Update web-platform-tests to revision 14cfa4d648cc1c853b4153268df672d21425f8c1

author: Josh Matthews <josh@joshmatthews.net> 2017-10-30 09:31:22 -0400
committer: Josh Matthews <josh@joshmatthews.net> 2017-10-30 18:26:08 -0400
commit: 75736751d9ffa1489c67387b89b79d7ebd06611c (patch)
tree: da615fa4454d45743b6fe656d3fc9a1643695158 /tests/wpt/web-platform-tests/content-security-policy/script-src
parent: 1b73cf33525afbbe2d077554d1965b74ef9ae5e3 (diff)
download: servo-75736751d9ffa1489c67387b89b79d7ebd06611c.tar.gz
servo-75736751d9ffa1489c67387b89b79d7ebd06611c.zip
62 files changed, 1053 insertions, 106 deletions
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
index 7b6e85210d0..9bfe201711a 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
@@ -1 +1,4 @@
-var dataScriptRan = false;
-\ No newline at end of file
+var dataScriptRan = false;
+
+var t_spv = async_test("Test that no report violation event was raised");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have raised any securitypolicyviolation event"));
+\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js
index ba586810f5f..6e6c15d2235 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js
@@ -1,3 +1,5 @@
 test(function () {
             assert_true(dataScriptRan, "data script ran");
-        }, "Verify that data: as script src runs with this policy");
-\ No newline at end of file
+        }, "Verify that data: as script src runs with this policy");
+        
+t_spv.done();
+\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
index cd093ac9423..a5d91dcab0f 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -1,4 +1,14 @@
 (function () {
+  var t_spv = async_test("Test that securitypolicyviolation event is fired");
+  var test_count = 2;
+
+  window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+   assert_equals(e.violatedDirective, "script-src");
+   if (--test_count <= 0) {
+    t_spv.done();
+   }
+  }));
+
 
   var dmTest = async_test("DOM manipulation inline tests");
   var attachPoint = document.getElementById('attachHere');
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html
new file mode 100644
index 00000000000..5a8cdec8472
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'">
+    <title>injected-inline-script-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Pass 1 of 2","Pass 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+    </script>
+    <script src="support/inject-script.js"></script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html
new file mode 100644
index 00000000000..07e2ae2871c
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+    <title>injected-inline-script-blocked</title>
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+    <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src",]'></script>
+    <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+    </script>
+    <script src="support/inject-script.js"></script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js
index ea2be272a20..1f0d7ae7154 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -1,3 +1,6 @@
+var t_spv = async_test("Should not fire policy violation events");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should have not fired any securitypolicyviolation event"));
+
 var inlineRan = false;
 
 onload = function() {
@@ -5,4 +8,5 @@ onload = function() {
         assert_true(inlineRan, 'Unsafe inline script ran.')},
         'Inline script in a script tag should  run with an unsafe-inline directive'
     );
+  t_spv.done();
 }
 \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
index 6e76b0a1781..0c6e5446041 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
@@ -1,4 +1,13 @@
 var t1 = async_test("Inline script block");
 var t2 = async_test("Inline event handler");
 
-onload = function() {t1.done(); t2.done()}
-\ No newline at end of file
+onload = function() {t1.done(); t2.done()}
+
+var t_spv = async_test("Should not fire policy violation events");
+var test_count = 2;
+window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+    assert_equals(e.violatedDirective, "script-src");
+    if (--test_count <= 0) {
+        t_spv.done();
+    }
+}));
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html
index a8dd14f1c89..e02d66ae9c9 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>Window.open should not open javascript url if not allowed.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
     <script nonce='abc' src='/resources/testharness.js'></script>
     <script nonce='abc' src='/resources/testharnessreport.js'></script>
 </head>
@@ -15,8 +16,5 @@
 
     window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');
   </script>
-
-  <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html
index c83f512bff5..d66253c6a19 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
     <script src='inlineTests.js'></script>
@@ -15,8 +16,5 @@
     </script>
 
