Check CSP for inline event handlers (#36510)

This also ensures that document now reports all violations and we set
the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437 

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

21 files changed, 0 insertions, 439 deletions

diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
deleted file mode 100644
index 3cf8d56a5d6..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
+++ /dev/null
@@ -1,25 +0,0 @@
-[allow_csp_from-header.html]
-  expected: TIMEOUT
-  [Same origin iframes with an empty Allow-CSP-From header get blocked.]
-    expected: FAIL
-
-  [Same origin iframes without Allow-CSP-From header gets blocked.]
-    expected: FAIL
-
-  [Same origin iframes are blocked if Allow-CSP-From does not match origin.]
-    expected: FAIL
-
-  [Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
-    expected: FAIL
-
-  [Cross origin iframe without Allow-CSP-From header gets blocked.]
-    expected: FAIL
-
-  [Iframe with improper Allow-CSP-From header gets blocked.]
-    expected: FAIL
-
-  [Star Allow-CSP-From header enforces EmbeddingCSP.]
-    expected: TIMEOUT
-
-  [Allow-CSP-From header enforces EmbeddingCSP.]
-    expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini
deleted file mode 100644
index 31c147a6ece..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[blocked-iframe-are-cross-origin.html]
-  [Document blocked by embedded enforcement and its parent are cross-origin]
-    expected: FAIL
-
-  [Two same-origin iframes must appear as cross-origin when one is blocked]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini
deleted file mode 100644
index c8205878128..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[change-csp-attribute-and-history-navigation.html]
-  [Iframe csp attribute changed before history navigation of local scheme.]
-    expected: FAIL
-
-  [Iframe csp attribute changed before history navigation of network scheme.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
deleted file mode 100644
index 551c76a0058..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[idlharness.window.html]
-  [HTMLIFrameElement interface: attribute csp]
-    expected: FAIL
-
-  [HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
deleted file mode 100644
index 000df37abc1..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[iframe-csp-attribute.html]
-  [<iframe> has a 'csp' attibute which is an empty string if undefined.]
-    expected: FAIL
-
-  [<iframe>'s csp attribute is always a string.]
-    expected: FAIL
-
-  [<iframe>'s 'csp content attribute reflects the IDL attribute.]
-    expected: FAIL
-
-  [<iframe>'s IDL attribute reflects the DOM attribute.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
deleted file mode 100644
index 19ac0a5a7e6..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
+++ /dev/null
@@ -1,27 +0,0 @@
-[required-csp-header-cascade.html]
-  [Test same origin: Test same policy for both iframes]
-    expected: FAIL
-
-  [Test same origin: Test more restrictive policy on second iframe]
-    expected: FAIL
-
-  [Test same origin: Test less restrictive policy on second iframe]
-    expected: FAIL
-
-  [Test same origin: Test no policy on second iframe]
-    expected: FAIL
-
-  [Test same origin: Test no policy on first iframe]
-    expected: FAIL
-
-  [Test same origin: Test invalid policy on first iframe (bad directive name)]
-    expected: FAIL
-
-  [Test same origin: Test invalid policy on first iframe (report directive)]
-    expected: FAIL
-
-  [Test same origin: Test invalid policy on second iframe (bad directive name)]
-    expected: FAIL
-
-  [Test same origin: Test invalid policy on second iframe (report directive)]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
deleted file mode 100644
index 784d7df63b8..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
+++ /dev/null
@@ -1,141 +0,0 @@
-[required_csp-header.html]
-  [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
-    expected: FAIL
-
-  [Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
-    expected: FAIL
-
-  [Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
-    expected: FAIL
-
-  [Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
-    expected: FAIL
-
-  [Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
-    expected: FAIL
-
-  [Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
-    expected: FAIL
-
-  [Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
-    expected: FAIL
-
-  [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
-    expected: FAIL
-
-  [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
-    expected: FAIL
-
-  [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
-    expected: FAIL
-
-  [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
-    expected: FAIL
-
-  [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
-    expected: FAIL
-
-  [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
-    expected: FAIL
-
-  [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
-    expected: FAIL
-
-  [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
-    expected: FAIL
-
-  [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
-    expected: FAIL
-
-  [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
-    expected: FAIL
-
-  [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
-    expected: FAIL
-
-  [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
-    expected: FAIL
-
-  [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
-    expected: FAIL
-
-  [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
-    expected: FAIL
-
-  [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
-    expected: FAIL
-
-  [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
-    expected: FAIL
-
-  [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
-    expected: FAIL
-
-  [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
-    expected: FAIL
-
-  [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
-    expected: FAIL
-
-  [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
deleted file mode 100644
index 17be9612c26..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-[subsumption_algorithm-general.html]
-  [Iframe with empty returned CSP should be blocked.]
