summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/blink-contrib
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/blink-contrib')
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html51
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis60
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html39
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html45
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html10
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html62
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html59
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html63
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html66
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html19
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html17
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html32
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html128
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html9
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html9
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html14
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html39
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html7
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js12
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js2
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js7
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js21
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js21
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers1
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html49
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html50
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html49
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html38
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html65
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html38
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.pngbin0 -> 2840 bytes
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.pngbin0 -> 2840 bytes
220 files changed, 3691 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
new file mode 100644
index 000000000..912a29e0b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.
+ </p>
+ <script>
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;%20&apos;unsafe-inline&apos;%20&apos;&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 000000000..cbfc8d4e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
new file mode 100644
index 000000000..819c1a699
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-match-blob</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' blob:; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified.
+ </p>
+ <script>
+ function pass() {
+ log("PASS (1/1)");
+ }
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..be74e61a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' blob:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
new file mode 100644
index 000000000..66b86f195
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-header-and-meta-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+<p>Test passes if both style and image are blocked and a report is generated for the
+ style block from the header-supplied policy.</p>
+
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
new file mode 100644
index 000000000..b1f0e7f01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-header-and-meta-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
new file mode 100644
index 000000000..a14be5cd9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
@@ -0,0 +1,60 @@
+HTTP/1.1 200 OK
+Content-Type: text/html
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a
+Content-Security-Policy: img-src 'none'
+
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-multiple-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+ This test checks that we enforce all the supplied policies. This test passe if it doesn&apos;t alert fail and if the style doesn&apos;t apply.
+ Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
new file mode 100644
index 000000000..2beb00d02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ try {
+ var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..bd3eda40a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
new file mode 100644
index 000000000..f68d3c384
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ try {
+ var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..69ded8da7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..3d03100e3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p>
+ <p>Verify that a CSP connect-src directive blocks redirects.</p>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ var t = async_test();
+ t.set_status(t.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t.phase = t.phases.HAS_RESULT;
+ t.done();
+ } else {
+ navigator.sendBeacon(
+ "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png",
+ "ping");
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..2c69d0dc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
new file mode 100644
index 000000000..b3a65f1c1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..eff5c546a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
new file mode 100644
index 000000000..5be570c46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ // Firefox doesn't throw an exception and takes some time to close async
+ if (es.readyState == EventSource.CONNECTING) {
+ setTimeout( function() {
+ es.readyState != EventSource.CLOSED ? log("Fail") : log("Pass");
+ }, 2);
+ } else if (es.readyState == EventSource.CLOSED) {
+ log("Pass");
+ } else {
+ log("Fail");
+ }
+
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac37816a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..a3ba4bad0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ var es;
+ try {
+ es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ } catch (e) {
+ log("FAIL " + "EventSource() should not throw an exception.");
+ }
+ es.onload = function() {
+ log("FAIL " + "EventSource() should fail to follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ es.onerror = function() {
+ log("PASS " + "EventSource() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c63c8a9de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
new file mode 100644
index 000000000..4e8499bd4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://127.0.0.1:8880/echo");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..707435174
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
new file mode 100644
index 000000000..68f86dec6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://localhost:8880/echo");
+ log("Fail");
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20ws://127.0.0.1:8880"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..69036f5bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
new file mode 100644
index 000000000..a2ad12186
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://{{host}}:{{ports[http][0]}}/xmlhttprequest/resources/get.txt", true);
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..dbabcad7a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
new file mode 100644
index 000000000..014bb21ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
+ xhr.send();
+ xhr.onload = function() {
+ log("Fail");
+ }
+ xhr.onerror = function() {
+ log("Pass");
+ }
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..d338034cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..6fc0769b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script id="inject_here"></script>
+</head>
+
+<body>
+ <script>
+ var xhr = new XMLHttpRequest;
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ } catch (e) {
+ log("FAIL " + "XMLHttpRequest.open() should not throw an exception.");
+ }
+ xhr.onload = function() {
+ //cons/**/ole.log(xhr.responseText);
+ if(xhr.responseText == "FAIL") {
+ log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+ } else {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ }
+ log("TEST COMPLETE");
+ };
+ xhr.onerror = function() {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ xhr.send();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..452104ecd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
new file mode 100644
index 000000000..f5859087a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src 'self' about: 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body onload="alert_assert(&apos;PASS 2 of 2&apos;)">
+ <script>
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <!--iframe src="javascript:alert_assert(&apos;PASS 2 of 3&apos;)"></iframe-->
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..f223f0661
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self' about: 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
new file mode 100644
index 000000000..ad66a9d1f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+default-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if the inline scripts don't create failing tests and a CSP report is sent.
