Add m-esr52 at 52.6.0

32 files changed, 374 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
new file mode 100644
index 000000000..5c580273d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+  scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') });
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
new file mode 100644
index 000000000..c3778f816
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to img-src directive</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to img-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var imgsrc = async_test("Verify cascading of default-src to img-src policy");
+      var onerrorFired = false;
+    </script>
+
+    <img id='imgfail' src=''
+         onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });'
+         onerror='onerrorFired = true;'>
+    <img src='../support/pass.png'
+         onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'>
+
+    <script>
+      document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png');
+      onload = function() {
+        imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");});
+        imgsrc.done();
+      }
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers
new file mode 100644
index 000000000..61bdc0a30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-img-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
new file mode 100644
index 000000000..740b2a553
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to script-src directive</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to script-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block");
+      var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
+      var allowedScriptRan = false;
+    </script>
+
+    <script src='pass-0_1.js'></script>
+
+    <script>
+      var inlineScript = document.createElement('script');
+      inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js');
+      document.getElementById('log').appendChild(inlineScript);
+      onload = function() {
+          scriptsrc1.done();
+          scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") });
+          scriptsrc2.done();
+      }
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers
new file mode 100644
index 000000000..b3ff8c460
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-script-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html
new file mode 100644
index 000000000..703e50b44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test implicit port number matching (requires port 80)</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + "/content-security-policy/generic/positiveTest.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test implicit port number matching (requires port 80)</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers
new file mode 100644
index 000000000..c58b0536f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_10={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' www.{{host}} 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
new file mode 100644
index 000000000..c66640de3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>implicit port number matching fails with a different port</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>implicit port number matching fails with a different port</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20www.{{host}}%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers
new file mode 100644
index 000000000..e8fcf07c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_10_1={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' www.{{host}} 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
new file mode 100644
index 000000000..130bfadad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' keyword positive test</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='positiveTest.js'></script>
+</head>
+<body>
+    <h1>'self' keyword positive test</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers
new file mode 100644
index 000000000..776112de6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
new file mode 100644
index 000000000..9d274ea59
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' fails with a different port</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>'self' fails with a different port</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers
new file mode 100644
index 000000000..769ccc154
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2_2={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
new file mode 100644
index 000000000..ff4b8db8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers
new file mode 100644
index 000000000..0a8defccd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2_3={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html
new file mode 100644
index 000000000..2e7df3776
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard host name matching (*.web-platform.test is good)</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardHostTest.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard host name matching (*.web-platform.test is good)</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers
new file mode 100644
index 000000000..34756f9db
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_8={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' *.{{host}}:{{ports[http][0]}} 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
new file mode 100644
index 000000000..167b4458d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard host name matching (www*.web-platform.test is bad, *www.web-platform.test is bad)</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardHostTestFailure.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard host name matching (www*.web-platform.test is bad, *www.web-platform.test is bad)</h1>
+    <div id='log'></div>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20*w.{{host}}:{{ports[http][0]}}%20w*.{{host}}:{{ports[http][0]}}%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers
new file mode 100644
index 000000000..57a038a05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_8_1={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' *w.{{host}}:{{ports[http][0]}} w*.{{host}}:{{ports[http][0]}} 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
new file mode 100644
index 000000000..cadeb178f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard port number matching</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardPortTest.js'></script>
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/wildcardPortTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard port number matching</h1>
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers
new file mode 100644
index 000000000..2f2336009
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_9={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' {{host}}:* 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/negativeTests.js b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
new file mode 100644
index 000000000..44b4d7f68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
@@ -0,0 +1,3 @@
+var t1 = async_test("Prevents access to external scripts.");
+
+onload = function() {t1.done();}
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
new file mode 100644
index 000000000..933986800
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>no default src doesn't behave exactly like *</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]">    </script>
+    <script src='positiveTest.js'></script>
+    <!-- enforcing policy: foobar; report-uri ...
+    -->
+</head>
+<body>
+    <h1>no default src doesn't behave exactly like *</h1>
+    This page has a CSP header but an unknown directive.
+    This should have no impact on an img loaded from a data:
+    uri, or an inline script, although that would be blocked by a default-src policy of *.