     <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
-
-    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
deleted file mode 100644
index d91fe1c87f1..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self'; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html
index 137a16421db..a1bfdaeb15b 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -11,6 +12,11 @@
 
     <script>
         var dataScriptRan = false;
+        var t_spv = async_test("Test that securitypolicyviolation event is fired");
+        
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+        }));
     </script>
 
     <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
@@ -21,7 +27,5 @@
             assert_false(dataScriptRan, "data script ran");
         }, "Verify that data: as script src doesn't run with this policy");
     </script>
-
-    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
deleted file mode 100644
index 6c0c0fd0a76..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html
index f1bfee2000a..a1e2f72cdb7 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' data:;">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -14,7 +15,5 @@
     <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
 
     <script src="10_1_support_2.js"></script>
-
-    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>
 \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
deleted file mode 100644
index dfb6f345fc7..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' data:; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html
index a41310da9e7..a68945cb853 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src *;">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
     <script src='inlineTests.js'></script>
@@ -15,8 +16,5 @@
     </script>
 
     <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
-
-    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
deleted file mode 100644
index 4cf9c695051..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src *; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html
index 255f5df9ce1..2641c867f63 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src *;">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -16,8 +17,5 @@
     <div id=emptyDiv></div>
 
     <script src="addInlineTestsWithDOMManipulation.js"></script>
-
-    <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
-
 </body>
 </html>
 \ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
deleted file mode 100644
index 9c58f0efcd5..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src *; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html
index 30e6f6870a8..bf7a6921b4d 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
     <script src='inlineSuccessTest.js'></script>
@@ -13,8 +14,5 @@
     <script>
       inlineRan = true;
     </script>
-
-    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
deleted file mode 100644
index 8227c6272dc..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
index 5293183d300..bfc66b2a8d0 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -10,6 +11,11 @@
     <div id='log'></div>
 
    	<script>
+        var t_spv = async_test("Test that securitypolicyviolation event is fired");
+        
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+        }));
 
         var evalRan = false;
 
@@ -18,8 +24,5 @@
         test(function() {assert_false(evalRan);})
 
     </script>
-
-    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
deleted file mode 100644
index 28ad14b609d..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html
index 31664a16987..522b9c5f7c8 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> 
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -12,15 +13,21 @@
    	<script>
         var t1 = async_test("window.setTimeout()");
         var t2 = async_test("window.setInterval()");
+        var t_spv = async_test("Test that securitypolicyviolation event is fired");
+        var test_count = 2;
+        
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+            if (--test_count <= 0) {
+                t_spv.done();
+            }
+        }));
+
 
         onload = function() {t1.done(); t2.done()}
 
         window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
         window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
-
     </script>
-
-    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
deleted file mode 100644
index 6bd48d1ded7..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
index 31382936f47..0ee6f587c5c 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -2,6 +2,7 @@
 <html>
 <head>
     <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -10,6 +11,12 @@
     <div id='log'></div>
 
    	<script>
+   	    var t_spv = async_test("Test that securitypolicyviolation event is fired");
+        
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+        }));
+   	    
 
         test(function() {
             assert_throws(
@@ -20,8 +27,5 @@
         })}, "Unsafe eval ran in Function() constructor.");
 
