div>
+
+ <div id="content">This text should not have a margin-left of 2</div>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27self%27'></script>
+
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html.sub.headers
new file mode 100644
index 000000000..ca1adc553
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-src-3_3={{$id:uuid()}}; Path=/content-security-policy/style-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4-import.css b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4-import.css
new file mode 100644
index 000000000..8ef865fdc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4-import.css
@@ -0,0 +1,3 @@
+#log {
+ margin-left: 200px;
+}
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.css b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.css
new file mode 100644
index 000000000..11729ce7a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.css
@@ -0,0 +1 @@
+@import "http://{{host}}:{{ports[http][1]}}/content-security-policy/style-src/style-src-3_4-import.css";
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html
new file mode 100644
index 000000000..92553dd67
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html
@@ -0,0 +1,27 @@
+<!doctype html>
+<html>
+<head>
+ <title></title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <link href="style-src-3_4.css?pipe=sub" rel=stylesheet type=text/css>
+</head>
+<body>
+ <h1>
+ @import stylesheet should not be loaded
+ if its URL doesn't match style-src.
+ </h1>
+ <div id='log'></div>
+
+ <script>
+ test(function() {
+ var logEl = document.getElementById("log");
+ var marginLeftVal = getComputedStyle(logEl).getPropertyValue('margin-left');
+ assert_false(marginLeftVal == "200px")},
+ "@import stylesheet should not be applied"
+ );
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27self%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html.sub.headers b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html.sub.headers
new file mode 100644
index 000000000..9a9e1a288
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-src-3_4={{$id:uuid()}}; Path=/content-security-policy/style-src/
+Content-Security-Policy: style-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/alert-pass.js b/testing/web-platform/tests/content-security-policy/support/alert-pass.js
new file mode 100644
index 000000000..d3f811ec1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/alert-pass.js
@@ -0,0 +1 @@
+alert_assert("PASS"); \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js b/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js
new file mode 100644
index 000000000..ee9e54ea7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js
@@ -0,0 +1,43 @@
+// note, this template substitution is XSS, but no way to avoid it in this framework
+var expected_alerts = {{GET[alerts]}};
+var timeout= "{{GET[timeout]}}";
+if (timeout == "") {
+ timeout = 2;
+}
+
+if(expected_alerts.length == 0) {
+ function alert_assert(msg) {
+ test(function () { assert_unreached(msg) });
+ }
+} else {
+ var t_alert = async_test('Expecting alerts: {{GET[alerts]}}');
+ step_timeout(function() {
+ if(t_alert.phase != t_alert.phases.COMPLETE) {
+ t_alert.step(function() { assert_unreached('Alert timeout, expected alerts ' + expected_alerts + ' not fired.') });
+ t_alert.done();
+ }
+ }, timeout * 1000);
+ var alert_assert = function (msg) {
+ t_alert.step(function () {
+ if(msg && msg instanceof Error) {
+ msg = msg.message;
+ }
+ if (msg && msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }.bind(this);
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js b/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js
new file mode 100644
index 000000000..803dc06d5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js
@@ -0,0 +1,84 @@
+(function () {
+
+ // Get values from the substitution engine.
+ // We can't just pull these from the document context
+ // because this script is intended to be transcluded into
+ // another document, and we want the GET values used to request it,
+ // not the values for the including document
+
+ // XXX these are unencoded, so there's an unavoidable
+ // injection vulnerability in constructing this file...
+ // need to upgrade the template engine.
+ var reportField = "{{GET[reportField]}}";
+ var reportValue = "{{GET[reportValue]}}";
+ var reportExists = "{{GET[reportExists]}}";
+ var noCookies = "{{GET[noCookies]}}";
+
+ var location = window.location;
+ var thisTestName = location.pathname.split('/')[location.pathname.split('/').length - 1].split('.')[0];
+
+ var reportID = "";
+
+ var cookies = document.cookie.split(';');
+ for (var i = 0; i < cookies.length; i++) {
+ var cookieName = cookies[i].split('=')[0].trim();
+ var cookieValue = cookies[i].split('=')[1].trim();
+
+ if (cookieName == thisTestName) {
+ reportID = cookieValue;
+ var cookieToDelete = cookieName + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1);
+ document.cookie = cookieToDelete;
+ break;
+ }
+ }
+
+ var timeout = document.querySelector("meta[name=timeout][content=long]") ? 50 : 5;
+ var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=take&timeout=" + timeout + "&reportID=" + reportID;
+
+ var reportTest = async_test("Violation report status OK.");
+ reportTest.step(function () {
+
+ var report = new XMLHttpRequest();
+ report.onload = reportTest.step_func(function () {
+
+ var data = JSON.parse(report.responseText);
+
+ if (data.error) {
+ assert_equals("false", reportExists, data.error);
+ } else {
+ if(reportExists != "" && reportExists == "false" && data["csp-report"]) {
+ assert_unreached("CSP report sent, but not expecting one: " + JSON.stringify(data["csp-report"]));
+ }
+ // Firefox expands 'self' or origins in a policy to the actual origin value
+ // so "www.example.com" becomes "http://www.example.com:80".