+ <script>
+ test(function() {
+ assert_unreached('FAIL inline script ran')
+ });
+
+ </script>
+ <script src="resources/document-write-alert-fail.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=default-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..63ea706f9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
new file mode 100644
index 000000000..4336b729b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>duplicate-directive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';
+-->
+
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of duplicated directives. It passes if the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
new file mode 100644
index 000000000..eefd7197f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: duplicate-directive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
new file mode 100644
index 000000000..88da806a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ eval("alert_assert('PASS (1 of 2)')");
+
+ </script>
+ <script>
+ window.eval("alert_assert('PASS (2 of 2)')");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..6bf55a116
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 000000000..599b01c31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked-and-sends-report</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=eval-blocked-and-sends-report.html; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL')");
+ } catch (e) {
+ log('PASS: eval() blocked.');
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
new file mode 100644
index 000000000..f197e41de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
new file mode 100644
index 000000000..449f9d192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
@@ -0,0 +1,10 @@
+
+<iframe src="about:blank"></iframe>
+Eval should be blocked in the iframe, but inline script should be allowed.
+<script>
+ window.onload = function() {
+ frames[0].log("<script>alert_assert(/PASS/); eval('alert_assert(/FAIL/);');<\/script>");
+ frames[0].document.close();
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
new file mode 100644
index 000000000..224f25ba7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-in-about-blank-iframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html
new file mode 100644
index 000000000..229667e7d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <script>
+ try {
+ window.eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..124f56bfa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 000000000..66fa95d31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id_string = setInterval("clearInterval(id_string); alert_assert('PASS 1 of 2')", 0);
+if (id_string == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id_string);
+var id_function = setInterval(function() {
+ clearInterval(id_function);
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id_function == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id_function);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..f13ba4c64
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 000000000..45d873c80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setInterval("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+var id = setInterval(function() {
+ clearInterval(id);
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..1bd6b636d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 000000000..9b2e595e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('PASS 1 of 2')", 0);
+if (id == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..4d664d600
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 000000000..72ed2ce1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..81537fe3e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
new file mode 100644
index 000000000..f9e814a1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content..
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log = async_test();
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('fail.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;%20&apos;unsafe-inline&apos;%20&apos;*&apos;"
+ document.lastChild.appendChild(s);
+ }
+
+
+ </script>
+ <div id="log"></div>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 000000000..a68e2a3df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
new file mode 100644
index 000000000..99e8592e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-match-filesystem</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function pass() {
+ log("PASS (1/1)");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('pass.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=false"
+ document.lastChild.appendChild(s);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
new file mode 100644
index 000000000..f9956ede8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-match-filesystem={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 000000000..a363ce911
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-default</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>These frames should not be blocked by Content-Security-Policy.
+ It&apos;s pointless to block about:blank iframes because
+ blocking a frame just results in displaying about:blank anyway!
+ </p>
+ <iframe src="about:blank"></iframe>
+ <object type="text/html" data="about:blank"></object>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
new file mode 100644
index 000000000..ba1169956
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 000000000..e4c47392c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-scheme</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>This frame should not be blocked by Content-Security-Policy.