+    <br>
+    <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKgAAABACAIAAAABPqsMAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH1QoMCC8h3if5rgAAAB10RVh0Q29tbWVudABDcmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAGD0lEQVR42u2aa0yTVxiA39ILxa4KIkKrVCCIitzrqkAXQiXDSFjQHyZDBRRdtoDzgooao5uaoInID4hRJFC8RBOzxQuKigyYokuDSB0WlaJQlQrITRCwte1+nKVhpbT9aGUue59fb84573dO+uR7v/drS4OfAPkf4oQfAYpHUDyC4hEUj6B4BMUjKB5B8QiKR1A8guIRFI+geATFIygeQfEIikdQPEIVxmd1GsN+w9hBrV7bN9Kn7FHWqmqLHxY3vW2ycIWtS7Yeiz9G4h0VO47eO2rj1p4cz7WhayW+kuCZwdNdpjsznIe0Q53vO1X9qsbOxrr2uprWmrb+Nofn/lvQPqs/W5oVb0KBrCDrVpZGpzE7++iHR8Ezg0ms6FIsPL7Qho+Ali3O3h+zn81gW1n5M82BuVjqqZEpyjyVeMrs1CL+IqN1AAj0CBTNElm9YGFiYc7SHKvmHJ6Lpd7K/cF0YvK5/KV+S3eLd/tP9weAlNAUaYO0qrXKJGtd2DoS6A16J5oTGZG9llnYKDEgcUPEBhI/636WL8uvelHV1t82rB1mM9geHA8fV58QzxAhTxjjE+PAXCz15ku92cLIZXFr1tWEe4UDwLk/z635dc3oWWe6s3q72o3tBgD7qvYdiD0AAH0jfbxc3sjHkfF2LF9dvsx/GQDcbLmZdCHJwkrH5mKpp8CAZiC7IpvEUd5RJrMrFqwg1pU9ykO/H2rpbQEAV7brygUrLVxz8ezFJNh2cxtVc/bkonhq3Ht5jwReX3iNV+elDVIDGKQNUpNxs0x1nkoCZY+S6mHsyUXxE30oGP7R/3tP9Y7ziyNP91J5KQCUNpTqDXoAkPhKBNME412ne6ibBEEzg6iewZ5cFE8NY4XveN8xejw1LJV0cxXPK169ewUAL9+9vP38NgA40ZxSQ1OtlpDCxMI50+ZMrPxMIBfFU4DD5ByOO2zyoRPSwtJIUPyw2DhojNPC0mhg/jU67488AxgAQMgTNv/YfPXbq5miTNEskQvDxep57MnFrt56V890YvK4vFif2D1f7QlwDyCDcafjKl9UkjhmTkx1WjUA9Az38HP5H3Qfxvb5saWx1a3VZjfdsmRL7te5pGAY0Rl0ii7FnbY7l55cqnxRSZ4ajs1F8WbEW8bkXU6aJCXFvEBWsKl80+iVBcsLMr7MAIDT8tOpl8Yt+JGzIw9KDkp8JWYLg7JHmXUr68rTKw7PRfEUxJ98cHJz+Wbjbc1lcdXb1RwmBwCEhcJ6df3oxUKesO67OgAY0g55HfUa0AxYuLJgmmD53OVigTiCFxHgHkCn0UfP7rq960jtkU+Ri+LH/ZGmf6S/pbelVlVb0lDS2Nk4ejY9PL3omyIAkHfIw06EjU2Xfy8P8QwBgI1XNxbVF9l4EheGi5AvTJibkB6R7jHFAwAMYBAXi016C4fn4jPe1p807q6/G+0dbWMTHl0cTfVIbmy3suQy8jZxUXFx1cVVk5OLXb0lAtwDbLROXgWNvaHt9I70ZlzPILFYIJ60XBRvCcvfytm/ntDU9fc/AEjdnrTcTwrjv2udTqOnhKaQOOlC0uWnl8dbmTA3oSy5DABSQlP2/rZXZ9BR2mjejHkksNwbOjwX73jzxPvH87l8AOh433Gt+ZqFlTeUN9SDagDgc/nx/vGUdpnCnJIXn0fiB+0PJi0X73jrdfvso7Mf9R8trNQZdGfkZ3ZG7yRZ15uvG6dUW1W1qtp6db2iS9HW36YeUA9qBrV6LYfJ8XPzk/hKMkWZfm5+ZLHJS4E9udjVT7Crd3dxb89qZ9FZABB0POhx12PL6+fPmN+U0QQAGp2Gn8vvHu6m9JWR2bbcnlws9RNkdchqYl32WmbVOgA8efvk/qv7AMCis5KDkyntpdFpcu7mJP+SPIFz2pOLpd5SnS9pKLExpeRhSeTsSABYH74+X5ZPBgV5gijvqAheRKBHoI+rD4/L47K4TDpzWDv8ZvCNoktR3Vp9vvF8+0D72Avak4ulHsFSj6B4BMUjKB5B8QiKR1A8guIRFI+geATFo3gExSMoHkHxCIpHUDyC4hEUj6B45HPmL9so2ZKs94sNAAAAAElFTkSuQmCC'>
+    <script>
+        var allowedScriptRan = true;
+    </script>
+
+    <div id='log'></div>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..a7337acce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: no-default-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: foobar; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
new file mode 100644
index 000000000..3a08dd562
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+   allowedScriptRan = true;
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/positiveTest.js b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
new file mode 100644
index 000000000..63c999196
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
@@ -0,0 +1,6 @@
+onload = function() {
+  test(function() {
+        assert_true(true, 'Script ran.')},
+        "Allows scripts from the same host."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/unreached.js b/testing/web-platform/tests/content-security-policy/generic/unreached.js
new file mode 100644
index 000000000..893fb5eba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/unreached.js
@@ -0,0 +1,3 @@
+onload = function() {
+      t1.step(function() {assert_unreached("Script should not have ran.");});
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
new file mode 100644
index 000000000..da3e2790f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(wildcardHostTestRan, 'Script should have ran.')},
+        "Wildcard host matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
new file mode 100644
index 000000000..75ec8cf80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_false(wildcardHostTestRan, 'Script should not have ran.')},
+        "Wildcard host matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
new file mode 100644
index 000000000..8b115d7fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
@@ -0,0 +1 @@
+wildcardHostTestRan = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
new file mode 100644
index 000000000..3cd1d2eae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
@@ -0,0 +1,8 @@
+wildcardPortTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(wildcardPortTestRan, 'Script should have ran.')},
+        "Wildcard port matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
new file mode 100644
index 000000000..0138deb2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
@@ -0,0 +1 @@
+wildcardPortTestRan = true;
\ No newline at end of file