From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin" <mattatobin@localhost.localdomain>
Date: Fri, 2 Feb 2018 04:16:08 -0500
Subject: Add m-esr52 at 52.6.0

---
 .../blink-contrib-2/allowed.css                    |  3 +
 .../blink-contrib-2/base-uri-allow.sub.html        | 36 ++++++++++
 .../base-uri-allow.sub.html.sub.headers            |  6 ++
 .../blink-contrib-2/base-uri-deny.sub.html         | 33 ++++++++++
 .../base-uri-deny.sub.html.sub.headers             |  6 ++
 .../form-action-src-allowed.sub.html               | 40 +++++++++++
 .../form-action-src-allowed.sub.html.sub.headers   |  6 ++
 .../form-action-src-blocked.sub.html               | 40 +++++++++++
 .../form-action-src-blocked.sub.html.sub.headers   |  6 ++
 .../form-action-src-default-ignored.sub.html       | 40 +++++++++++
 ...action-src-default-ignored.sub.html.sub.headers |  6 ++
 .../form-action-src-get-allowed.sub.html           | 42 ++++++++++++
 ...orm-action-src-get-allowed.sub.html.sub.headers |  6 ++
 .../form-action-src-get-blocked.sub.html           | 43 ++++++++++++
 ...orm-action-src-get-blocked.sub.html.sub.headers |  6 ++
 .../form-action-src-javascript-blocked.sub.html    | 34 ++++++++++
 ...ion-src-javascript-blocked.sub.html.sub.headers |  6 ++
 .../form-action-src-redirect-blocked.sub.html      | 41 ++++++++++++
 ...ction-src-redirect-blocked.sub.html.sub.headers |  6 ++
 .../blink-contrib-2/meta-outside-head.sub.html     | 27 ++++++++
 .../meta-outside-head.sub.html.sub.headers         |  6 ++
 .../blink-contrib-2/metaHelper.js                  |  5 ++
 .../plugintypes-mismatched-data.sub.html           | 24 +++++++
 ...lugintypes-mismatched-data.sub.html.sub.headers |  6 ++
 .../plugintypes-mismatched-url.sub.html            | 24 +++++++
 ...plugintypes-mismatched-url.sub.html.sub.headers |  6 ++
 .../plugintypes-notype-data.sub.html               | 23 +++++++
 .../plugintypes-notype-data.sub.html.sub.headers   |  6 ++
 .../plugintypes-notype-url.sub.html                | 24 +++++++
 .../plugintypes-notype-url.sub.html.sub.headers    |  6 ++
 .../plugintypes-nourl-allowed.sub.html             | 23 +++++++
 .../plugintypes-nourl-allowed.sub.html.sub.headers |  6 ++
 .../plugintypes-nourl-blocked.sub.html             | 23 +++++++
 .../plugintypes-nourl-blocked.sub.html.sub.headers |  6 ++
 .../script-src-wildcards-disallowed.html           | 65 ++++++++++++++++++
 ...cript-src-wildcards-disallowed.html.sub.headers |  6 ++
 .../blink-contrib-2/scripthash-allowed.sub.html    | 42 ++++++++++++
 .../scripthash-allowed.sub.html.sub.headers        |  6 ++
 .../scripthash-basic-blocked.sub.html              | 69 +++++++++++++++++++
 .../scripthash-basic-blocked.sub.html.sub.headers  |  6 ++
 .../scripthash-default-src.sub.html                | 15 +++++
 .../scripthash-default-src.sub.html.sub.headers    |  6 ++
 .../scripthash-ignore-unsafeinline.sub.html        | 57 ++++++++++++++++
 ...pthash-ignore-unsafeinline.sub.html.sub.headers |  6 ++
 .../scripthash-unicode-normalization.sub.html      | 71 ++++++++++++++++++++
 ...hash-unicode-normalization.sub.html.sub.headers |  6 ++
 .../blink-contrib-2/scriptnonce-allowed.sub.html   | 64 ++++++++++++++++++
 .../scriptnonce-allowed.sub.html.sub.headers       |  6 ++
 .../scriptnonce-and-scripthash.sub.html            | 76 +++++++++++++++++++++
 ...scriptnonce-and-scripthash.sub.html.sub.headers |  6 ++
 .../scriptnonce-basic-blocked.sub.html             | 43 ++++++++++++
 .../scriptnonce-basic-blocked.sub.html.sub.headers |  6 ++
 .../scriptnonce-ignore-unsafeinline.sub.html       | 72 ++++++++++++++++++++
 ...tnonce-ignore-unsafeinline.sub.html.sub.headers |  6 ++
 .../blink-contrib-2/scriptnonce-redirect.sub.html  | 59 +++++++++++++++++
 .../scriptnonce-redirect.sub.html.sub.headers      |  6 ++
 ...n-block-cross-origin-image-from-script.sub.html | 27 ++++++++
 ...s-origin-image-from-script.sub.html.sub.headers |  6 ++
 ...licyviolation-block-cross-origin-image.sub.html | 29 ++++++++
 ...n-block-cross-origin-image.sub.html.sub.headers |  6 ++
 ...olicyviolation-block-image-from-script.sub.html | 29 ++++++++
 ...on-block-image-from-script.sub.html.sub.headers |  6 ++
 .../securitypolicyviolation-block-image.sub.html   | 34 ++++++++++
 ...olicyviolation-block-image.sub.html.sub.headers |  6 ++
 .../blink-contrib-2/stylehash-allowed.sub.html     | 77 ++++++++++++++++++++++
 .../stylehash-allowed.sub.html.sub.headers         |  6 ++
 .../stylehash-basic-blocked.sub.html               | 61 +++++++++++++++++
 .../stylehash-basic-blocked.sub.html.sub.headers   |  6 ++
 .../blink-contrib-2/stylehash-default-src.sub.html | 21 ++++++
 .../stylehash-default-src.sub.html.sub.headers     |  6 ++
 .../blink-contrib-2/stylenonce-allowed.sub.html    | 54 +++++++++++++++
 .../stylenonce-allowed.sub.html.sub.headers        |  6 ++
 .../blink-contrib-2/stylenonce-blocked.sub.html    | 38 +++++++++++
 .../stylenonce-blocked.sub.html.sub.headers        |  6 ++
 74 files changed, 1744 insertions(+)