+ </p>
+ <iframe src="about:blank"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
new file mode 100644
index 000000000..e23b82a93
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
new file mode 100644
index 000000000..1d34679c8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>frame-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ This iframe should be allowed.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..05247b402
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
new file mode 100644
index 000000000..fe7555aeb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=frame-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..bd0e6d17f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
new file mode 100644
index 000000000..5238e7c0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-cross-origin-load</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
+ var expected_alerts = ["PASS", "PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_alert.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=frame-src%20&apos;self&apos;http://www1.{{host}}:{{ports[http][0]}}"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
new file mode 100644
index 000000000..0970bbebf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
new file mode 100644
index 000000000..92cd088c5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ (new Function("alert_assert('PASS')"))();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..dd80ebacc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
new file mode 100644
index 000000000..be0c57477
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ (new Function("alert_assert('FAIL')"))();
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..eb7da39cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html
new file mode 100644
index 000000000..8bacdd305
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<script>
+ {}
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..b7d557b52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://localhost; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
new file mode 100644
index 000000000..978f25f63
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<script>
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c4dc69985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
new file mode 100644
index 000000000..f3d1e1424
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/sandboxed-eval.php"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
new file mode 100644
index 000000000..2cb1c7214
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: iframe-inside-csp={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html
new file mode 100644
index 000000000..c087692db
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="../support/pass.png" onload="alert_assert(this.width == 168 ? 'PASS' : 'FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3b85fc689
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html
new file mode 100644
index 000000000..e572070ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn&apos;t alert FAIL and does alert PASS.
+ <img src="../support/pass.png" onload='alert_assert("FAIL")' onerror='alert_assert("PASS")'>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c58bb88bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
new file mode 100644
index 000000000..6482654cd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-full-host-wildcard-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/pass.png" onload="alert_assert(this.width == 168 ? 'PASS' : 'FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..0f384f093
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-full-host-wildcard-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
new file mode 100644
index 000000000..8ec6fe433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Pass 1 of 2","Pass 2 of 2"]'></script>
+ <!-- enforcing policy:
+ script-src 'self' 'unsafe-inline'; connect-src 'self';
+ -->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7f3453924
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
new file mode 100644
index 000000000..bee3f9abd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e90dec673
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
new file mode 100644
index 000000000..f52289e49
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: 2 stylesheets on the page."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ FAIL 1/2
+ </div>
+ <div id="test2">
+ FAIL 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ if (document.styleSheets.length === 2)
+ log("PASS: 2 stylesheets on the page.");
+ else
+ document.write("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..8a48dc248
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
new file mode 100644
index 000000000..1ed46cb65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ PASS 1/2
+ </div>
+ <div id="test2">
+ PASS 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ log(document.styleSheets.length == 0 ? "PASS" : "FAIL");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..d3f0a5efb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
new file mode 100644
index 000000000..efb5043ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
@@ -0,0 +1,128 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed-while-cloning-objects</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.onload = function() {
+ window.nodes = document.getElementById('nodes');
+ window.node1 = document.getElementById('node1');
+ window.node1.style.background = "yellow";
+ window.node1.style.color = "red";
+ window.node2 = document.getElementById('node1').cloneNode(true);
+ window.node2.id = "node2";
+ window.node3 = document.getElementById('node3');
+ window.node3.style.background = "blue";
+ window.node3.style.color = "green";
+ window.node4 = document.getElementById('node3').cloneNode(false);