+ // Accomodate this by just testing that the correct directive name
+ // is reported, not the details...
+
+ if(data["csp-report"] != undefined && data["csp-report"][reportField] != undefined) {
+ assert_true(data["csp-report"][reportField].indexOf(reportValue.split(" ")[0]) != -1,
+ reportField + " value of \"" + data["csp-report"][reportField] + "\" did not match " +
+ reportValue.split(" ")[0] + ".");
+ }
+ }
+
+ reportTest.done();
+ });
+
+ report.open("GET", reportLocation, true);
+ report.send();
+ });
+
+ if (noCookies) {
+ var cookieTest = async_test("No cookies sent with report.");
+ var cookieReport = new XMLHttpRequest();
+ cookieReport.onload = cookieTest.step_func(function () {
+ var data = JSON.parse(cookieReport.responseText);
+ assert_equals(data.reportCookies, "None");
+ cookieTest.done();
+ });
+ var cReportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=cookies&timeout=" + timeout + "&reportID=" + reportID;
+ cookieReport.open("GET", cReportLocation, true);
+ cookieReport.send();
+ };
+
+})();
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.asis b/testing/web-platform/tests/content-security-policy/support/fail.asis
new file mode 100644
index 000000000..96196615b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.asis
@@ -0,0 +1,5 @@
+HTTP/1.1 200 OK
+Content-Type: text/plain
+Access-Control-Allow-Origin: *
+
+FAIL \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.js b/testing/web-platform/tests/content-security-policy/support/fail.js
new file mode 100644
index 000000000..9632567a6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.js
@@ -0,0 +1 @@
+test(function() { assert_unreached("FAIL")}); \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.png b/testing/web-platform/tests/content-security-policy/support/fail.png
new file mode 100644
index 000000000..b59338033
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.png
Binary files differ
diff --git a/testing/web-platform/tests/content-security-policy/support/inject-image.js b/testing/web-platform/tests/content-security-policy/support/inject-image.js
new file mode 100644
index 000000000..cc5b60079
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/inject-image.js
@@ -0,0 +1,5 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/content-security-policy/support/fail.png';
+document.body.appendChild(i);
+log("TEST COMPLETE"); \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/logTest.sub.js b/testing/web-platform/tests/content-security-policy/support/logTest.sub.js
new file mode 100644
index 000000000..f712252ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/logTest.sub.js
@@ -0,0 +1,41 @@
+// note, this template substitution is XSS, but no way to avoid it in this framework
+var expected_logs = {{GET[logs]}};
+var timeout = "{{GET[timeout]}}";
+if (timeout == "") {
+ timeout = 2;
+}
+
+if (expected_logs.length == 0) {
+ function log_assert(msg) {
+ test(function () { assert_unreached(msg) });
+ }
+} else {
+ var t_log = async_test('Expecting logs: {{GET[logs]}}');
+ step_timeout(function() {
+ if(t_log.phase != t_log.phases.COMPLETE){
+ t_log.step(function () { assert_unreached('Logging timeout, expected logs ' + expected_logs + ' not sent.') });
+ t_log.done();
+ }
+ }, timeout * 1000);
+ function log(msg) {
+ //cons/**/ole.log(msg);
+ t_log.step(function () {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_log.done();
+ }
+ for (var i = 0; i < expected_logs.length; i++) {
+ if (expected_logs[i] == msg) {
+ assert_true(expected_logs[i] == msg);
+ expected_logs.splice(i, 1);
+ if (expected_logs.length == 0) {
+ t_log.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected log: ' + msg);
+ t_log.done();
+ });
+ }
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/media/flash.swf b/testing/web-platform/tests/content-security-policy/support/media/flash.swf
new file mode 100644
index 000000000..80bf47e20
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/media/flash.swf
Binary files differ
diff --git a/testing/web-platform/tests/content-security-policy/support/pass.png b/testing/web-platform/tests/content-security-policy/support/pass.png
new file mode 100644
index 000000000..2fa1e0ac0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/pass.png
Binary files differ
diff --git a/testing/web-platform/tests/content-security-policy/support/report.py b/testing/web-platform/tests/content-security-policy/support/report.py
new file mode 100644
index 000000000..193315fa0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/report.py
@@ -0,0 +1,34 @@
+import time
+import json
+import re
+
+def main(request, response):
+ op = request.GET.first("op");
+ key = request.GET.first("reportID")
+
+ if op == "take":
+ timeout = float(request.GET.first("timeout"))
+ t0 = time.time()
+ while time.time() - t0 < timeout:
+ time.sleep(0.5)
+ value = request.server.stash.take(key=key)
+ if value is not None:
+ return [("Content-Type", "application/json")], value
+
+ return [("Content-Type", "application/json")], json.dumps({'error': 'No such report.' , 'guid' : key})
+