     </script>
-
-    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
-
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
deleted file mode 100644
index 314849bb972..00000000000
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
index 75ff3424c05..70b31457278 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
@@ -22,7 +22,5 @@
       t.done();
     });
   </script>
-
-  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
index 36203b7643a..89f99e621f8 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc';
+\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
index 34fed6d94b3..da9e60f8743 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
@@ -22,7 +22,5 @@
       t.done();
     });
   </script>
-
-  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
index 114c560b28c..83fe7f7005e 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms-work={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'self' 'unsafe-inline';
+\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html
new file mode 100644
index 00000000000..5a0dfe50e15
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';">
+    <title>script-src-overrides-default-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+       });
+    </script>
+</head>
+
+<body onload="log(&apos;PASS 2 of 2&apos;)">
+    <script>
+        log('PASS 1 of 2');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
index f0f7bcb7a04..16428b1a4de 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
@@ -8,6 +8,11 @@
 </head>
 <body>
   <script nonce="abc">
+    var t_spv = async_test("Should fire securitypolicyviolation event");
+    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "script-src");
+      assert_equals(e.disposition, "report");
+    }));
     var externalRan = false;
   </script>
   <script src='./externalScript.js'
@@ -16,8 +21,5 @@
     test(function() {
       assert_true(externalRan, 'External script ran.');
     }, 'External script in a script tag with matching SRI hash should run.');
-  </script>
-
-  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
-</body>
+  </script></body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
index 0ccfd507f65..7f03464d4d3 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-report-only-policy-works-with-external-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
 Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
-Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
+Content-Security-Policy-Report-Only: script-src 'nonce-abc';
+\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
index 82a88791bd5..9ae66611ea5 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
@@ -27,7 +27,5 @@
       t.done();
     });
   </script>
-
-  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
index eaf175a8785..1237c247a67 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-report-only-policy-works-with-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
 Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
-Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-\ No newline at end of file
+Content-Security-Policy-Report-Only: script-src 'nonce-abc';
+\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
new file mode 100644
index 00000000000..7bf3d89b672
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';">
+    <title>script-src disallowed wildcard use</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    </head>
+    <body>
+    <script nonce="nonce">
+        var t1 = async_test('data: URIs should not match *');
+        t1.step(function() {
+            var script = document.createElement("script");
+            script.src = 'data:application/javascript,';
+            script.addEventListener('load', t1.step_func(function() {
+                assert_unreached('Should not successfully load data URI.');
+            }));
+            script.addEventListener('error', t1.step_func(function() {
+                t1.done();
+            }));
+            document.head.appendChild(script);
+        });
+
+        var t2 = async_test('blob: URIs should not match *');
+        t2.step(function() {
+            var b = new Blob([''], { type: 'application/javascript' });
+            var script = document.createElement('script');
+            script.addEventListener('load', t2.step_func(function() {
+                assert_unreached('Should not successfully load blob URI.');
+            }));
+            script.addEventListener('error', t2.step_func(function() {
+                t2.done();
+            }));
+
+            script.src = URL.createObjectURL(b);
+            document.head.appendChild(script);
+        });
+
+        var t3 = async_test('filesystem URIs should not match *');
+        if (window.webkitRequestFileSystem) {
+            window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+                fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+                    fileEntry.createWriter(function(fileWriter) {
+                        var script = document.createElement('script');
+
+                        script.addEventListener('load', t3.step_func(function() {
+                            assert_unreached('Should not successfully load filesystem URI.');
+                        }));
+                        script.addEventListener('error', t3.step_func(function() {
+                            t3.done();
+                        }));
+
+                        script.src = fileEntry.toURL('application/javascript');
+                        document.body.appendChild(script);
+                    });
+                });
+            });
+        } else {
+          t3.done();
+        }
+    </script>
+    </body>
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
new file mode 100644
index 00000000000..c46a99136d8
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';">
+    <title>scripthash-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+    
+    <script>
+        alert_assert('PASS (1/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (3/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (4/4)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
new file mode 100644
index 00000000000..d254053eced
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self';">
+    <title>scripthash-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+    
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+        var expected_alerts = ["PASS (1/1)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <script>
+        alert_assert('PASS (1/1)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (2/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (3/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (4/4)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