+ window.node4.id = "node4";
+ window.node4.innerHTML = "Node #4";
+ nodes.appendChild(node1);
+ nodes.appendChild(node2);
+ nodes.appendChild(node3);
+ nodes.appendChild(node4);
+ test(function() {
+ assert_equals(node1.style.background.match(/yellow/)[0], "yellow")
+ });
+ test(function() {
+ assert_equals(node2.style.background.match(/yellow/)[0], "yellow")
+ });
+ test(function() {
+ assert_equals(node3.style.background.match(/blue/)[0], "blue")
+ });
+ test(function() {
+ assert_equals(node4.style.background.match(/blue/)[0], "blue")
+ });
+ test(function() {
+ assert_equals(node1.style.color, "red")
+ });
+ test(function() {
+ assert_equals(node2.style.color, "red")
+ });
+ test(function() {
+ assert_equals(node3.style.color, "green")
+ });
+ test(function() {
+ assert_equals(node4.style.color, "green")
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node1).background, window.getComputedStyle(node2).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node3).background, window.getComputedStyle(node4).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node1).color, window.getComputedStyle(node2).color)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node3).color, window.getComputedStyle(node4).color)
+ });
+ window.ops = document.getElementById('ops');
+ ops.style.color = 'red';
+ window.clonedOps = ops.cloneNode(true);
+ window.violetOps = document.getElementById('violetOps');
+ violetOps.style.background = 'rgb(238, 130, 238)';
+ document.getElementsByTagName('body')[0].appendChild(clonedOps);
+ test(function() {
+ assert_equals(ops.style.background, "")
+ });
+ test(function() {
+ assert_equals(ops.style.color, "red")
+ });
+ test(function() {
+ assert_equals(clonedOps.style.background, "")
+ });
+ test(function() {
+ assert_equals(violetOps.style.background.match(/rgb\(238, 130, 238\)/)[0], "rgb(238, 130, 238)")
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(ops).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).color, window.getComputedStyle(ops).color)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(ops).background, window.getComputedStyle(violetOps).background)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(violetOps).background)
+ });
+ test(function() {
+ assert_equals(ops.id, "ops")
+ });
+ test(function() {
+ assert_equals(ops.id, clonedOps.id)
+ });
+ };
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This test ensures that styles can be set by object.cloneNode()
+ </p>
+ <div id="nodes">
+ This is a div (nodes)
+ <div id="node1"> This is a div. (node 1 or 2)</div>
+ <div id="node3"> This is a div. (node 3 or 4)</div>
+ </div>
+ <div id="ops" style="background: rgb(238, 130, 238)">
+ Yet another div.
+ </div>
+ <div id="violetOps">
+ Yet another div.
+ </div>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers
new file mode 100644
index 000000000..963fa1751
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed-while-cloning-objects={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html
new file mode 100644
index 000000000..bf5ac125d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..8ff58f55f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
new file mode 100644
index 000000000..ab446040a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7d765e2b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
new file mode 100644
index 000000000..90efe9fe7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..0b1ec14c1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
new file mode 100644
index 000000000..b002af987
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html style="background-color: blue;">
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="style-src 'self'">
+ <title>inline-style-attribute-on-html</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element.
+ </p>
+ <script>
+ log(document.documentElement.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
new file mode 100644
index 000000000..66bf93faa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-on-html={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
new file mode 100644
index 000000000..3f7756e44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..0b8306326
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
new file mode 100644
index 000000000..fe6d2b1c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3fbdc7337
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src *; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
new file mode 100644
index 000000000..fe6d2b1c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..4d6e5e395
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
new file mode 100644
index 000000000..4cb4002d9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
@@ -0,0 +1,14 @@
+<video></video>
+<script src="../../../media-resources/media-file.js"></script>
+<script src="../../../media-resources/video-test.js"></script>
+<script>
+ waitForEvent('loadedmetadata', function() {
+ alert_assert('PASS');
+ endTestLater();
+ });
+ // Find a supported media file.
+ var mediaFile = findMediaFile("video", "content/test");
+ var mimeType = mimeTypeForFile(mediaFile);
+ video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000";
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..b0401f7c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html
new file mode 100644
index 000000000..57c8d5f65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html
@@ -0,0 +1,15 @@
+<video></video>
+<script src="../../../media-resources/media-file.js"></script>
+<script src="../../../media-resources/video-test.js"></script>
+<p>This test passes if it doesn&apos;t alert failure.</p>
+<script>
+ waitForEvent('loadedmetadata', function() {
+ alert_assert('FAIL');
+ });
+ addEventListener('load', endTestLater, false);
+ // Find a supported media file.