-    expected: FAIL
-
-  [Iframe with less restricting CSP should be blocked.]
-    expected: FAIL
-
-  [Iframe with a different CSP should be blocked.]
-    expected: FAIL
-
-  [Host wildcard *.a.com does not match a.com]
-    expected: FAIL
-
-  [Iframe should block if intersection allows sources which are not in required_csp.]
-    expected: FAIL
-
-  [Iframe should block if intersection allows sources which are not in required_csp (other ordering).]
-    expected: FAIL
-
-  [Removed plugin-types directive should be ignored 3.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
deleted file mode 100644
index 52a06599411..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
+++ /dev/null
@@ -1,18 +0,0 @@
-[subsumption_algorithm-hashes.html]
-  [Returned should not include hashes not present in required csp.]
-    expected: FAIL
-
-  [Hashes do not have to be present in returned csp but must not allow all inline behavior.]
-    expected: FAIL
-
-  [Other expressions have to be subsumed.]
-    expected: FAIL
-
-  [Required csp must allow 'sha256-abc123'.]
-    expected: FAIL
-
-  [Effective policy is properly found where 'sha256-abc123' is not subsumed.]
-    expected: FAIL
-
-  ['sha256-abc123' is not subsumed by 'sha256-abc456'.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
deleted file mode 100644
index d45034b98bb..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-host_sources-hosts.html]
-  [Host must match.]
-    expected: FAIL
-
-  [Hosts without wildcards must match.]
-    expected: FAIL
-
-  [More specific subdomain should not match.]
-    expected: FAIL
-
-  [Specified host should not match a wildcard host.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
deleted file mode 100644
index a209654a16a..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[subsumption_algorithm-host_sources-paths.html]
-  [Returned CSP must specify a path.]
-    expected: FAIL
-
-  [Empty path is not subsumed by specified paths.]
-    expected: FAIL
-
-  [That should not be true when required csp specifies a specific page.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
deleted file mode 100644
index 71eee1cc3a6..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-host_sources-ports.html]
-  [Specified ports must match.]
-    expected: FAIL
-
-  [Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
-    expected: FAIL
-
-  [Wildcard port should not be subsumed by a default port.]
-    expected: FAIL
-
-  [Wildcard port should not be subsumed by a spcified port.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
deleted file mode 100644
index 7667e7f2f15..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-host_sources-protocols.html]
-  [`https` is more restrictive than `http`.]
-    expected: FAIL
-
-  [`http:` does not subsume other protocols.]
-    expected: FAIL
-
-  [If scheme source is present in returned csp, it must be specified in required csp too.]
-    expected: FAIL
-
-  [All scheme sources must be subsumed.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini
deleted file mode 100644
index beac34a684b..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[subsumption_algorithm-nonces.html]
-  [A nonce has to be returned if required by the embedder.]
-    expected: FAIL
-
-  [Nonce intersection is still done on exact match - matching nonces.]
-    expected: FAIL
-
-  [Other expressions still have to be subsumed - negative test]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
deleted file mode 100644
index 32ef4ddd0df..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-[subsumption_algorithm-none.html]
-  [Required policy that allows `none` does not subsume empty list of policies.]
-    expected: FAIL
-
-  [Required csp with effective `none` does not subsume a host source expression.]
-    expected: FAIL
-
-  [Required csp with `none` does not subsume a host source expression.]