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers

(limited to 'testing/web-platform/tests/content-security-policy/blink-contrib-2')

diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
new file mode 100644
index 000000000..ace543489
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
@@ -0,0 +1,3 @@
+#test {
+	color: green;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
new file mode 100644
index 000000000..143777407
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>base-uri-allow</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+    <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+    <script>
+        test(function() {
+            if ('{{ports[http][0]}}' == '80' ||
+               '{{ports[http][0]}}' == '443') {
+                assert_equals(document.baseURI, 'http://www1.{{host}}/');
+            } else {
+                assert_equals(document.baseURI, 'http://www1.{{host}}' + ':{{ports[http][0]}}/');
+            }
+
+            log("TEST COMPLETE")
+        });
+
+    </script>
+</head>
+
+<body>
+    <p>Check that base URIs can be set if they do not violate the page's policy.</p>
+    <div id="log"></div>
+    <script async defer src="./content-security-policy/support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
new file mode 100644
index 000000000..e749d7238
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-allow={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
new file mode 100644
index 000000000..f2b7c591e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>base-uri-deny</title>
+    <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS document.baseURI is document.location.href","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        var base = document.createElement('base');
+        base.href = 'http://www1.{{host}}:{{ports[http][0]}}/';
+        document.head.appendChild(base);
+        if (document.baseURI == document.location.href) {
+            log("PASS document.baseURI is document.location.href");
+            log("TEST COMPLETE");
+        }
+
+    </script>
+</head>
+
+<body>
+    <p>Check that base URIs cannot be set if they violate the page's policy.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=base-uri%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
new file mode 100644
index 000000000..0312c46d0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-deny={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
new file mode 100644
index 000000000..19cf6811c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that allowed form actions work correctly.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+    </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..88cbfda0e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
new file mode 100644
index 000000000..0960a8a02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+            }, 0);
+        });
+        setTimeout(function() {log("TEST COMPLETE");}, 1);
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+    <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-fail.html" id="theform" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that blocking form actions works correctly.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;"></script>
+
+    </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..29351c008
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
new file mode 100644
index 000000000..32823d680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-default-ignored</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; frame-src 'self';
+-->
+    <script>
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that default-src does not cascade to form-action.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
new file mode 100644
index 000000000..1abbcf50c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
new file mode 100644
index 000000000..a7d3e584b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+        <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-pass.html">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that allowed form actions work correctly
+        with GET and a redirect.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+    </body>
+
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..ac8761518
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
new file mode 100644
index 000000000..0910eb419
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+        <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-fail.html">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that disallowed form actions are blocked
+        with GET and redirects.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;
+"></script>
+    </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e7a044dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
new file mode 100644
index 000000000..c362ea6fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-javascript-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';