+ var mediaFile = findMediaFile("video", "content/test");
+ var mimeType = mimeTypeForFile(mediaFile);
+ video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000";
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..86c56953d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html
new file mode 100644
index 000000000..c8036ce17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html
@@ -0,0 +1,39 @@
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>media-src-track-block</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ function loaded() {
+ alert_assert("FAIL");
+ }
+
+ function errored() {
+ alert_assert("PASS");
+ }
+
+ function start() {
+ var track = document.querySelector('track');
+ track.track.mode = "hidden";
+ track.setAttribute('src', 'resources/track.vtt');
+ }
+
+ </script>
+</head>
+
+<body onload="start()">
+ <video>
+ <track kind="captions" onload="loaded()" onerror="errored()">
+ </video>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=media-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
new file mode 100644
index 000000000..85c496e74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-track-block={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
new file mode 100644
index 000000000..358b7af1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-in-svg-foreignobject</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test ensures that objects inside SVG foreignobject elements are beholden to the same policy as the rest of the document. This test passes if there i a CSP violation saying the plugin was blocked.</p>
+ <svg>
+ <foreignobject>
+ <object xmlns="http://www.w3.org/1999/xhtml" data="/plugins/resources/mock-plugin.pl">
+ </object>
+ </foreignobject>
+ </svg>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
new file mode 100644
index 000000000..a196a1558
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-in-svg-foreignobject={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
new file mode 100644
index 000000000..d77027840
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="archive.jar" codebase="/plugins/codebase/" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
new file mode 100644
index 000000000..0b71a188b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
new file mode 100644
index 000000000..69c71986e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="/plugins/archive.jar" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
new file mode 100644
index 000000000..4bd5ec149
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
new file mode 100644
index 000000000..6121dad56
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-code-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="code.class" codebase="/plugins/codebase/"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
new file mode 100644
index 000000000..1ced1a8e2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
new file mode 100644
index 000000000..af598bfd1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-code</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="/plugins/code.class"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
new file mode 100644
index 000000000..44bd725f8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
new file mode 100644
index 000000000..2e2bef25d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn&apos;t a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3746103fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
new file mode 100644
index 000000000..ad3eebcae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..dba0ece70
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
new file mode 100644
index 000000000..dace2c417
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is no CSP violation saying the plugin was blocked.
+ <object data="/content-security-policy/support/pass.png"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..bce19c1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
new file mode 100644
index 000000000..4f12d747b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object data="/plugins/resources/mock-plugin.pl"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=object-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..1447fd0fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
new file mode 100644
index 000000000..a43e4be27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/alert-pass.html"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
new file mode 100644
index 000000000..ff37e37ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: policy-does-not-affect-child={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
new file mode 100644
index 000000000..dea8a87a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-blocked-data-uri</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-blocked-data-uri.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
new file mode 100644
index 000000000..8530a1cc4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
new file mode 100644
index 000000000..ed2cd2a74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;&amp;noCookies=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
new file mode 100644
index 000000000..5a7122975
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
new file mode 100644
index 000000000..cb001a220
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-disallowed-from-meta</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID=5ada7c32-1c46-4b79-a95f-af33fcf95f8e">
+</head>
+
+<body>
+ This image should be blocked, but should not show up in the violation report because meta policies MUST ignore report-uri.
+ <img src="../resources/abe.png" onerror="alert_assert('PASS')" onload="alert_assert('FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
new file mode 100644
index 000000000..4c620525a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-disallowed-from-meta=5ada7c32-1c46-4b79-a95f-af33fcf95f8e; Path=/content-security-policy/blink-contrib \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
new file mode 100644
index 000000000..e90cb066b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;&amp;noCookies=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
new file mode 100644
index 000000000..4655de254
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
new file mode 100644
index 000000000..cf3f72f1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-inline-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-inline-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ // This script block will trigger a violation report.
+ var i = document.createElement('img');
+ i.src = 'resources/abe.png';
+ document.body.appendChild(i);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
new file mode 100644
index 000000000..c37a9ff8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
new file mode 100644
index 000000000..790a75bda
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-image.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
new file mode 100644
index 000000000..ed6560118
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html
new file mode 100644
index 000000000..9ffb835f2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html
@@ -0,0 +1,6 @@
+<script src="resources/report-test.js"></script>
+<script>
+ // This script block will trigger a violation report.
+ alert_assert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
new file mode 100644
index 000000000..1416ea7f1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=report-uri.html; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html
new file mode 100644
index 000000000..c0fb8173d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html
@@ -0,0 +1,4 @@
+<script>
+ alert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html
new file mode 100644
index 000000000..50e753d0d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html
@@ -0,0 +1,4 @@
+<script>
+ alert('PASS');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css
new file mode 100644
index 000000000..54aeecc12
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css
@@ -0,0 +1,3 @@
+.target {
+ background-color: blue;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
new file mode 100644
index 000000000..5e78ca0da
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
@@ -0,0 +1 @@
+document.write("<script>test(function () { assert_unreached('FAIL inline script from document.write ran') });</script>");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
new file mode 100644
index 000000000..887f44f48
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
@@ -0,0 +1,7 @@
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php?test=generate-csp-report.html">
+<script>
+ // This script block will trigger a violation report.