new file mode 100644
index 00000000000..6025a67179f
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'nonce-abc' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self';">
+    <title>script-hash allowed from default-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce='abc'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            test(function() { assert_unreached("Should not have fired event")});
+        });
+    </script>
+    
+    <script>done();</script>
+    </head>
+
+    <body>
+    <div id="log"></div>
+    </body>
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 00000000000..d7af328f4e3
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4=' 'sha256-lxHfHAe5I15v8qaArcZ5WiKmLU4CjV+3tJeQUqSIWBk='; connect-src 'self';">
+    
+    <title>scripthash-ignore-unsafeinline</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>window.addEventListener('securitypolicyviolation', function(e) { alert_assert("Fail"); })</script>
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+        var expected_alerts = ["PASS (1/1)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <script>
+        alert_assert('PASS (1/1)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/1)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests that a valid hash value disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
new file mode 100644
index 00000000000..0c303630331
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';">
+    <title>scripthash-unicode-normalization</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+    <!-- The following two scripts contain two separate code points (U+00C5
+        and U+212B, respectively) which, depending on your text editor, might be
+        rendered the same.However, their difference is important because, under
+        NFC normalization, they would become the same code point, which would be
+        against the spec. This test, therefore, validates that the scripts have
+        *different* hash values. -->
+    <script nonce="nonceynonce">
+      var t_spv = async_test("Should fire securitypolicyviolation");
+      window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src");
+      }));
+      
+      var matchingContent = 'Å';
+      var nonMatchingContent = 'Å';
+
+      // This script should have a hash value of
+      // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+      var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+      // This script should have a hash value of
+      // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+      var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+      var script1 = document.createElement('script');
+      var script2 = document.createElement('script');
+
+      script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+      var failure = function() {
+        assert_unreached();
+      }
+
+      window.finish = function(content) {
+        if (content == matchingContent) {
+          script1.test.step(function() {
+            script1.test.done();
+          });
+        } else {
+	  script1.test.step(function() {
+            assert_unreached("nonMatchingContent script ran");
+	  });
+        }
+      }
+
+      script1.onerror = failure;
+
+      document.body.appendChild(script2);
+      script2.textContent = scriptContent2;
+      document.body.appendChild(script1);
+      script1.textContent = scriptContent1;
+    </script>
+
+    <p>
+        This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
new file mode 100644
index 00000000000..46fdabd62c5
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';">
+    <title>scriptnonce-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="noncynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+    </script>
+    <script nonce="noncynonce">
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+        alert_assert('PASS (1/2)');
+
+    </script>
+    <script nonce="noncy+/nonce=">
+        alert_assert('PASS (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 00000000000..94a39973af2
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';">
+    <title>scriptnonce-and-scripthash</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="nonceynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+    </script>
+    <script nonce="nonceynonce">
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+    
+        var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+        var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src", "violated-directive=script-src"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+    <script nonce="nonceynonce">
+        alert_assert('PASS (1/3)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/3)');
+
+    </script>
+    <script nonce="nonceynonce">
+        alert_assert('PASS (3/3)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/2)');
+
+    </script>
+    <script nonce="notanonce">
+        alert_assert('FAIL (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 00000000000..db94c1c5f4b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+    <title>scriptnonce-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src", "violated-directive=script-src", "violated-directive=script-src"]'></script>
+    <script nonce="noncynonce">
+        alert_assert('PASS (closely-quoted nonce)');
+
+    </script>
+    <script nonce="   noncynonce    ">
+        alert_assert('PASS (nonce w/whitespace)');
+
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+    </script>
+    <script nonce="noncynonce noncynonce">
+        alert_assert('FAIL (1/3)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (2/3)');
+
+    </script>
+    <script nonce="noncynonceno?">
+        alert_assert('FAIL (3/3)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 00000000000..18a6899a5cd
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';">
+    <title>scriptnonce-ignore-unsafeinline</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce='noncynonce'>
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+    </script>
+    <script nonce='noncynonce'>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+
+
+    </script>
+    <script nonce="noncynonce">
+        alert_assert('PASS (1/2)');
+    </script>
+    <script nonce="noncy+/nonce=">
+        alert_assert('PASS (2/2)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/1)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
new file mode 100644
index 00000000000..7e4e848375d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';">
+    <title>scriptnonce-redirect</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="noncynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+    <script nonce="noncynonce">