+-->
+    <script nonce='noncynonce'>
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+    </script>
+</head>
+
+<body>
+    <form action="javascript:alert_assert(&quot;FAIL!&quot;)" id="theform" method="post">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ffa2288c0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
new file mode 100644
index 000000000..e311817eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>form-action-src-redirect-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+        setTimeout(function() {}, 1000);
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form id="form1" action="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee767f4a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
new file mode 100644
index 000000000..41618d4ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>meta-outside-head</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'none'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+    <p>This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document&apos;s head.</p>
+    <script>
+        var aa = "PASS (1/1)";
+    </script>
+    <script src="metaHelper.js"></script>
+    <div id="log"></div>
+    <script src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
new file mode 100644
index 000000000..3cd335192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: meta-outside-head={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
new file mode 100644
index 000000000..9191a39c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
@@ -0,0 +1,5 @@
+if (typeof aa != 'undefined') {
+  alert_assert(aa);
+} else {
+  alert_assert("Failed - allowed inline script blocked by meta policy outside head.");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
new file mode 100644
index 000000000..fe3f95878
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>plugintypes-mismatched-data</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+    This tests that plugin content that doesn&apos;t match the declared type doesn&apos;t load, even if the document&apos;s CSP would allow it. This test passes if &quot;FAIL!&quot; isn&apos;t logged.
+    <object type="application/x-invalid-type" data="data:application/x-webkit-test-netscape,logifloaded" log="FAIL!"></object>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
new file mode 100644
index 000000000..4e5b31b2a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
new file mode 100644
index 000000000..bc60994ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>plugintypes-mismatched-url</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+    This tests that plugin content that doesn&apos;t match the declared type doesn&apos;t load, even if the document&apos;s CSP would allow it. This test passes if no iframe is dumped (meaning that no PluginDocument was created).
+    <object type="application/x-invalid-type" data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
new file mode 100644
index 000000000..38a7450ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
new file mode 100644
index 000000000..eb60d5d4c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>plugintypes-notype-data</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS: object tag onerror handler fired"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there&apos;s a CSP report and &quot;FAIL!&quot; isn&apos;t logged.
+    <object data="data:application/x-webkit-test-netscape" onload="log('FAIL');" onerror="log('PASS: object tag onerror handler fired');"></object>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types+application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
new file mode 100644
index 000000000..ea938378a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
new file mode 100644
index 000000000..e9918941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>plugintypes-notype-url</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+    Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there&apos;s an error report is sent.
+    <object data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types%20application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
new file mode 100644
index 000000000..ffe26cdf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
new file mode 100644
index 000000000..222d6500d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>plugintypes-nourl-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    This test passes if there isn&apos;t a CSP violation sayingthe plugin was blocked.
+    <object type="application/x-webkit-test-netscape"></object>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7fef2a5b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
new file mode 100644
index 000000000..b5cc5a5a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>plugintypes-nourl-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    This test passes if there is a CSP violation sayingthe plugin was blocked.