+ alert('FAIL');
+
+</script>
+<script src="go-to-echo-report.js"></script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
new file mode 100644
index 000000000..e220f2a47
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
@@ -0,0 +1,12 @@
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.onload = function() {
+ var test = window.location.pathname.replace(/^.+\//, '');
+ var match = window.location.search.match(/^\?test=([^&]+)/);
+ if (match)
+ test = match[1];
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php?test=" + test;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js
new file mode 100644
index 000000000..1e1f93b39
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js
@@ -0,0 +1,4 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/security/resources/abe.png';
+document.body.appendChild(i);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js
new file mode 100644
index 000000000..155371985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>alert_assert('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "alert_assert('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js
new file mode 100644
index 000000000..532645a45
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js
@@ -0,0 +1,5 @@
+document.write("<style>#test1 { display: none; }</style>");
+
+var s = document.createElement('style');
+s.textContent = "#test2 { display: none; }";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js
new file mode 100644
index 000000000..69daa31d2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
new file mode 100644
index 000000000..a0308ad98
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('FAIL', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
new file mode 100644
index 000000000..700167b5d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('PASS', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js
new file mode 100644
index 000000000..54eaf530c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js
@@ -0,0 +1,2 @@
+var result = document.getElementById("result");
+result.firstChild.nodeValue = result.attributes.getNamedItem("text").value;
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
new file mode 100644
index 000000000..1d5fbba17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
@@ -0,0 +1 @@
+Set-Cookie: report-cookie=true \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none' \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
new file mode 100644
index 000000000..e467657bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
@@ -0,0 +1 @@
+data: hello
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
new file mode 100644
index 000000000..9bb8badca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
@@ -0,0 +1 @@
+Content-Type: text/event-stream
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
new file mode 100644
index 000000000..365e9ae15
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
@@ -0,0 +1 @@
+Subtitles!
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
new file mode 100644
index 000000000..9aa87129a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
new file mode 100644
index 000000000..03d9bf4cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
new file mode 100644
index 000000000..65ec6f446
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/blink-contrib/resources/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..22819d57a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none' \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
new file mode 100644
index 000000000..73359a39e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
new file mode 100644
index 000000000..a16827edd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
new file mode 100644
index 000000000..c755504b1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it does alert pass.
+<iframe src="data:text/html,&lt;script&gt;alert_assert(&apos;PASS&apos;);&lt;/script&gt;"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
new file mode 100644
index 000000000..4c7945728
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
new file mode 100644
index 000000000..3bdaa12ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it does alert pass.
+<script>
+ alert_assert('PASS');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
new file mode 100644
index 000000000..b6df57d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
new file mode 100644
index 000000000..5ddccfaa3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it doesn&apos;t alert fail.
+<iframe src="data:text/html,&lt;script&gt;alert_assert(&apos;FAIL&apos;);&lt;/script&gt;"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
new file mode 100644
index 000000000..5287112d6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
new file mode 100644
index 000000000..4e04e9875
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it doesn&apos;t alert fail.
+<script>
+ alert_assert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
new file mode 100644
index 000000000..f7d31c959
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
new file mode 100644
index 000000000..cf4aab201
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>script-src-overrides-default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src about:; script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body onload="alert_assert(&apos;PASS 2 of 2&apos;)">
+ <script>
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..5d3456433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-overrides-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
new file mode 100644
index 000000000..5f388622c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of 'self'
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ alert_assert('TEST COMPLETE');
+ event.preventDefault();
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..05843484b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: self-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
new file mode 100644
index 000000000..17da111a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>shared-worker-connect-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr allowed","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <script>
+ if(typeof SharedWorker != 'function') {
+ t_alert.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test.");
+ t_alert.phase = t_alert.phases.HAS_RESULT;
+ t_alert.done();
+ } else {
+ try {
+ var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js');
+ worker.port.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..eefff95c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
new file mode 100644
index 000000000..63225bf27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>shared-worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src *; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <p>This test loads a shared worker, delivered with its own
+ policy. The worker should be blocked from making an XHR
+ as that policy specifies a connect-src 'none', though
+ this resource's policy is connect-src *. No report
+ should be sent since the worker's policy doesn't specify
+ a report-uri.</p>
+ <script>
+ if(typeof SharedWorker != 'function') {
+ t_alert.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test.");
+ t_alert.phase = t_alert.phases.HAS_RESULT;
+ t_alert.done();
+ } else {
+ try {
+ var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js');
+ worker.port.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..bb4fb4c90
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html
new file mode 100644
index 000000000..b60eccb9b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>source-list-parsing-paths-03</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test passes if the source expression does not throw an &quot;invalid source&quot; error.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
new file mode 100644
index 000000000..58e7a22df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: source-list-parsing-paths-03={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 000000000..50b76688f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>srcdoc-doesnt-bypass-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/alertAssert.sub.js?alerts=%5B%5D"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn&apos;t alert fail.