+ if op == "cookies":
+ cval = request.server.stash.take(key=re.sub('^...', 'ccc', key))
+ if cval is None:
+ cval = "\"None\""
+
+ return [("Content-Type", "application/json")], "{ \"reportCookies\" : " + cval + "}"
+
+ if hasattr(request, 'Cookies'):
+ request.server.stash.put(key=re.sub('^...', 'ccc', key), value=request.Cookies)
+
+ report = request.body
+ report.rstrip()
+ request.server.stash.take(key=key)
+ request.server.stash.put(key=key, value=report)
+ return [("Content-Type", "text/plain")], "Recorded report " + report
diff --git a/testing/web-platform/tests/content-security-policy/support/siblingPath.js b/testing/web-platform/tests/content-security-policy/support/siblingPath.js
new file mode 100644
index 000000000..f4012f04d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/siblingPath.js
@@ -0,0 +1,5 @@
+ buildSiblingPath = function(hostPrefix, relativePath, newPort) {
+ var port = newPort ? newPort : document.location.port;
+ var path = document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1);
+ return (document.location.protocol + '//' + hostPrefix + "." + document.location.hostname + ':' + port + path + relativePath);
+}; \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
new file mode 100644
index 000000000..99b416b5e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+ <desc>using SVG as a resource doc should apply this doc's CSP</desc>
+
+ <use xlink:href="scripted.svg#postmessagescript" />
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
new file mode 100644
index 000000000..0f3f281d9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: including={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
new file mode 100644
index 000000000..a8aca4e30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
@@ -0,0 +1,20 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+ <desc>Example script01 - redirect</desc>
+
+ <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+ location = "/content-security-policy/blink-contrib/resources/postmessage-fail.html";
+ ]]> </script>
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
new file mode 100644
index 000000000..0e90e147a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripted={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
new file mode 100644
index 000000000..b565e94a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-from-guid</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ log("TEST COMPLETE");
+ }, 1);
+ });
+ </script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <!--
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+ <desc>Example script01 - redirect</desc>
+
+ <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+ location = "/content-security-policy/blink-contrib/resources/postmessage-fail.html";
+ ]]> </script>
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
+ -->
+ <iframe name="test_target" id="test_iframe" src="data:image/svg+xml;charset=utf-8;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pg0KPCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIg0KICAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj4NCjxzdmcgd2lkdGg9IjZjbSIgaGVpZ2h0PSI1Y20iIHZpZXdCb3g9IjAgMCA2MDAgNTAwIg0KICAgICB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZlcnNpb249IjEuMSI+DQogIDxkZXNjPkV4YW1wbGUgc2NyaXB0MDEgLSByZWRpcmVjdDwvZGVzYz4NCg0KICA8c2NyaXB0IGlkPSJwb3N0bWVzc2FnZXNjcmlwdCIgdHlwZT0iYXBwbGljYXRpb24vZWNtYXNjcmlwdCI+IDwhW0NEQVRBWw0KICAgIGxvY2F0aW9uID0gIi9jb250ZW50LXNlY3VyaXR5LXBvbGljeS9ibGluay1jb250cmliL3Jlc291cmNlcy9wb3N0bWVzc2FnZS1mYWlsLmh0bWwiOw0KICBdXT4gPC9zY3JpcHQ+DQoNCiAgPGNpcmNsZSBjeD0iMzAwIiBjeT0iMjI1IiByPSIxMDAiIGZpbGw9Imxhd25ncmVlbiIvPg0KDQogIDx0ZXh0IHg9IjMwMCIgeT0iMjUwIg0KICAgICAgICBmb250LWZhbWlseT0iVmVyZGFuYSINCiAgICAgICAgZm9udC1zaXplPSI1MCINCiAgICAgICAgdGV4dC1hbmNob3I9Im1pZGRsZSI+DQogICAgICBQQVNTDQogICAgPC90ZXh0Pg0KPC9zdmc+"></iframe>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
new file mode 100644
index 000000000..7beb295f1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-policy-with-resource</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <div id="log"></div>
+ <?xml version="1.0" standalone="no"?>
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+
+ <script type="application/ecmascript"
+ xlink:href="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/.js">
+ </script>
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html.sub.headers
new file mode 100644
index 000000000..a846c4b16
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: svg-inline={{$id:uuid()}}; Path=/content-security-policy/svg/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
new file mode 100644
index 000000000..3ca626240
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-policy-with-resource</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
new file mode 100644
index 000000000..88ba0b3e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-policy-with-resource</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+ <object type="image/svg+xml" data="scripted.svg"></object>
+ <div id="log"></div>
+</body>
+
+</html>