Diffstat (limited to 'testing/web-platform/tests/content-security-policy/blink-contrib-2')
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css3
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html42
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html34
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js5
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html65
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html42
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html69
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html57
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html71
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html64
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html76
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html43
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html72
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html59
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html34
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html77
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html54
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html38
-rw-r--r--testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers6
74 files changed, 1744 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
new file mode 100644
index 000000000..ace543489
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
@@ -0,0 +1,3 @@
+#test {
+ color: green;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
new file mode 100644
index 000000000..143777407
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>base-uri-allow</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+ <script>
+ test(function() {
+ if ('{{ports[http][0]}}' == '80' ||
+ '{{ports[http][0]}}' == '443') {
+ assert_equals(document.baseURI, 'http://www1.{{host}}/');
+ } else {
+ assert_equals(document.baseURI, 'http://www1.{{host}}' + ':{{ports[http][0]}}/');
+ }
+
+ log("TEST COMPLETE")
+ });
+
+ </script>
+</head>
+
+<body>
+ <p>Check that base URIs can be set if they do not violate the page's policy.</p>
+ <div id="log"></div>
+ <script async defer src="./content-security-policy/support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
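Review bot: The `'{{ports[http][0]}}' == '443'` arm of the port check expects `http://www1.{{host}}/`, but 443 is not the default port for an `http:` URL, so `document.baseURI` would still carry `:443` and the assertion would fail in that configuration. The condition should be just `if ('{{ports[http][0]}}' == '80') {`. The last script also loads `./content-security-policy/support/checkReport.sub.js` where the sibling tests use `../support/…`; this presumably relies on the `<base>` element re-rooting relative URLs at the www1 origin, and a one-line comment saying so would stop it being "fixed" later.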
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
new file mode 100644
index 000000000..e749d7238
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-allow={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
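Review bot: `Cache-Control: post-check=0, pre-check=0, false` carries a stray `false` token, which is not a cache directive and looks like the second argument of a PHP `header()` call copied into the value; the line should read `Cache-Control: post-check=0, pre-check=0`. The same line is repeated in every `.sub.headers` file added here (base-uri-deny and all the form-action-src-* header files). The `Expires` value also names Monday for 26 Jul 1997, which was a Saturday. These headers exist to keep the policy response and the per-test report cookie from being cached, so a well-formed past date is safer than relying on parsers to treat a malformed one as expired.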
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
new file mode 100644
index 000000000..f2b7c591e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>base-uri-deny</title>
+ <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS document.baseURI is document.location.href","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ var base = document.createElement('base');
+ base.href = 'http://www1.{{host}}:{{ports[http][0]}}/';
+ document.head.appendChild(base);
+ if (document.baseURI == document.location.href) {
+ log("PASS document.baseURI is document.location.href");
+ log("TEST COMPLETE");
+ }
+
+ </script>
+</head>
+
+<body>
+ <p>Check that base URIs cannot be set if they violate the page's policy.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=base-uri%20&apos;self&apos;"></script>
+</body>
+
+</html>
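Review bot: The inline script has no failure path: when `document.baseURI` differs from `document.location.href` nothing is logged, so a browser that honours the injected `<base>` would fail only by timing out (assuming logTest waits for its expected entries). An explicit branch such as `else { log("FAIL document.baseURI is " + document.baseURI); }` would make an unenforced `base-uri 'self'` show up directly. The markup `<base href>` placed right after `<title>` is presumably blocked by the same policy, so more than one violation may be reported; a comment stating which one `checkReport` is meant to match would help.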
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
new file mode 100644
index 000000000..0312c46d0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-deny={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
new file mode 100644
index 000000000..19cf6811c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that allowed form actions work correctly.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+
+</html>
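Review bot: `log("TEST COMPLETE")` runs in the same timer callback as `click()`, so it is recorded before the iframe can follow the redirect and post its "PASS" message, while the expected list is `["PASS","TEST COMPLETE"]`. Whether that matters depends on how logTest.sub.js treats ordering, which is not visible here, but completion is not gated on the allowed submission actually succeeding. Logging completion from the message handler, e.g. `log(event.data); log("TEST COMPLETE");`, would tie the two together. The same pattern appears in form-action-src-default-ignored.sub.html and form-action-src-get-allowed.sub.html. The form also targets `/content-security-policy/blink-contrib/resources/…` rather than this `blink-contrib-2` directory, so the test depends on that sibling directory being present.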
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..88cbfda0e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
new file mode 100644
index 000000000..0960a8a02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ }, 0);
+ });
+ setTimeout(function() {log("TEST COMPLETE");}, 1);
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-fail.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking form actions works correctly.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;"></script>
+
+ </body>
+
+</html>
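Review bot: `setTimeout(function() {log("TEST COMPLETE");}, 1);` is scheduled at script-parse time, so completion is very likely logged before the `load` handler has even clicked the submit button. If `form-action 'none'` were not enforced, the "FAIL" message from the iframe would arrive after the test had already reported its only expected log entry, leaving the report check as the sole thing that detects a bypass. Consider logging completion from the load callback after a delay long enough for a wrongly allowed submission to post back, with a comment explaining the wait. form-action-src-get-blocked.sub.html and form-action-src-redirect-blocked.sub.html have the related problem of logging immediately after `click()`.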
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..29351c008
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
new file mode 100644
index 000000000..32823d680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-default-ignored</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; frame-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that default-src does not cascade to form-action.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
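Review bot: The `enforcing policy` comment does not match the header this test is served with: it lists `'unsafe-inline'` twice in `script-src` and omits `style-src 'self'`, while the accompanying `.sub.headers` file sends `default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'`. Since the comment is what a reader uses to see why `form-action` is expected to stay unrestricted under `default-src 'none'`, it should be corrected to `default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self';`.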
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
new file mode 100644
index 000000000..1abbcf50c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
new file mode 100644
index 000000000..a7d3e584b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+ <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-pass.html">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that allowed form actions work correctly
+ with GET and a redirect.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+
+</html> \ No newline at end of file
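Review bot: The `<title>` is `form-action-src-allowed`, copied from the POST variant, so this test carries the same title as a different file. It should be `<title>form-action-src-get-allowed</title>`. form-action-src-get-blocked.sub.html has the same wrong title, which is more misleading there because it names the opposite expectation; it should read `form-action-src-get-blocked`. The file also lacks a trailing newline, unlike the other tests added in this commit.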
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..ac8761518
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
new file mode 100644
index 000000000..0910eb419
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+ <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-fail.html">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that disallowed form actions are blocked
+ with GET and redirects.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;
+"></script>
+ </body>
+
+</html>
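Review bot: The `src` attribute of the final `checkReport.sub.js` script contains a raw line break before the closing quote (`…&apos;none&apos;` followed by a newline and `"`). URL parsing strips newlines, so the request most likely still works, but the expected `reportValue` then depends on that stripping and on how the server-side substitution handles the parameter. Closing the quote on the same line, as form-action-src-blocked.sub.html does, removes the ambiguity.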
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e7a044dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
new file mode 100644
index 000000000..c362ea6fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-javascript-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';
+-->
+ <script nonce='noncynonce'>
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <form action="javascript:alert_assert(&quot;FAIL!&quot;)" id="theform" method="post">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
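Review bot: The report check is only `checkReport.sub.js?reportExists=true`, so any violation report satisfies it. The policy is `script-src 'self' 'nonce-noncynonce'` with no `'unsafe-inline'`, so a `javascript:` form action can plausibly be refused by `script-src` as well. As written, the test cannot tell whether `form-action 'none'` was the directive that blocked it. Pinning the directive as the sibling tests do, by appending `&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;`, would make the test assert what its description claims.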
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ffa2288c0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
new file mode 100644
index 000000000..e311817eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-redirect-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ setTimeout(function() {}, 1000);
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form id="form1" action="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20'self'"></script>
+</body>
+
+</html>
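Review bot: The load handler calls `log("TEST COMPLETE")` straight after `click()`, so the logged completion does not depend on whether the redirected POST was actually blocked. Only the `checkReport.sub.js` check at the bottom ties the result to enforcement, and that deserves a comment such as `<!-- Pass/fail is decided by the violation report, not by the log line. -->`. The trailing `setTimeout(function() {}, 1000);` has no effect and can be dropped. The form's redirect target is under `blink-contrib/resources/` while this file sits in `blink-contrib-2`; that resource is not among the files visible in this part of the patch, so confirm it exists, since a missing page would never post the failure message either.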
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee767f4a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
new file mode 100644
index 000000000..41618d4ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>meta-outside-head</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'none'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+ <p>This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document&apos;s head.</p>
+ <script>
+ var aa = "PASS (1/1)";
+ </script>
+ <script src="metaHelper.js"></script>
+ <div id="log"></div>
+ <script src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
new file mode 100644
index 000000000..3cd335192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: meta-outside-head={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
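Review bot: The `script-src` list mixes `'none'` with `'self' 'unsafe-inline'`. In CSP, `'none'` only has meaning as the sole source expression and is ignored when other sources are present, so the effective policy is `script-src 'self' 'unsafe-inline'`. If the extra token is not deliberate, the line is clearer as `Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri …`. If it is deliberate, say so in the "enforcing policy" comment of `meta-outside-head.sub.html`, which repeats the same list.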
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
new file mode 100644
index 000000000..9191a39c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
@@ -0,0 +1,5 @@
+if (typeof aa != 'undefined') {
+ alert_assert(aa);
+} else {
+ alert_assert("Failed - allowed inline script blocked by meta policy outside head.");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
new file mode 100644
index 000000000..fe3f95878
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-mismatched-data</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ This tests that plugin content that doesn&apos;t match the declared type doesn&apos;t load, even if the document&apos;s CSP would allow it. This test passes if &quot;FAIL!&quot; isn&apos;t logged.
+ <object type="application/x-invalid-type" data="data:application/x-webkit-test-netscape,logifloaded" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
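Review bot: This test expects no log entries, no alerts and no report, so it also passes in any browser where the `<object>` simply never loads, for example when nothing handles `application/x-webkit-test-netscape`. The `log="FAIL!"` attribute appears to rely on the WebKit test plugin, which this patch does not show, so outside that environment the `plugin-types` check may not be exercised at all. A comment stating the dependency would help, e.g. `<!-- Needs the WebKit test plugin; without it this test passes vacuously. -->`. The same applies to the other `plugintypes-*` files with `reportExists=false`.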
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
new file mode 100644
index 000000000..4e5b31b2a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
new file mode 100644
index 000000000..bc60994ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-mismatched-url</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ This tests that plugin content that doesn&apos;t match the declared type doesn&apos;t load, even if the document&apos;s CSP would allow it. This test passes if no iframe is dumped (meaning that no PluginDocument was created).
+ <object type="application/x-invalid-type" data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
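Review bot: The `<object>` points at `/plugins/resources/mock-plugin.pl`, a server-root path that is not added anywhere in the visible part of this patch and looks like a leftover from the WebKit layout-test tree. If that URL returns 404, the object fails to load for a reason unrelated to CSP, and the `reportExists=false` check still passes. `plugintypes-notype-url.sub.html` uses the same path and expects a report, so there the outcome would depend on whether the policy check runs before the fetch. Either add the resource under the test directory or reference one that exists in this suite.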
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
new file mode 100644
index 000000000..38a7450ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
new file mode 100644
index 000000000..eb60d5d4c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-notype-data</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: object tag onerror handler fired"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there&apos;s a CSP report and &quot;FAIL!&quot; isn&apos;t logged.
+ <object data="data:application/x-webkit-test-netscape" onload="log('FAIL');" onerror="log('PASS: object tag onerror handler fired');"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types+application/x-invalid-type"></script>
+</body>
+
+</html>
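Review bot: The expected `reportValue` here encodes the space as `+` (`plugin-types+application/x-invalid-type`), whereas the sibling `plugintypes-notype-url.sub.html` uses `%20` for the same directive. Whether `checkReport.sub.js` decodes `+` as a space is not visible in this patch, so use `reportValue=plugin-types%20application/x-invalid-type` to match the sibling. The description also says the test passes if "FAIL!" isn't logged, while the `onload` handler logs `'FAIL'`; align the two strings. Both inline handlers depend on the `'unsafe-inline'` in the delivered policy, which is worth a short comment.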
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
new file mode 100644
index 000000000..ea938378a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
new file mode 100644
index 000000000..e9918941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-notype-url</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there&apos;s an error report is sent.
+ <object data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types%20application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
new file mode 100644
index 000000000..ffe26cdf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
new file mode 100644
index 000000000..222d6500d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-nourl-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn&apos;t a CSP violation sayingthe plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7fef2a5b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
new file mode 100644
index 000000000..b5cc5a5a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-nourl-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation sayingthe plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=plugin-types%20text/plain"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..709bf90df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
new file mode 100644
index 000000000..2a94692ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-src disallowed wildcard use</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <!-- enforcing policy:
+script-src 'nonce-nonce' *; connect-src 'self';
+-->
+ <script nonce="nonce">
+ var t1 = async_test('data: URIs should not match *');
+ t1.step(function() {
+ var script = document.createElement("script");
+ script.src = 'data:application/javascript,';
+ script.addEventListener('load', t1.step_func(function() {
+ assert_unreached('Should not successfully load data URI.');
+ }));
+ script.addEventListener('error', t1.step_func(function() {
+ t1.done();
+ }));
+ document.head.appendChild(script);
+ });
+
+ var t2 = async_test('blob: URIs should not match *');
+ t2.step(function() {
+ var b = new Blob([''], { type: 'application/javascript' });
+ var script = document.createElement('script');
+ script.addEventListener('load', t2.step_func(function() {
+ assert_unreached('Should not successfully load blob URI.');
+ }));
+ script.addEventListener('error', t2.step_func(function() {
+ t2.done();
+ }));
+
+ script.src = URL.createObjectURL(b);
+ document.head.appendChild(script);
+ });
+
+ var t3 = async_test('filesystem URIs should not match *');
+ if (window.webkitRequestFileSystem) {
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ var script = document.createElement('script');
+
+ script.addEventListener('load', t3.step_func(function() {
+ assert_unreached('Should not successfully load filesystem URI.');
+ }));
+ script.addEventListener('error', t3.step_func(function() {
+ t3.done();
+ }));
+
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ });
+ });
+ });
+ } else {
+ t3.done();
+ }
+ </script>
+ </body>
+</html>
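Review bot: The filesystem case passes no error callbacks to `webkitRequestFileSystem`, `getFile` or `createWriter`, so a quota or permission failure leaves `t3` hanging until the harness times out instead of failing with a reason. Passing an unreached handler as the last argument of each call fixes that, e.g. `}, t3.unreached_func('createWriter failed'));`. The success callbacks are also not wrapped in `t3.step_func`, so an exception inside them is not attributed to the test. The `else { t3.done(); }` branch reports a pass when the API is missing, which is worth a comment so a green result is not read as coverage.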
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
new file mode 100644
index 000000000..cd9543913
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-wildcards-disallowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'nonce-nonce' *; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
new file mode 100644
index 000000000..a7a217448
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (3/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
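Review bot: Nothing in this file warns that the four `sha256-` sources in the policy cover the exact text between each `<script>` and `</script>`, including indentation and the trailing blank line. Any reformatting or line-ending conversion will silently turn this test into a failure. Add a comment above the first hashed script, e.g. `<!-- Do not reformat: the CSP hashes cover the exact script text, whitespace included. -->`. The same applies to the other `scripthash-*` files in this directory.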
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..e0fe373b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
new file mode 100644
index 000000000..ac7b2c02f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (3/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=&apos;"></script>
+</body>
+
+</html>
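Review bot: The "enforcing policy" comment and the `reportValue` passed to `checkReport.sub.js` both describe a policy with `'unsafe-inline'` and a `sha1-Au4u…` hash, but the accompanying `.sub.headers` file delivers `script-src 'self'` with two `sha256-` hashes and no `'unsafe-inline'`. The expected violated-directive string `script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='` therefore cannot equal the delivered directive. How strictly `checkReport.sub.js` compares the field is not visible here, so this either fails or only passes through a loose match. Update the comment and `reportValue` to the delivered policy. `scripthash-ignore-unsafeinline.sub.html` has the same mismatch.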
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..6a92e06f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
new file mode 100644
index 000000000..a11a224ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-hash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <script>done();</script>
+ </head>
+
+ <body>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..d8893af41
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..545099e08
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid hash value disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
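Review bot: The inlined `alert_assert` calls `t_alert.done();` and `t_log.done();` directly after `assert_unreached(...)`, which throws, so neither line is reached. `t_log` is also not defined in this file; it presumably comes from `logTest.sub.js`, so a refactor that made the line reachable could hit a ReferenceError. Drop both dead calls, and simplify the loop body since `assert_true(expected_alerts[i] == msg)` merely repeats the enclosing `if`. The helper is duplicated verbatim in `scripthash-basic-blocked.sub.html`; if it must stay inline so that its hash is covered by the policy, say so in a comment.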
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..fb3fc7655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
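Review bot: The `script-src` list in the added Content-Security-Policy line contains `unsafe-inline'` with no opening quote, so it is not the `'unsafe-inline'` keyword and a conforming parser will not read it as one. A test meant to show that a hash makes the browser ignore 'unsafe-inline' then never delivers that keyword, and would pass even in a browser that honours both. The token should read `'unsafe-inline'`. The policy comment and the expected `reportValue` in the matching .sub.html (whose hunk starts outside this view) name a `sha1-` hash while this header sends two `sha256-` hashes, so those should be reconciled in the same change.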
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
new file mode 100644
index 000000000..bd1e0365c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-unicode-normalization</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+script-src 'self' 'nonce-nonceynonce' 'sha256-dWTP4Di8KBjaiXvQ5mRquI9OoBSo921ahYxLfYSiuT8='; connect-src 'self';
+-->
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+ <!-- The following two scripts contain two separate code points (U+00C5
+ and U+212B, respectively) which, depending on your text editor, might be
+ rendered the same.However, their difference is important because, under
+ NFC normalization, they would become the same code point, which would be
+ against the spec. This test, therefore, validates that the scripts have
+ *different* hash values. -->
+ <script nonce="nonceynonce">
+ var matchingContent = 'Ã…';
+ var nonMatchingContent = 'â„«';
+
+ // This script should have a hash value of
+ // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+ var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+ // This script should have a hash value of
+ // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+ var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+ var script1 = document.createElement('script');
+ var script2 = document.createElement('script');
+
+ script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+ var failure = function() {
+ assert_unreached();
+ }
+
+ window.finish = function(content) {
+ if (content == matchingContent) {
+ script1.test.step(function() {
+ script1.test.done();
+ });
+ } else {
+ script1.test.step(function() {
+ assert_unreached("nonMatchingContent script ran");
+ });
+ }
+ }
+
+ script1.onerror = failure;
+
+ document.body.appendChild(script2);
+ script2.textContent = scriptContent2;
+ document.body.appendChild(script1);
+ script1.textContent = scriptContent1;
+ </script>
+
+ <p>
+ This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
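Review bot: The closing paragraph says the two strings "should be the same when the hash is taken", which is the opposite of what the test asserts: the leading comment and `window.finish` require that U+00C5 and U+212B hash differently and that only the matching script runs. Suggest `This tests that no Unicode normalization is applied before hashing: the two strings look alike but are different code points, so only the script whose exact content matches the hash may run.` The "enforcing policy" comment lists `sha256-dWTP4Di8KBjaiXvQ5mRquI9OoBSo921ahYxLfYSiuT8=` while the .headers file sends `sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=`, so the comment should carry the delivered value. `failure` also calls `assert_unreached()` outside any test step; `script1.onerror = script1.test.step_func(failure);` would attribute the failure to the test.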
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
new file mode 100644
index 000000000..a23724f8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-unicode-normalization={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
new file mode 100644
index 000000000..2a1321d24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/=nonce">
+ alert_assert('PASS (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
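Review bot: `alert_assert` ends with `t_log.done()`, but this file never loads logTest.sub.js, so `t_log` is not defined here; the line is only harmless because `assert_unreached` throws before it is reached. The `t_alert.done()` inside the `FAIL` branch is unreachable for the same reason. Both lines should be dropped, or the inline helper replaced by loading `../support/alertAssert.sub.js` with the expected alerts as scriptnonce-basic-blocked does. The identical copy appears in scriptnonce-and-scripthash, scriptnonce-ignore-unsafeinline, scriptnonce-redirect and stylehash-allowed, of which only stylehash-allowed loads logTest.sub.js. Separately, the "enforcing policy" comment lists `'unsafe-inline'`, which the .headers file for this test does not send.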
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..a69c927c9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 000000000..2b333cbea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-and-scripthash</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="nonceynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="nonceynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+ var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+ <script nonce="nonceynonce">
+ alert_assert('PASS (1/3)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/3)');
+
+ </script>
+ <script nonce="nonceynonce">
+ alert_assert('PASS (3/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/2)');
+
+ </script>
+ <script nonce="notanonce">
+ alert_assert('FAIL (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=&apos;%20&apos;sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=&apos;%20&apos;nonce-nonceynonce&apos;"></script>
+</body>
+
+</html>
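Review bot: The `reportValue` passed to checkReport.sub.js expects a violated directive of `script-src 'sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=' 'sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=' 'nonce-nonceynonce'`, but the .headers file delivers `script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'`. How checkReport compares the field is not visible here, but if it matches on the source list, the report check cannot succeed against the delivered policy. The expected value should be derived from the header that is actually sent. A one-line comment on the un-nonced `PASS (2/3)` script, stating that it is the script the sha256 hash is meant to cover, would also help, since the `FAIL (1/2)` script differs from it only in content.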
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
new file mode 100644
index 000000000..afa33e6df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-and-scripthash={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 000000000..4815ca100
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (closely-quoted nonce)');
+
+ </script>
+ <script nonce=" noncynonce ">
+ alert_assert('PASS (nonce w/whitespace)');
+
+ </script>
+ <script nonce="noncynonce noncynonce">
+ alert_assert('FAIL (1/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/3)');
+
+ </script>
+ <script nonce="noncynonceno?">
+ alert_assert('FAIL (3/3)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;nonce-noncynonce&apos;"></script>
+</body>
+
+</html>
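Review bot: The description paragraph was copied from the allowed variant: it says the test covers "a valid script-nonce value", while three of the five scripts here carry a doubled nonce, no nonce or a wrong nonce and must be blocked. Suggest `This tests that scripts without a matching nonce are blocked. It passes if a CSP violation is generated and only the two PASS alerts are executed.` The `nonce=" noncynonce "` case pins whitespace trimming of the attribute value and deserves a comment naming that expectation, since an implementation that compares the attribute exactly would block it. The "enforcing policy" comment lists `'unsafe-inline'`, which the .headers file does not send.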
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee4e8b3f0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..d1b97dfb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='noncynonce'>
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce='noncynonce'>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+
+
+ </script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/=nonce">
+ alert_assert('PASS (2/2)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=script-src%20&apos;nonce-noncynonce&apos;%20&apos;nonce-noncy+/=nonce&apos;%20&apos;unsafe-inline&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..01f7e185a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
new file mode 100644
index 000000000..a17f1fb5c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-redirect</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+ <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+ <script nonce="noncynonce">
+
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
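Review bot: The redirect target is built from `{{host}}:{{ports[http][0]}}`, which looks like the origin the test itself is served from, so both the redirect.py URL and the final alert-pass.js URL would already be allowed by `'self'`. If that is the case, the test passes in a browser that ignores the nonce entirely. Pointing `location=` at a host the source list does not cover (wptserve offers `{{domains[www1]}}` for this) would make the nonce the only thing permitting the load. The empty `<script nonce="noncynonce">` block after it is a conversion leftover and can be removed.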
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
new file mode 100644
index 000000000..8d71f88d5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-redirect={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
new file mode 100644
index 000000000..82cad0347
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-cross-origin-image-from-script</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var x = document.createElement('script');
+ x.src = 'http://{{host}}:{{ports[http][0]}}/content-security-policy/support/inject-image.js';
+ document.body.appendChild(x);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
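Review bot: Nothing in this file listens for the `securitypolicyviolation` event the test is named after; the only check is the report fetched by checkReport.sub.js, and the same is true of the three sibling securitypolicyviolation-block-* tests added below. A `document.addEventListener('securitypolicyviolation', ...)` handler asserting on `e.violatedDirective` and `e.blockedURI` is what would cover the event itself. This file also declares `logs=["TEST COMPLETE"]` but, unlike its siblings, never calls `log("TEST COMPLETE")` in the visible script; unless inject-image.js does so, the log test cannot finish.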
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..723ed281f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
new file mode 100644
index 000000000..9b7dc32e1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-cross-origin-image</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var img = document.createElement('img');
+ img.src = 'http://{{host}}:{{ports[http][0]}}/security/resources/abe.png';
+ document.body.appendChild(img);
+ log("TEST COMPLETE");
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
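Review bot: `img.src` is built from `{{host}}:{{ports[http][0]}}`, which appears to be the same host and port that serve the test, so the blocked URL is probably same-origin and the "strips detail from cross-origin blocked URLs" claim in the description is not exercised. A different registered host, e.g. `img.src = 'http://{{domains[www1]}}:{{ports[http][0]}}/security/resources/abe.png';`, would make the request cross-origin. The report check also looks only at `violated-directive`, so a check on the reported blocked URI would be needed to observe any stripping.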
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
new file mode 100644
index 000000000..d701a476f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
new file mode 100644
index 000000000..33facfbc3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-image-from-script</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var script = document.createElement('script');
+ script.src = '../support/inject-image.js';
+ document.body.appendChild(script);
+ log("TEST COMPLETE");
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
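Review bot: `log("TEST COMPLETE")` runs synchronously right after `document.body.appendChild(script)`, before inject-image.js has been fetched or executed, so the log test completes whether or not the injected image was ever attempted. Setting `script.onload = function() { log("TEST COMPLETE"); };` before the append, and dropping the unconditional call, ties completion to the injected script having run.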
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..6b6084dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
new file mode 100644
index 000000000..3e62e2d35
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-image</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=img-src%20&apos;none&apos;"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
new file mode 100644
index 000000000..1f4f84578
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
new file mode 100644
index 000000000..282b18502
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylehash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/4): The \'#p1\' element\'s text is green, which means the style was correctly applied.","PASS (2/4): The \'#p2\' element\'s text is green, which means the style was correctly applied.","PASS (3/4): The \'#p3\' element\'s text is green, which means the style was correctly applied.","PASS (4/4): The \'#p4\' element\'s text is green, which means the style was correctly applied."]');
+ var expected_alerts = ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.", "PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.", "PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.", "PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p1 is fired.</p>
+ <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p2 is fired.</p>
+ <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p3 is fired.</p>
+ <p id="p4">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p4 is fired.</p>
+ <style>p#p1 { color: green; }</style>
+ <style>p#p2 { color: green; }</style>
+ <style>p#p3 { color: green; }</style>
+ <style>p#p4 { color: green; }</style>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('#p1')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p2')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p3')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p4')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied.");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
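Review bot: The body script repeats the same computed-colour check four times and redeclares `var color` each time; a loop over the four ids keeps the PASS/FAIL strings in one place, which matters because they must match `expected_alerts` exactly. The rewritten script is shown below; the produced messages are unchanged. The "enforcing policy" comment also omits the `'self'` that the .headers file puts first in `style-src`, so the comment should be brought in line with the delivered header.

```html
<script>
  // One check per hashed <style> block; messages must stay identical to expected_alerts.
  ['p1', 'p2', 'p3', 'p4'].forEach(function(id, idx) {
    var tag = (idx + 1) + '/4';
    var color = window.getComputedStyle(document.querySelector('#' + id)).color;
    if (color === "rgb(0, 128, 0)")
      alert_assert("PASS (" + tag + "): The '#" + id + "' element's text is green, which means the style was correctly applied.");
    else
      alert_assert("FAIL (" + tag + "): The '#" + id + "' element's text is " + color + ", which means the style was incorrectly applied.");
  });
</script>
```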
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..2b519e85e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
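Review bot: The second `Cache-Control` line ends in a stray `, false`, which is not a cache directive. It looks like the second argument of a PHP `header()` call carried over when the test was converted. `Cache-Control: post-check=0, pre-check=0` is presumably what was meant, and because `no-store` on the line above already forbids caching, the second line could be dropped altogether. The same line appears in the `.sub.headers` hunks for stylehash-basic-blocked, stylehash-default-src, stylenonce-allowed and stylenonce-blocked.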
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
new file mode 100644
index 000000000..274db0140
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylehash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied."]');
+ var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied."];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>p { color: green; }</style>
+ <style>p { color: red; }</style>
+ <style>p { color: purple; }</style>
+ <style>p { color: blue; }</style>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated.
+ </p>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('p')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS: The 'p' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL: The 'p' element's text is " + color + ", which means the style was incorrectly applied.");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo=&apos;"></script>
+</body>
+
+</html>
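Review bot: The `enforcing policy` comment and the `reportValue` in the checkReport URL both give the directive as `style-src 'sha1-…'`, while the `.sub.headers` file added for this test delivers `style-src 'self' 'sha1-…'`. If checkReport compares the full `violated-directive` string, the report check cannot match. The helper is not visible in this diff, so that needs confirming, but the comment should quote the delivered policy either way. Separately, in `alert_assert` the `t_alert.done()` and `t_log.done()` calls placed after `assert_unreached(...)` never run because the assertion throws, and `t_log` is not defined anywhere in this file.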
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac9ca4e87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
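Review bot: The `style-src` directive relies on a `'sha1-…'` source, but the CSP hash-source grammar only defines `sha256`, `sha384` and `sha512`. A conforming user agent would ignore that expression and block all four inline styles, so the page's "text is green" check only passes on engines with non-standard SHA-1 support. Consider swapping in the SHA-256 digest of the same style text, e.g. `style-src 'self' 'sha256-<base64 digest of "p { color: green; }">'` (placeholder, to be computed). The policy comment and `reportValue` in stylehash-basic-blocked.sub.html would need the same update.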
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
new file mode 100644
index 000000000..159338c6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>stylehash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+
+ <body>
+ <p id="p">Test</p>
+ <style>p#p { color: green; }</style>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('#p')).color;
+ assert_equals(color, "rgb(0, 128, 0)");
+ done();
+ </script>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+</html>
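Review bot: This test only checks the positive case, so it cannot tell "the hash in `default-src` was honoured" apart from "`default-src` was not enforced for inline styles at all"; a user agent that skips the fallback would still show green and pass. A negative control would close that gap, for example a second element with a non-matching `<style>p#q { color: red; }</style>` and `assert_not_equals(window.getComputedStyle(document.querySelector('#q')).color, "rgb(255, 0, 0)");`. The checkReport URL would then need `reportExists=true`. The bare `assert_equals`/`done()` pair relies on testharness single-page mode, which deserves a one-line comment such as `<!-- single-page test: asserts run outside test() -->`.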
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..8efe9d965
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
new file mode 100644
index 000000000..c8622ba24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylenonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self' nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script></script>
+ <style nonce="noncynonce">
+ #test1 {
+ color: green;
+ }
+
+ </style>
+ <style>
+ #test1 {
+ color: red;
+ }
+
+ </style>
+ <style nonce="noncynonce">
+ #test2 {
+ color: green;
+ }
+
+ </style>
+</head>
+
+<body>
+ <p id="test1">This text should be green.</p>
+ <p id="test2">This text should also be green.</p>
+ <script>
+ var el = document.querySelector('#test1');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+ var el = document.querySelector('#test2');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+
+ </script>
+ <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;nonce-noncynonce&apos;%20&apos;nonce-noncy+/=nonce&apos;"></script>
+</body>
+
+</html>
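Review bot: The delivered policy and the expected `reportValue` both list `'nonce-noncy+/=nonce'`, yet no `<style>` in this file carries that nonce, so nonce values containing `+`, `/` and `=` are never exercised. Adding `<style nonce="noncy+/=nonce">#test3 { color: green; }</style>` with a matching `<p id="test3">` and assertion would cover it. The `enforcing policy` comment also drops the opening quote in `nonce-noncynonce'`, which reads as a different (invalid) source expression from the one the header sends. The two `test(function() {...})` calls have no name argument, so both fall back to the document title and are hard to tell apart in results.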
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..28c85c91a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
new file mode 100644
index 000000000..43204f64d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylenonce-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <link rel="stylesheet" type="text/css" href="allowed.css">
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script></script>
+ <style nonce="noncynonce">
+ #test {
+ color: red;
+ }
+
+ </style>
+</head>
+
+<body>
+ <p id="test">This text should be green.</p>
+ <script>
+ var el = document.querySelector('#test');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+
+ </script>
+ <p>Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>
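Review bot: Nothing in this file explains why `#test` is expected to be green when the only inline rule sets it to red. The green presumably comes from `allowed.css`, which is loaded under `style-src 'self'` but is not shown in this hunk. A comment above the inline style would make the intent clear, e.g. `<!-- nonce is not listed in style-src, so this rule must be blocked; green comes from allowed.css -->`. As written, the test would also fail if `allowed.css` failed to load for unrelated reasons, so naming the `test()` call (e.g. `"inline style with unlisted nonce is not applied"`) would help when triaging.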
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e51a02dd0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}