+    <object type="application/x-webkit-test-netscape"></object>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types%20text/plain"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..709bf90df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
new file mode 100644
index 000000000..2a94692ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>script-src disallowed wildcard use</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    </head>
+    <body>
+    <!-- enforcing policy:
+script-src 'nonce-nonce' *; connect-src 'self';
+-->
+    <script nonce="nonce">
+        var t1 = async_test('data: URIs should not match *');
+        t1.step(function() {
+            var script = document.createElement("script");
+            script.src = 'data:application/javascript,';
+            script.addEventListener('load', t1.step_func(function() {
+                assert_unreached('Should not successfully load data URI.');
+            }));
+            script.addEventListener('error', t1.step_func(function() {
+                t1.done();
+            }));
+            document.head.appendChild(script);
+        });
+
+        var t2 = async_test('blob: URIs should not match *');
+        t2.step(function() {
+            var b = new Blob([''], { type: 'application/javascript' });
+            var script = document.createElement('script');
+            script.addEventListener('load', t2.step_func(function() {
+                assert_unreached('Should not successfully load blob URI.');
+            }));
+            script.addEventListener('error', t2.step_func(function() {
+                t2.done();
+            }));
+
+            script.src = URL.createObjectURL(b);
+            document.head.appendChild(script);
+        });
+
+        var t3 = async_test('filesystem URIs should not match *');
+        if (window.webkitRequestFileSystem) {
+            window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+                fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+                    fileEntry.createWriter(function(fileWriter) {
+                        var script = document.createElement('script');
+
+                        script.addEventListener('load', t3.step_func(function() {
+                            assert_unreached('Should not successfully load filesystem URI.');
+                        }));
+                        script.addEventListener('error', t3.step_func(function() {
+                            t3.done();
+                        }));
+
+                        script.src = fileEntry.toURL('application/javascript');
+                        document.body.appendChild(script);
+                    });
+                });
+            });
+        } else {
+          t3.done();
+        }
+    </script>
+    </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
new file mode 100644
index 000000000..cd9543913
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-wildcards-disallowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'nonce-nonce' *; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
new file mode 100644
index 000000000..a7a217448
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scripthash-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';
+-->
+    <script>
+        alert_assert('PASS (1/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (3/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (4/4)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..e0fe373b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
new file mode 100644
index 000000000..ac7b2c02f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scripthash-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+        var expected_alerts = ["PASS (1/1)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='; connect-src 'self';
+-->
+    <script>
+        alert_assert('PASS (1/1)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (2/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (3/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (4/4)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..6a92e06f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
new file mode 100644
index 000000000..a11a224ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>script-hash allowed from default-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    
+    <script>done();</script>
+    </head>
+
+    <body>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+    </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..d8893af41
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..545099e08
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scripthash-ignore-unsafeinline</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+        var expected_alerts = ["PASS (1/1)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'; connect-src 'self';
+-->
+    <script>
+        alert_assert('PASS (1/1)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/1)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests that a valid hash value disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..fb3fc7655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
new file mode 100644
index 000000000..bd1e0365c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scripthash-unicode-normalization</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <!-- enforcing policy:
+script-src 'self' 'nonce-nonceynonce' 'sha256-dWTP4Di8KBjaiXvQ5mRquI9OoBSo921ahYxLfYSiuT8='; connect-src 'self';
+-->
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+    <!-- The following two scripts contain two separate code points (U+00C5
+        and U+212B, respectively) which, depending on your text editor, might be
+        rendered the same.However, their difference is important because, under
+        NFC normalization, they would become the same code point, which would be
+        against the spec. This test, therefore, validates that the scripts have
+        *different* hash values. -->
+    <script nonce="nonceynonce">
+      var matchingContent = 'Å';
+      var nonMatchingContent = 'Å';
+
+      // This script should have a hash value of
+      // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+      var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+      // This script should have a hash value of
+      // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+      var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+      var script1 = document.createElement('script');