+ <iframe srcdoc="&lt;script&gt;window.parent.alert_assert(&apos;FAIL&apos;)&lt;/script&gt;"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers
new file mode 100644
index 000000000..e2ffd1185
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: srcdoc-doesnt-bypass-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html
new file mode 100644
index 000000000..fac12b52a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *;
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of *
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ event.preventDefault();
+ alert_assert('TEST COMPLETE');
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=child-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..9f7db5b0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: star-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html
new file mode 100644
index 000000000..176a8e3ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+ <script>
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..cdf394548
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html
new file mode 100644
index 000000000..847e05b6a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..54c3272a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
new file mode 100644
index 000000000..923149199
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr allowed"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..92ef91f0d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html
new file mode 100644
index 000000000..054132290
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src *; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+<p>This test loads a worker, which is delivered with its own
+ policy. The worker should be blocked from making an XHR
+ as that policy specifies a connect-src 'none', though
+ this resource's policy is connect-src *. No report
+ should be sent since the worker's policy doesn't specify
+ a report-uri.</p>
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e302aa84a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
new file mode 100644
index 000000000..ac96e0f4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["eval blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The eval() call in the worker should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-eval.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..8964f80ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
new file mode 100644
index 000000000..b290b82f6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline' blob:;
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from making an XHR
+ to www1 as this resource's policy is connect-src 'self
+ and a guid Worker should inherit is parent's policy.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "var xhr = new XMLHttpRequest;" +
+ "xhr.onerror = function () {" +
+ " postMessage('xhr blocked');" +
+ " postMessage('TEST COMPLETE');" +
+ "};" +
+ "xhr.onload = function () {" +
+ " if (xhr.responseText == 'FAIL') {" +
+ " postMessage('xhr allowed');" +
+ " } else {" +
+ " postMessage('xhr blocked');" +
+ " }" +
+ " postMessage('TEST COMPLETE');" +
+ "};" +
+ "try { " +
+ " xhr.open(" +
+ " 'GET'," +
+ " 'http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis'," +
+ " true" +
+ " );" +
+ " xhr.send();" +
+ "} catch (e) {" +
+ " postMessage('xhr blocked');" +
+ " postMessage('TEST COMPLETE');" +
+ "}"],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=connect-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
new file mode 100644
index 000000000..d94d31ace
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-from-guid={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
new file mode 100644
index 000000000..1db574780
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-function-function-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Function() function blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The Function constructor should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-function-function.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..b012518ec
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-function-function-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
new file mode 100644
index 000000000..9ec49c030
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-importscripts-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000; connect-src 'self';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var result = '';
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-importscripts.js');
+ worker.onmessage = function(event) {
+ result = event.data;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ };
+ } catch (e) {
+ result = e;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..04de51d14
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-importscripts-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html
new file mode 100644
index 000000000..9caf77224
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
+ foo.onmessage = function(event) {
+ alert_assert("PASS");
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
new file mode 100644
index 000000000..76e5a3ba2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
new file mode 100644
index 000000000..119121ca5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-set-timeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-set-timeout.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..fb6b3d0a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-set-timeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
new file mode 100644
index 000000000..b5daa8555
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
Binary files differ
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
new file mode 100644
index 000000000..b5daa8555
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
Binary files differ