-    expected: FAIL
-
-  [Required csp with effective `none` does not subsume `none` of another directive.]
-    expected: FAIL
-
-  [Required csp with `none` does not subsume `none` of another directive.]
-    expected: FAIL
-
-  [Required csp with `none` does not subsume `none` of different directives.]
-    expected: FAIL
-
-  [Both required and returned csp are `none` for only one directive.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
deleted file mode 100644
index 6fc6208a3db..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[subsumption_algorithm-self.html]
-  [Returned CSP must not allow 'self' if required CSP does not.]
-    expected: FAIL
-
-  [Returned 'self' should not be subsumed by a more secure version of origin's url.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini
deleted file mode 100644
index bb05e009d9e..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini
+++ /dev/null
@@ -1,45 +0,0 @@
-[subsumption_algorithm-source_list-wildcards.html]
-  [Wildcard does not subsume empty list.]
-    expected: FAIL
-
-  [Empty source list does not subsume a wildcard source list.]
-    expected: FAIL
-
-  ['none' does not subsume a wildcard source list.]
-    expected: FAIL
-
-  [Wildcard source list does not subsume `data:` scheme source expression.]
-    expected: FAIL
-
-  [Wildcard source list does not subsume `blob:` scheme source expression.]
-    expected: FAIL
-
-  [Source expressions do not subsume effective nonce expressions.]
-    expected: FAIL
-
-  [Wildcard source list is not subsumed by a host expression.]
-    expected: FAIL
-
-  [Wildcard list with keywords is not subsumed by a wildcard list.]
-    expected: FAIL
-
-  [Wildcard list with 'unsafe-hashes' is not subsumed by a wildcard list.]
-    expected: FAIL
-
-  [Wildcard list with 'unsafe-inline' is not subsumed by a wildcard list.]
-    expected: FAIL
-
-  [Wildcard list with 'unsafe-eval' is not subsumed by a wildcard list.]
-    expected: FAIL
-
-  [Wildcard list with 'unsafe-eval' is not subsumed by list with a single expression.]
-    expected: FAIL
-
-  [The same as above but for 'unsafe-inline'.]
-    expected: FAIL
-
-  [`data:` is not subsumed by a wildcard list.]
-    expected: FAIL
-
-  [`blob:` is not subsumed by a wildcard list.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
deleted file mode 100644
index 1ac21eb5c3f..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[subsumption_algorithm-strict_dynamic.html]
-  ['strict-dynamic' is effective only for `script-src`.]
-    expected: FAIL
-
-  ['strict-dynamic' is properly handled for finding effective policy.]
-    expected: FAIL
-
-  ['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
deleted file mode 100644
index e5f8147c981..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-unsafe_eval.html]
-  [No other keyword has the same effect as 'unsafe-eval'.]
-    expected: FAIL
-
-  [Other expressions have to be subsumed.]
-    expected: FAIL
-
-  [Required csp must allow 'unsafe-eval'.]
-    expected: FAIL
-
-  [Effective policy is properly found where 'unsafe-eval' is not subsumed.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
deleted file mode 100644
index be8fe1e17a1..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-unsafe_hashes.html]
-  [No other keyword has the same effect as 'unsafe-hashes'.]
-    expected: FAIL
-
-  [Other expressions have to be subsumed.]
-    expected: FAIL
-
-  [Required csp must allow 'unsafe-hashes'.]
-    expected: FAIL
-
-  [Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
-    expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
deleted file mode 100644
index 7921da71005..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
+++ /dev/null
@@ -1,18 +0,0 @@
-[subsumption_algorithm-unsafe_inline.html?9-last]
-  [Required csp allows `strict-dynamic`, but retuned csp does.]
-    expected: FAIL
-
-  [Required csp does not allow `unsafe-inline`, but retuned csp does.]
-    expected: FAIL
-
-  [Returned csp allows a nonce.]
-    expected: FAIL
-
-  [Returned csp allows a hash.]
-    expected: FAIL
-
-  [Effective returned csp allows 'unsafe-inline']
-    expected: FAIL
-
-
-[subsumption_algorithm-unsafe_inline.html?1-8]