authorJosh Matthews <josh@joshmatthews.net>2017-10-30 09:31:22 -0400
committerJosh Matthews <josh@joshmatthews.net>2017-10-30 18:26:08 -0400
commit75736751d9ffa1489c67387b89b79d7ebd06611c (patch)
treeda615fa4454d45743b6fe656d3fc9a1643695158 /tests/wpt/web-platform-tests/content-security-policy/script-src
parent1b73cf33525afbbe2d077554d1965b74ef9ae5e3 (diff)
downloadservo-75736751d9ffa1489c67387b89b79d7ebd06611c.tar.gz
servo-75736751d9ffa1489c67387b89b79d7ebd06611c.zip
Update web-platform-tests to revision 14cfa4d648cc1c853b4153268df672d21425f8c1
Diffstat (limited to 'tests/wpt/web-platform-tests/content-security-policy/script-src')
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js5
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js10
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html24
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html24
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js11
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html8
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html3
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html4
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html9
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html15
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html10
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html2
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers5
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html2
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers5
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html27
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html10
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers3
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html2
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers3
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html63
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html42
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html72
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html20
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html56
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html72
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html68
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html79
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html43
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html74
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html62
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html35
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js5
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js1
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js5
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers1
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js7
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers1
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js6
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers1
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js5
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers1
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html38
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html37
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html41
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html32
-rw-r--r--tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html32
62 files changed, 1053 insertions, 106 deletions
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
index 7b6e85210d0..9bfe201711a 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
@@ -1 +1,4 @@
-var dataScriptRan = false; \ No newline at end of file
+var dataScriptRan = false;
+
+var t_spv = async_test("Test that no report violation event was raised");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have raised any securitypolicyviolation event")); \ No newline at end of file
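Review bot: `t_spv` is an `async_test` whose completion is not in this file; it is finished only by `t_spv.done()` in 10_1_support_2.js (next hunk), so the `unreached_func` guard registered here depends on the test page loading both support scripts in that order. A comment would make that contract visible to anyone editing either file, e.g. `// Finished by t_spv.done() in 10_1_support_2.js, which the test page loads after the data: script under test.` Since the listener is attached before that script runs, a violation it raises is observed only while `t_spv` is still open, so the two files must not be reordered.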
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js
index ba586810f5f..6e6c15d2235 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js
@@ -1,3 +1,5 @@
test(function () {
assert_true(dataScriptRan, "data script ran");
- }, "Verify that data: as script src runs with this policy"); \ No newline at end of file
+ }, "Verify that data: as script src runs with this policy");
+
+t_spv.done(); \ No newline at end of file
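Review bot: `t_spv.done()` runs synchronously while this script is parsed, so the test is closed the moment the data: script before it has executed; the CSP specification fires `securitypolicyviolation` from a queued task, so if the implementation follows it a violation raised by that script arrives after `done()` and the `unreached_func` listener from 10_1_support_1.js can no longer fail the test. Deferring completion, as inlineSuccessTest.js in this same commit does from `onload`, keeps the negative check meaningful: `window.addEventListener("load", function() { t_spv.done(); });`. Whether the engine under test really defers the event is inferred from the spec rather than visible here, so confirm against the engine before treating the current form as a vacuous pass.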
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
index cd093ac9423..a5d91dcab0f 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -1,4 +1,14 @@
(function () {
+ var t_spv = async_test("Test that securitypolicyviolation event is fired");
+ var test_count = 2;
+
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
var dmTest = async_test("DOM manipulation inline tests");
var attachPoint = document.getElementById('attachHere');
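Review bot: The listener is wrapped in `t_spv.step_func_done`, which completes `t_spv` after its first invocation, so the `test_count` counter and the explicit `t_spv.done()` inside the callback are dead code and the test passes when only one of the two expected violations fires; the second event hits an already-completed test and its `assert_equals` is never evaluated. Using `window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {` instead lets the counter decide when the test is complete, which is what the code appears to intend and what inlineTests.js in this commit does. The IIFE this hunk opens continues past the end of the hunk.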
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html
new file mode 100644
index 00000000000..5a8cdec8472
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'">
+ <title>injected-inline-script-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass 1 of 2","Pass 2 of 2"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+ </script>
+ <script src="support/inject-script.js"></script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html
new file mode 100644
index 00000000000..07e2ae2871c
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+ <title>injected-inline-script-blocked</title>
+ <script nonce='abc' src="/resources/testharness.js"></script>
+ <script nonce='abc' src="/resources/testharnessreport.js"></script>
+ <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src",]'></script>
+ <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <script nonce='abc'>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+ <script src="support/inject-script.js"></script>
+ <div id="log"></div>
+</body>
+
+</html>
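Review bot: The `logs` parameter on the logTest.sub.js script carries a trailing comma inside the array, `["violated-directive=script-src",]`; whether that is accepted depends on how logTest.sub.js consumes the value (a JavaScript array literal tolerates it, `JSON.parse` rejects it), and the sibling injected-inline-script-allowed.sub.html in this commit does not use one. Dropping it removes the ambiguity: `<script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>`. The single expected entry also assumes inject-script.js, which is not in this chunk, injects exactly one inline script.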
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js
index ea2be272a20..1f0d7ae7154 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -1,3 +1,6 @@
+var t_spv = async_test("Should not fire policy violation events");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should have not fired any securitypolicyviolation event"));
+
var inlineRan = false;
onload = function() {
@@ -5,4 +8,5 @@ onload = function() {
assert_true(inlineRan, 'Unsafe inline script ran.')},
'Inline script in a script tag should run with an unsafe-inline directive'
);
+ t_spv.done();
} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
index 6e76b0a1781..0c6e5446041 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
@@ -1,4 +1,13 @@
var t1 = async_test("Inline script block");
var t2 = async_test("Inline event handler");
-onload = function() {t1.done(); t2.done()} \ No newline at end of file
+onload = function() {t1.done(); t2.done()}
+
+var t_spv = async_test("Should not fire policy violation events");
+var test_count = 2;
+window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+}));
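Review bot: The new test is named "Should not fire policy violation events" but its listener asserts that two `securitypolicyviolation` events with `violatedDirective === "script-src"` do arrive and only then calls `t_spv.done()`; the name states the opposite of the check and will mislead anyone reading a results log. Rename it to match the behaviour, e.g. `var t_spv = async_test("Should fire a securitypolicyviolation event for each blocked inline script");`. The count of 2 corresponds to the inline script block and the inline event handler covered by `t1` and `t2`, which is worth stating in a one-line comment above `test_count`.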
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html
index a8dd14f1c89..e02d66ae9c9 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>Window.open should not open javascript url if not allowed.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
<script nonce='abc' src='/resources/testharness.js'></script>
<script nonce='abc' src='/resources/testharnessreport.js'></script>
</head>
@@ -15,8 +16,5 @@
window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');
</script>
-
- <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
-
</body>
</html>
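Review bot: Removing the checkReport script leaves this test with no positive evidence that the policy blocked the `javascript:` URL; the remaining `assert_unreached` inside the URL only shows that it did not run, which is also the outcome if `window.open` is suppressed for an unrelated reason such as popup blocking. The sibling tests in this commit (script-src-1_4.html, script-src-1_10.html) replaced the report check with a `securitypolicyviolation` listener asserting `e.violatedDirective === "script-src"`, and the same would be worth adding here in a `nonce='abc'` script before the `window.open` call. One caveat: the `javascript:` URL is evaluated in the opened about:blank window, which inherits this page's policy, so confirm whether the event is dispatched to that window or to this one before relying on a listener registered here.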
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html
index c83f512bff5..d66253c6a19 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
<script src='inlineTests.js'></script>
@@ -15,8 +16,5 @@
</script>
<img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
-
- <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
-
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
deleted file mode 100644
index d91fe1c87f1..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html
index 137a16421db..a1bfdaeb15b 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
@@ -11,6 +12,11 @@
<script>
var dataScriptRan = false;
+ var t_spv = async_test("Test that securitypolicyviolation event is fired");
+
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ }));
</script>
<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
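Review bot: With a policy consisting only of `default-src 'self' 'unsafe-inline'`, the assertion `assert_equals(e.violatedDirective, "script-src")` pins CSP3 semantics, where `violatedDirective` reports the effective directive; the report check this commit removes from the same file instead expected the matched directive text `default-src 'self' 'unsafe-inline'`, which is what CSP2-era implementations report. The change in expected value is intentional but silent, so a comment above the listener would stop the next reader from treating it as a typo, e.g. `// default-src governs here; CSP3 reports the effective directive ("script-src"), not the default-src text.`. If the engine under test still reports the directive text, this assertion, not the blocking, is what fails.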
@@ -21,7 +27,5 @@
assert_false(dataScriptRan, "data script ran");
}, "Verify that data: as script src doesn't run with this policy");
</script>
-
- <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
deleted file mode 100644
index 6c0c0fd0a76..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html
index f1bfee2000a..a1e2f72cdb7 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' data:;">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
@@ -14,7 +15,5 @@
<script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
<script src="10_1_support_2.js"></script>
-
- <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
</body>
</html> \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
deleted file mode 100644
index dfb6f345fc7..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' data:; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html
index a41310da9e7..a68945cb853 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src *;">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
<script src='inlineTests.js'></script>
@@ -15,8 +16,5 @@
</script>
<img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
-
- <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
-
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
deleted file mode 100644
index 4cf9c695051..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html
index 255f5df9ce1..2641c867f63 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src *;">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
@@ -16,8 +17,5 @@
<div id=emptyDiv></div>
<script src="addInlineTestsWithDOMManipulation.js"></script>
-
- <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
-
</body>
</html> \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
deleted file mode 100644
index 9c58f0efcd5..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html
index 30e6f6870a8..bf7a6921b4d 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
<script src='inlineSuccessTest.js'></script>
@@ -13,8 +14,5 @@
<script>
inlineRan = true;
</script>
-
- <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
-
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
deleted file mode 100644
index 8227c6272dc..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
index 5293183d300..bfc66b2a8d0 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
@@ -10,6 +11,11 @@
<div id='log'></div>
<script>
+ var t_spv = async_test("Test that securitypolicyviolation event is fired");
+
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ }));
var evalRan = false;
@@ -18,8 +24,5 @@
test(function() {assert_false(evalRan);})
</script>
-
- <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
-
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
deleted file mode 100644
index 28ad14b609d..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html
index 31664a16987..522b9c5f7c8 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
@@ -12,15 +13,21 @@
<script>
var t1 = async_test("window.setTimeout()");
var t2 = async_test("window.setInterval()");
+ var t_spv = async_test("Test that securitypolicyviolation event is fired");
+ var test_count = 2;
+
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
onload = function() {t1.done(); t2.done()}
window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
-
</script>
-
- <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
-
</body>
</html>
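Review bot: The listener is wrapped in `t_spv.step_func_done`, which completes `t_spv` on the first `securitypolicyviolation`; the `test_count` counter and the `t_spv.done()` inside the callback are therefore dead, and the test passes even if only one of the two blocked calls (`setTimeout` and `setInterval` with string arguments) raises a violation, because the second event is silently ignored by the completed test. Use `window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {` so that the counter actually gates completion, as inlineTests.js in this same commit does. `t1` and `t2` are still finished unconditionally from `onload`, so they pass regardless of how many violations arrive.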
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
deleted file mode 100644
index 6bd48d1ded7..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
index 31382936f47..0ee6f587c5c 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -2,6 +2,7 @@
<html>
<head>
<title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
@@ -10,6 +11,12 @@
<div id='log'></div>
<script>
+ var t_spv = async_test("Test that securitypolicyviolation event is fired");
+
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ }));
+
test(function() {
assert_throws(
@@ -20,8 +27,5 @@
})}, "Unsafe eval ran in Function() constructor.");
</script>
-
- <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
-
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
deleted file mode 100644
index 314849bb972..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
index 75ff3424c05..70b31457278 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
@@ -22,7 +22,5 @@
t.done();
});
</script>
-
- <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
index 36203b7643a..89f99e621f8 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
-Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; \ No newline at end of file
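Review bot: Dropping `report-uri` here removes the only check that this page generates no violation, because the companion hunk in script-src-multiple-policies-multiple-hashing-algorithms.html deletes the `checkReport.sub.js?reportExists=false` script without registering a replacement; the same applies to script-src-multiple-policies-one-using-hashing-algorithms.html and its headers file. The in-page equivalent is a listener in the page's nonce'd script, e.g. `window.addEventListener("securitypolicyviolation", t.unreached_func("no violation expected"));`, using the `t` that page already declares, as the other converted tests in this commit do. The trailing `;` left at the end of each policy line is harmless but unnecessary.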
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
index 34fed6d94b3..da9e60f8743 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
@@ -22,7 +22,5 @@
t.done();
});
</script>
-
- <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
index 114c560b28c..83fe7f7005e 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
-Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms-work={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html
new file mode 100644
index 00000000000..5a0dfe50e15
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';">
+ <title>script-src-overrides-default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+ </script>
+</head>
+
+<body onload="log(&apos;PASS 2 of 2&apos;)">
+ <script>
+ log('PASS 1 of 2');
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
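Review bot: The `securitypolicyviolation` listener at L634-636 reports every violation as `log("Fail")`, so a violation of `style-src` or `connect-src` from the harness itself would be indistinguishable from the script-src regression this test targets. Keep the directive in the message, `log("Fail: " + e.violatedDirective);`, so a failure identifies which directive fired. The `onload` handler attribute on `<body>` at L640 is an intentional inline script (the policy carries `'unsafe-inline'`), but a short comment saying so would stop the next reader from treating it as an oversight.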
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
index f0f7bcb7a04..16428b1a4de 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
@@ -8,6 +8,11 @@
</head>
<body>
<script nonce="abc">
+ var t_spv = async_test("Should fire securitypolicyviolation event");
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ assert_equals(e.disposition, "report");
+ }));
var externalRan = false;
</script>
<script src='./externalScript.js'
@@ -16,8 +21,5 @@
test(function() {
assert_true(externalRan, 'External script ran.');
}, 'External script in a script tag with matching SRI hash should run.');
- </script>
-
- <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
-</body>
+ </script></body>
</html>
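Review bot: The second hunk joins `</script>` and `</body>` onto one line at L673, which is a formatting regression rather than a functional change; keep `</script>` and `</body>` on separate lines as the rest of the file does. The listener added in the first hunk is the right replacement for the removed report check, since it asserts both `violatedDirective` and `disposition`.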
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
index 0ccfd507f65..7f03464d4d3 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
-Set-Cookie: script-src-report-only-policy-works-with-external-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
-Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
+Content-Security-Policy-Report-Only: script-src 'nonce-abc'; \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
index 82a88791bd5..9ae66611ea5 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
@@ -27,7 +27,5 @@
t.done();
});
</script>
-
- <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
</body>
</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
index eaf175a8785..1237c247a67 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
-Set-Cookie: script-src-report-only-policy-works-with-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
-Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
+Content-Security-Policy-Report-Only: script-src 'nonce-abc'; \ No newline at end of file
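Review bot: Removing the `report-uri` from the Report-Only policy leaves script-src-report-only-policy-works-with-hash-policy.html with no check that a report-only violation was actually produced: its hunk only deletes the `checkReport.sub.js?reportField=violated-directive...` script and, unless a part of the file outside this diff already does so, registers no `securitypolicyviolation` listener. The external-hash-policy sibling in this commit adds one (`async_test` plus `step_func_done` asserting `e.violatedDirective === "script-src"` and `e.disposition === "report"`); the same lines belong in this page's nonce'd script.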
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
new file mode 100644
index 00000000000..7bf3d89b672
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';">
+ <title>script-src disallowed wildcard use</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script nonce="nonce">
+ var t1 = async_test('data: URIs should not match *');
+ t1.step(function() {
+ var script = document.createElement("script");
+ script.src = 'data:application/javascript,';
+ script.addEventListener('load', t1.step_func(function() {
+ assert_unreached('Should not successfully load data URI.');
+ }));
+ script.addEventListener('error', t1.step_func(function() {
+ t1.done();
+ }));
+ document.head.appendChild(script);
+ });
+
+ var t2 = async_test('blob: URIs should not match *');
+ t2.step(function() {
+ var b = new Blob([''], { type: 'application/javascript' });
+ var script = document.createElement('script');
+ script.addEventListener('load', t2.step_func(function() {
+ assert_unreached('Should not successfully load blob URI.');
+ }));
+ script.addEventListener('error', t2.step_func(function() {
+ t2.done();
+ }));
+
+ script.src = URL.createObjectURL(b);
+ document.head.appendChild(script);
+ });
+
+ var t3 = async_test('filesystem URIs should not match *');
+ if (window.webkitRequestFileSystem) {
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ var script = document.createElement('script');
+
+ script.addEventListener('load', t3.step_func(function() {
+ assert_unreached('Should not successfully load filesystem URI.');
+ }));
+ script.addEventListener('error', t3.step_func(function() {
+ t3.done();
+ }));
+
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ });
+ });
+ });
+ } else {
+ t3.done();
+ }
+ </script>
+ </body>
+</html>
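Review bot: The filesystem branch of t3 (L756-773) passes no error callbacks to `webkitRequestFileSystem`, `getFile` or `createWriter`, so if quota or file creation fails the test neither passes nor fails and only ends on harness timeout. Pass `t3.unreached_func('filesystem setup failed')` as the error callback of each of the three calls so a setup failure is reported as a failure of t3. In t2 the object URL created at L751 is never released; calling `URL.revokeObjectURL` in the load and error handlers keeps the blob from outliving the test.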
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
new file mode 100644
index 00000000000..c46a99136d8
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';">
+ <title>scripthash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+ </script>
+
+ <script>
+ alert_assert('PASS (1/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (3/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
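Review bot: The external `<script src=".../alertAssert.sub.js?...">` at L795 is never closed, so the parser treats everything up to the `</script>` at L800 as its (ignored) content and the `securitypolicyviolation` listener at L797-799 is never registered. Close it, `...%5D"></script>`, and since the policy at L791 lists exactly four hashes for the four PASS scripts, give the listener script the nonce the policy also allows, `<script nonce="abc">`, or it will itself be the violation it is meant to catch.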
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
new file mode 100644
index 00000000000..d254053eced
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self';">
+ <title>scripthash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+ </script>
+
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (3/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
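Review bot: The listener at L845-847 turns every `securitypolicyviolation` into `alert_assert("Fail")`, yet the test expects the four FAIL scripts to be blocked, each of which fires such an event; this can only pass if the listener script, which carries no nonce and whose hash may or may not be one of the two in the policy, is itself blocked, which makes the listener dead markup at best. scriptnonce-and-scripthash.sub.html in this commit shows the intended pattern: report `"violated-directive=" + e.violatedDirective` and put the expected number of those entries in `expected_alerts`. The same listener appears in scripthash-ignore-unsafeinline.sub.html. Separately, `t_log.done()` at L871 refers to a variable this page never declares; it is unreachable because `assert_unreached` throws first, but the same dead line is copied into the other converted tests and should read `t_alert.done()` or be dropped.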
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
new file mode 100644
index 00000000000..6025a67179f
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'nonce-abc' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self';">
+ <title>script-hash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='abc'>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ test(function() { assert_unreached("Should not have fired event")});
+ });
+ </script>
+
+ <script>done();</script>
+ </head>
+
+ <body>
+ <div id="log"></div>
+ </body>
+</html>
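Review bot: The `<script>done();</script>` at L925 carries no nonce, so it can only run by matching the sha256 hash in the `default-src` policy at L915; a comment next to it, e.g. `<!-- no nonce on purpose: allowed only via the default-src hash -->`, documents what the test actually exercises, since the title alone does not say which script is hash-allowed. The listener at L920-922 calls `test()` after `done()` has already run, so if an event does fire it is presumably surfaced as a harness error rather than a named failed test; an `async_test` whose listener is `t.unreached_func(...)` and which is finished after load would report it as a test.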
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 00000000000..d7af328f4e3
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4=' 'sha256-lxHfHAe5I15v8qaArcZ5WiKmLU4CjV+3tJeQUqSIWBk='; connect-src 'self';">
+
+ <title>scripthash-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>window.addEventListener('securitypolicyviolation', function(e) { alert_assert("Fail"); })</script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid hash value disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
new file mode 100644
index 00000000000..0c303630331
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';">
+ <title>scripthash-unicode-normalization</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+ <!-- The following two scripts contain two separate code points (U+00C5
+ and U+212B, respectively) which, depending on your text editor, might be
+ rendered the same.However, their difference is important because, under
+ NFC normalization, they would become the same code point, which would be
+ against the spec. This test, therefore, validates that the scripts have
+ *different* hash values. -->
+ <script nonce="nonceynonce">
+ var t_spv = async_test("Should fire securitypolicyviolation");
+ window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ }));
+
+ var matchingContent = 'Å';
+ var nonMatchingContent = 'Å';
+
+ // This script should have a hash value of
+ // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+ var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+ // This script should have a hash value of
+ // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+ var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+ var script1 = document.createElement('script');
+ var script2 = document.createElement('script');
+
+ script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+ var failure = function() {
+ assert_unreached();
+ }
+
+ window.finish = function(content) {
+ if (content == matchingContent) {
+ script1.test.step(function() {
+ script1.test.done();
+ });
+ } else {
+ script1.test.step(function() {
+ assert_unreached("nonMatchingContent script ran");
+ });
+ }
+ }
+
+ script1.onerror = failure;
+
+ document.body.appendChild(script2);
+ script2.textContent = scriptContent2;
+ document.body.appendChild(script1);
+ script1.textContent = scriptContent1;
+ </script>
+
+ <p>
+ This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
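Review bot: `failure` at L1041-1043 calls `assert_unreached()` outside any test step, so a load error on script1 would presumably surface as an uncaught harness error rather than a failure of `script1.test`; use `script1.onerror = script1.test.unreached_func("script1 failed to load");` instead. The description paragraph at L1066 also contradicts the comment at L1013-1018 and the test's own expectation: it says the strings 'should be the same when the hash is taken', while the test requires them to hash differently (the second script must be blocked and fire a violation). Suggested wording: 'While appearing the same, the strings in the scripts are different Unicode code points, and the hash must be computed without normalization, so only the first script matches.'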
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
new file mode 100644
index 00000000000..46fdabd62c5
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';">
+ <title>scriptnonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/nonce=">
+ alert_assert('PASS (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
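Review bot: The 'enforcing policy' comment at L1125-1127 lists `'unsafe-inline'`, but the actual `<meta>` policy at L1083 does not include it, so the comment misdescribes what the test enforces; update it to `script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';`. In the other converted tests in this commit the comment and the meta agree, so this looks like a leftover from the original reftest. The `log()` helper at L1088-1092 is defined but never called.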
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 00000000000..94a39973af2
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';">
+ <title>scriptnonce-and-scripthash</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="nonceynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+ </script>
+ <script nonce="nonceynonce">
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("violated-directive=" + e.violatedDirective);
+ });
+
+ var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+ var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src", "violated-directive=script-src"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+ <script nonce="nonceynonce">
+ alert_assert('PASS (1/3)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/3)');
+
+ </script>
+ <script nonce="nonceynonce">
+ alert_assert('PASS (3/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/2)');
+
+ </script>
+ <script nonce="notanonce">
+ alert_assert('FAIL (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
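Review bot: The description at L1225 says 'a CSP violation is generated' while `expected_alerts` at L1174 requires exactly two `violated-directive=script-src` events (the nonce-less script and the `notanonce` script), and the `t_alert` name at L1173 lists only the three PASS alerts; align both, e.g. 'It passes if the three PASS alerts are executed and two CSP violations are reported.' The `log()` helper at L1162-1166 is defined but never called.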
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 00000000000..db94c1c5f4b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+ <title>scriptnonce-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src", "violated-directive=script-src", "violated-directive=script-src"]'></script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (closely-quoted nonce)');
+
+ </script>
+ <script nonce=" noncynonce ">
+ alert_assert('PASS (nonce w/whitespace)');
+
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+ <script nonce="noncynonce noncynonce">
+ alert_assert('FAIL (1/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/3)');
+
+ </script>
+ <script nonce="noncynonceno?">
+ alert_assert('FAIL (3/3)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 00000000000..18a6899a5cd
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';">
+ <title>scriptnonce-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='noncynonce'>
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+ <script nonce='noncynonce'>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+
+
+ </script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+ </script>
+ <script nonce="noncy+/nonce=">
+ alert_assert('PASS (2/2)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
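Review bot: The `<meta>` policy at L1291 (and the mirrored comment at L1333) lists `'unsafe-inline'` twice; the duplicate is harmless but obscures what the test checks, and if the repetition is intentional a comment should say so. The nonce'd script at L1335-1338 is empty and does nothing; presumably a leftover from the conversion, it can be removed. `t_log.done()` at L1327 refers to a name this page never declares.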
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
new file mode 100644
index 00000000000..7e4e848375d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';">
+ <title>scriptnonce-redirect</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+ <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+ <script nonce="noncynonce">
+
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
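Review bot: The redirect target on the `<script>` at L1419 is same-origin (`http://{{host}}:{{ports[http][0]}}/...`) and the policy on L1371 already contains `'self'`, so this script would be allowed even if the nonce were dropped after the redirect; the test cannot fail for the bug it is meant to catch. Pointing the redirect at a cross-origin host that `'self'` does not cover (WPT's server substitutions provide `{{domains[www]}}` for this, if I read them right) would make the nonce the only thing permitting the load. Separately, `t_log.done()` on L1407 names a variable that is never declared in this file — it is unreachable because `assert_unreached` throws, but it should read `t_alert.done()`; the same line appears in the preceding scriptnonce-ignore-unsafeinline hunk. The prose on L1418 says "deferred script load" but the element carries no `defer` attribute; "a script load that goes through a redirect" would be accurate.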
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 00000000000..eea201865aa
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+ <title>srcdoc-doesnt-bypass-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
+</head>
+
+<body>
+
+ <script nonce='abc'>
+ window.onmessage = function(e) {
+ log(e.data);
+ }
+
+ var i = document.createElement('iframe');
+ i.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ i.srcdoc = "<sc" + "ript nonce='abc'>" +
+ "window.addEventListener('securitypolicyviolation', function(e) {" +
+ "window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
+ "</scr" + "ipt>" +
+ "<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
+ document.body.appendChild(i);
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
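Review bot: The `securitypolicyviolation` listener attached to the `<iframe>` element at L1454–L1456 is unlikely to ever fire: the violation happens inside the srcdoc document and its event is dispatched within that document (which is why the srcdoc content relays it with `postMessage` on L1459–L1460), not on the host element in the parent. If some engine did deliver it there, the parent would log `violated-directive=script-src` twice against a `logs=[...]` expectation of one entry. I would drop that listener, or keep it with a comment `// not expected to fire; the srcdoc document reports via postMessage` so the single expected log is clearly attributed.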
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js
new file mode 100644
index 00000000000..c04033c46f0
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>log('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "log('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js
new file mode 100644
index 00000000000..69daa31d2f1
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
new file mode 100644
index 00000000000..9aa87129aee
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
new file mode 100644
index 00000000000..afdcc7c011b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js
new file mode 100644
index 00000000000..03d9bf4cbbc
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
new file mode 100644
index 00000000000..afdcc7c011b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
new file mode 100644
index 00000000000..0204de32cf1
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/support/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked");
+}
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers
new file mode 100644
index 00000000000..57616b1fc2d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js
new file mode 100644
index 00000000000..a16827eddfc
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
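Review bot: Deciding blocked vs. allowed from the return value of `setTimeout` on L1552–L1554 is implementation-dependent: as I read the HTML timer initialization steps, the CSP string-compilation check runs inside the timer's task, so a conforming engine returns a non-zero id and only later declines to run the handler, and this worker would then report `setTimeout allowed` while the parent test waits for `setTimeout blocked`. A more robust probe decides by whether the string handler actually executed — have the string handler set a flag and post `setTimeout allowed`, then schedule a function handler a little later that posts `setTimeout blocked` if the flag is still unset. That keeps the parent's expected message unchanged.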
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers
new file mode 100644
index 00000000000..57616b1fc2d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html
new file mode 100644
index 00000000000..9a264f2a240
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>worker-eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["eval blocked"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The eval() call in the worker should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-eval.js');
+ worker.onmessage = function(event) {
+ log(event.data);
+ };
+ } catch (e) {
+ log(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
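Review bot: The paragraph on L1582–L1586 says the parent resource sets a report-uri, but the policy on L1573 is `script-src 'self' 'unsafe-inline'; connect-src 'self';` with no report-uri — and a `report-uri` directive in a `<meta http-equiv>` policy is ignored by CSP anyway — so the explanation is stale from the WebKit conversion. The same paragraph appears in the worker-function-function-blocked hunk (L1626–L1630). I would trim it to: `This test loads a worker, delivered with its own policy. The eval() call in the worker should be forbidden by that policy; the parent page must not observe a violation.` Also, `log(e)` on L1598 passes an Error object where every other call passes a string; `log('Fail: ' + e)` keeps the output comparable.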
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
new file mode 100644
index 00000000000..8c1df9f6679
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>worker-function-function-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Function() function blocked"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The Function constructor should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-function-function.js');
+ worker.onmessage = function(event) {
+ log(event.data);
+ };
+ } catch (e) {
+ log(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html
new file mode 100644
index 00000000000..28906138069
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>worker-importscripts-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ var result = '';
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-importscripts.js');
+ worker.onmessage = function(event) {
+ result = event.data;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ };
+ } catch (e) {
+ result = e;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
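Review bot: The catch branch on L1683–L1689 can never satisfy its own assertion: `result` is the caught exception, and `assert_equals(result, 'importScripts blocked')` compares an Error object to a string, so it fails by construction while reading like a second success path. `assert_unreached('Worker construction threw: ' + e)` states the intent directly. Separately, the worker script in the worker-importscripts.js hunk posts `importScripts allowed` itself (L1533) right after importing post-message.js, which already posts the same string (L1486), so on the allowed path the parent's `onmessage` runs twice and logs `TEST COMPLETE` twice; one of the two postMessage calls is redundant.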
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html
new file mode 100644
index 00000000000..da7771b9c4b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>worker-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ try {
+ var foo = new Worker('/content-security-policy/script-src/support/post-message.js');
+ foo.onmessage = function(event) {
+ log("PASS");
+ };
+ } catch (e) {
+ log(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
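Review bot: A worker whose script is blocked by `script-src` does not throw from `new Worker(...)` — per the HTML spec the fetch failure is surfaced as an `error` event on the Worker object — so the `catch` on L1725–L1727 would not run and this test would only fail through the harness timeout. Adding `foo.onerror = function() { log('Fail'); };` after L1721 turns a blocked worker into an immediate, attributable failure. The same try/catch-without-`onerror` pattern is in the worker-eval-blocked, worker-function-function-blocked, worker-importscripts-blocked and worker-set-timeout-blocked hunks, where a missing `onerror` likewise leaves a worker that never started indistinguishable from one that hung.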
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html
new file mode 100644
index 00000000000..5f93433416b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self';">
+ <title>worker-set-timeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-set-timeout.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
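Review bot: The policy on L1745 lists `'self'` twice (`script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'`); harmless to parsers, but it looks like a leftover from the conversion and is worth reducing to `script-src 'self' 'unsafe-inline' 'unsafe-eval'`. In the catch on L1764, `alert_assert(e)` hands an Error object to a helper that, judging by the inline copies of `alert_assert` elsewhere in this diff, calls `msg.match(...)` on its argument — that would raise a TypeError instead of reporting the failure; `alert_assert('FAIL: ' + e)` feeds it a string that also trips the `^FAIL` check. alertAssert.sub.js itself is not in this diff, so the helper's behaviour is inferred.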