+        var t_alert = async_test('Expecting alerts: ["PASS"]');
+        var expected_alerts = ["PASS"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_true(expected_alerts[i] == msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+    This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+    <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+    <script nonce="noncynonce">
+
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 00000000000..eea201865aa
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+    <title>srcdoc-doesnt-bypass-script-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
+</head>
+
+<body>
+ 
+    <script nonce='abc'>
+        window.onmessage = function(e) {
+          log(e.data);
+        }
+        
+        var i = document.createElement('iframe');
+        i.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+        
+        i.srcdoc = "<sc" + "ript nonce='abc'>" + 
+                     "window.addEventListener('securitypolicyviolation', function(e) {" + 
+                       "window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
+                   "</scr" + "ipt>" + 
+                   "<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
+        document.body.appendChild(i);
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js
new file mode 100644
index 00000000000..c04033c46f0
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>log('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "log('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js
new file mode 100644
index 00000000000..69daa31d2f1
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
new file mode 100644
index 00000000000..9aa87129aee
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+    id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
new file mode 100644
index 00000000000..afdcc7c011b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js
new file mode 100644
index 00000000000..03d9bf4cbbc
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+    postMessage('Function() function blocked');
+}
+try {
+    fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
new file mode 100644
index 00000000000..afdcc7c011b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
new file mode 100644
index 00000000000..0204de32cf1
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+    importScripts("/content-security-policy/support/post-message.js");
+    postMessage("importScripts allowed");
+} catch (e) {
+    postMessage("importScripts blocked");
+}
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers
new file mode 100644
index 00000000000..57616b1fc2d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js
new file mode 100644
index 00000000000..a16827eddfc
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+    id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers
new file mode 100644
index 00000000000..57616b1fc2d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html
new file mode 100644
index 00000000000..9a264f2a240
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-eval-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["eval blocked"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>This test loads a worker, delivered with its own policy.
+    The eval() call in the worker should be forbidden by that
+    policy.  No report should be generated because the worker
+    policy does not set a report-uri (although this parent
+    resource does).</p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+    
+        try {
+            var worker = new Worker('/content-security-policy/script-src/support/worker-eval.js');
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
new file mode 100644
index 00000000000..8c1df9f6679
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-function-function-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Function() function blocked"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>This test loads a worker, delivered with its own policy.
+    The Function constructor should be forbidden by that
+    policy.  No report should be generated because the worker
+    policy does not set a report-uri (although this parent
+    resource does).</p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        try {
+            var worker = new Worker('/content-security-policy/script-src/support/worker-function-function.js');
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html
new file mode 100644
index 00000000000..28906138069
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>worker-importscripts-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        var result = '';
+        try {
+            var worker = new Worker('/content-security-policy/script-src/support/worker-importscripts.js');
+            worker.onmessage = function(event) {
+                result = event.data;
+                test(function() {
+                    assert_equals(result, 'importScripts blocked')
+                });
+                log("TEST COMPLETE");
+            };
+        } catch (e) {
+            result = e;
+            test(function() {
+                assert_equals(result, 'importScripts blocked')
+            });
+            log("TEST COMPLETE");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html
new file mode 100644
index 00000000000..da7771b9c4b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-script-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        try {
+            var foo = new Worker('/content-security-policy/script-src/support/post-message.js');
+            foo.onmessage = function(event) {
+                log("PASS");
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html
new file mode 100644
index 00000000000..5f93433416b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self';">
+    <title>worker-set-timeout-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        try {
+            var worker = new Worker('/content-security-policy/script-src/support/worker-set-timeout.js');
+            worker.onmessage = function(event) {
+                alert_assert(event.data);
+            };
+        } catch (e) {
+            alert_assert(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
author	Josh Matthews <josh@joshmatthews.net>	2017-10-30 09:31:22 -0400
committer	Josh Matthews <josh@joshmatthews.net>	2017-10-30 18:26:08 -0400
commit	75736751d9ffa1489c67387b89b79d7ebd06611c (patch)
tree	da615fa4454d45743b6fe656d3fc9a1643695158 /tests/wpt/web-platform-tests/content-security-policy/script-src
parent	1b73cf33525afbbe2d077554d1965b74ef9ae5e3 (diff)
download	servo-75736751d9ffa1489c67387b89b79d7ebd06611c.tar.gz servo-75736751d9ffa1489c67387b89b79d7ebd06611c.zip