+      var script2 = document.createElement('script');
+
+      script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+      var failure = function() {
+        assert_unreached();
+      }
+
+      window.finish = function(content) {
+        if (content == matchingContent) {
+          script1.test.step(function() {
+            script1.test.done();
+          });
+        } else {
+	  script1.test.step(function() {
+            assert_unreached("nonMatchingContent script ran");
+	  });
+        }
+      }
+
+      script1.onerror = failure;
+
+      document.body.appendChild(script2);
+      script2.textContent = scriptContent2;
+      document.body.appendChild(script1);
+      script1.textContent = scriptContent1;
+    </script>
+
+    <p>
+        This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
new file mode 100644
index 000000000..a23724f8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-unicode-normalization={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
new file mode 100644
index 000000000..2a1321d24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scriptnonce-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="noncynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+    </script>
+    <script nonce="noncynonce">
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+        alert_assert('PASS (1/2)');
+
+    </script>
+    <script nonce="noncy+/=nonce">
+        alert_assert('PASS (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..a69c927c9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 000000000..2b333cbea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scriptnonce-and-scripthash</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="nonceynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+    </script>
+    <script nonce="nonceynonce">
+        var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+        var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+    <script nonce="nonceynonce">
+        alert_assert('PASS (1/3)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/3)');
+
+    </script>
+    <script nonce="nonceynonce">
+        alert_assert('PASS (3/3)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/2)');
+
+    </script>
+    <script nonce="notanonce">
+        alert_assert('FAIL (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=&apos;%20&apos;sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=&apos;%20&apos;nonce-nonceynonce&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
new file mode 100644
index 000000000..afa33e6df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-and-scripthash={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 000000000..4815ca100
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scriptnonce-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)"]'></script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+        alert_assert('PASS (closely-quoted nonce)');
+
+    </script>
+    <script nonce="   noncynonce    ">
+        alert_assert('PASS (nonce w/whitespace)');
+
+    </script>
+    <script nonce="noncynonce noncynonce">
+        alert_assert('FAIL (1/3)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (2/3)');
+
+    </script>
+    <script nonce="noncynonceno?">
+        alert_assert('FAIL (3/3)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;nonce-noncynonce&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee4e8b3f0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..d1b97dfb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scriptnonce-ignore-unsafeinline</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce='noncynonce'>
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+    </script>
+    <script nonce='noncynonce'>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+
+
+    </script>
+    <script nonce="noncynonce">
+        alert_assert('PASS (1/2)');
+
+    </script>
+    <script nonce="noncy+/=nonce">
+        alert_assert('PASS (2/2)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/1)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+    </p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;nonce-noncynonce&apos;%20&apos;nonce-noncy+/=nonce&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..01f7e185a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
new file mode 100644
index 000000000..a17f1fb5c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>scriptnonce-redirect</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="noncynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+    </script>
+    <script nonce="noncynonce">
+        var t_alert = async_test('Expecting alerts: ["PASS"]');
+        var expected_alerts = ["PASS"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+    This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+    <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+    <script nonce="noncynonce">
+
+
+    </script>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
new file mode 100644
index 000000000..8d71f88d5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-redirect={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
new file mode 100644
index 000000000..82cad0347
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>securitypolicyviolation-block-cross-origin-image-from-script</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <script>
+        var x = document.createElement('script');
+        x.src = 'http://{{host}}:{{ports[http][0]}}/content-security-policy/support/inject-image.js';
+        document.body.appendChild(x);
+
+    </script>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..723ed281f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
new file mode 100644
index 000000000..9b7dc32e1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>securitypolicyviolation-block-cross-origin-image</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <script>
+        var img = document.createElement('img');
+        img.src = 'http://{{host}}:{{ports[http][0]}}/security/resources/abe.png';
+        document.body.appendChild(img);
+        log("TEST COMPLETE");
+
+    </script>
+    <p>Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
new file mode 100644
index 000000000..d701a476f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
new file mode 100644
index 000000000..33facfbc3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>securitypolicyviolation-block-image-from-script</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <script>
+        var script = document.createElement('script');
+        script.src = '../support/inject-image.js';
+        document.body.appendChild(script);
+        log("TEST COMPLETE");
+
+    </script>
+    <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..6b6084dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
new file mode 100644
index 000000000..3e62e2d35
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>securitypolicyviolation-block-image</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <script>
+        var img = document.createElement('img');
+        img.src = '../support/fail.png';
+        img.onerror = function() {
+            log("TEST COMPLETE");
+        };
+        img.onload = function() {
+            log("FAIL");
+        };
+        document.body.appendChild(img);
+
+    </script>
+    <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
new file mode 100644
index 000000000..1f4f84578
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
new file mode 100644
index 000000000..282b18502
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>stylehash-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/4): The \'#p1\' element\'s text is green, which means the style was correctly applied.","PASS (2/4): The \'#p2\' element\'s text is green, which means the style was correctly applied.","PASS (3/4): The \'#p3\' element\'s text is green, which means the style was correctly applied.","PASS (4/4): The \'#p4\' element\'s text is green, which means the style was correctly applied."]');
+        var expected_alerts = ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.", "PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.", "PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.", "PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p1 is fired.</p>
+    <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p2 is fired.</p>
+    <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p3 is fired.</p>
+    <p id="p4">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p4 is fired.</p>
+    <style>p#p1 { color: green; }</style>
+    <style>p#p2 { color: green; }</style>
+    <style>p#p3 { color: green; }</style>
+    <style>p#p4 { color: green; }</style>
+    <script>
+        var color = window.getComputedStyle(document.querySelector('#p1')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
+        var color = window.getComputedStyle(document.querySelector('#p2')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
+        var color = window.getComputedStyle(document.querySelector('#p3')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
+        var color = window.getComputedStyle(document.querySelector('#p4')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied.");
+
+    </script>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..2b519e85e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
new file mode 100644
index 000000000..274db0140
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>stylehash-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied."]');
+        var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied."];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <style>p { color: green; }</style>
+    <style>p { color: red; }</style>
+    <style>p { color: purple; }</style>
+    <style>p { color: blue; }</style>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated.
+    </p>
+    <script>
+        var color = window.getComputedStyle(document.querySelector('p')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS: The 'p' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL: The 'p' element's text is " + color + ", which means the style was incorrectly applied.");
+
+    </script>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo=&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac9ca4e87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
new file mode 100644
index 000000000..159338c6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>stylehash allowed from default-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    </head>
+
+    <body>
+    <p id="p">Test</p>
+    <style>p#p { color: green; }</style>
+    <script>
+    var color = window.getComputedStyle(document.querySelector('#p')).color;
+    assert_equals(color, "rgb(0, 128, 0)");
+    done();
+    </script>
+
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+    </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..8efe9d965
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
new file mode 100644
index 000000000..c8622ba24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>stylenonce-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+style-src 'self' nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script></script>
+    <style nonce="noncynonce">
+        #test1 {
+            color: green;
+        }
+
+    </style>
+    <style>
+        #test1 {
+            color: red;
+        }
+
+    </style>
+    <style nonce="noncynonce">
+        #test2 {
+            color: green;
+        }
+
+    </style>
+</head>
+
+<body>
+    <p id="test1">This text should be green.</p>
+    <p id="test2">This text should also be green.</p>
+    <script>
+        var el = document.querySelector('#test1');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+        });
+        var el = document.querySelector('#test2');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+        });
+
+    </script>
+    <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;nonce-noncynonce&apos;%20&apos;nonce-noncy+/=nonce&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..28c85c91a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
new file mode 100644
index 000000000..43204f64d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>stylenonce-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <link rel="stylesheet" type="text/css" href="allowed.css">
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <script></script>
+    <style nonce="noncynonce">
+        #test {
+            color: red;
+        }
+
+    </style>
+</head>
+
+<body>
+    <p id="test">This text should be green.</p>
+    <script>
+        var el = document.querySelector('#test');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+        });
+
+    </script>
+    <p>Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.</p>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e51a02dd0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
-- 
cgit v1.2.3