Changeset 263605 in webkit

Timestamp:

Jun 26, 2020 4:58:27 PM (4 years ago)

Author:

Chris Dumez

Message:

Update web-platform-tests/content-security-policy from upstream
​https://bugs.webkit.org/show_bug.cgi?id=213664

Reviewed by Darin Adler.

Update web-platform-tests/content-security-policy from upstream b076c305a256e7fb7.

LayoutTests/imported/w3c:

• resources/resource-files.json:
• web-platform-tests/content-security-policy/*: Updated.

LayoutTests:

• tests-options.json:

Location:

trunk/LayoutTests

Files:

• ChangeLog (modified) (1 diff)
• TestExpectations (modified) (2 diffs)
• imported/w3c/ChangeLog (modified) (1 diff)
• imported/w3c/resources/resource-files.json (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html (added)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html (modified) (4 diffs)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/executor.html (added)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.sub-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html) (3 diffs)
• imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/frame-src-javascript-url-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/frame-src-javascript-url.html (added)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub-expected.txt (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/support/empty.html (added)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/support/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html (added)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html.headers (added)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-expected.txt (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative-expected.txt) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub-expected.txt (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub-expected.txt) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html) (3 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-expected.txt (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative-expected.txt) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub-expected.txt (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub-expected.txt) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html) (3 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers)
• imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html (copied) (copied from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/reporting-api/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https.html (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https.html.headers (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/report-clips-sample.https-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/report-clips-sample.https.html (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html.sub.headers (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html (modified) (2 diffs)
• imported/w3c/web-platform-tests/content-security-policy/reporting/support/redirect-throw-function.sub.py (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/support/throw-function.js (added)
• imported/w3c/web-platform-tests/content-security-policy/reporting/support/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log (modified) (3 diffs)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html) (4 diffs)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions-expected.txt (added)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html) (5 diffs)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html.headers (moved) (moved from trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html (modified) (3 diffs)
• imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields-expected.txt (modified) (6 diffs)
• imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html (modified) (7 diffs)
• imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https-expected.txt (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html (modified) (4 diffs)
• imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js (modified) (5 diffs)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub-expected.txt (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html (modified) (1 diff)
• imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html (modified) (1 diff)
• platform/gtk/TestExpectations (modified) (1 diff)
• platform/wpe/TestExpectations (modified) (1 diff)
• tests-options.json (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-06-26  Chris Dumez  <cdumez@apple.com>
+
+        Update web-platform-tests/content-security-policy from upstream
+        https://bugs.webkit.org/show_bug.cgi?id=213664
+
+        Reviewed by Darin Adler.
+
+        Update web-platform-tests/content-security-policy from upstream b076c305a256e7fb7.
+
+        * tests-options.json:
+
 2020-06-26  Jer Noble  <jer.noble@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -750 +750 @@
 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html
 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html
@@ -781 +779 @@
 imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html
 imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
+
+# Sometimes logs a line about trying to connect to an external URL.
+imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html [ Pass Failure ]
 
 # Web platform test infrastructure unable to support insecure connection

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2020-06-26  Chris Dumez  <cdumez@apple.com>
+
+        Update web-platform-tests/content-security-policy from upstream
+        https://bugs.webkit.org/show_bug.cgi?id=213664
+
+        Reviewed by Darin Adler.
+
+        Update web-platform-tests/content-security-policy from upstream b076c305a256e7fb7.
+
+        * resources/resource-files.json:
+        * web-platform-tests/content-security-policy/*: Updated.
+
 2020-06-26  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/resources/resource-files.json

@@ -61 +61 @@
         "web-platform-tests/beacon/navigate.iFrame.sub.html",
         "web-platform-tests/content-security-policy/README.html",
+        "web-platform-tests/content-security-policy/embedded-enforcement/support/executor.html",
         "web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html",
         "web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html",
@@ -72 +73 @@
         "web-platform-tests/content-security-policy/generic/support/log-pass.html",
         "web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html",
+        "web-platform-tests/content-security-policy/inheritance/support/empty.html",
         "web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html",
         "web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html",

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html

@@ -46 +46 @@
         "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
-      { "name": "iframe from cross origin does not load without Allow-CSP-From header.", 
+      { "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", 
@@ -58 +58 @@
         "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
-      { "name": "Allow-CSP-From header with a star value can be returned.", 
+      { "name": "Allow-CSP-From header with a star value allows cross origin frame.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "script-src 'unsafe-inline'", 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html

@@ -2 +2 @@
 <html>
 <head>
-<title>Embedded Enforcement: Sec-Required-CSP header.</title>
+  <title>Embedded Enforcement: Sec-Required-CSP header.</title>
+  <!--
+    This test is creating and navigating >=70 iframes. This can exceed the
+    "short" timeout". See https://crbug.com/818324
+  -->
+  <meta name="timeout" content="long">
+
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html

@@ -9 +9 @@
 <body>
   <script>
+    // Note that the returned csp should always allow execution of an
+    // inline script with nonce "abc" (as returned by
+    // support/echo-policy-multiple.py), otherwise the test might
+    // return false negatives.
     var tests = [
       { "name": "If there is no required csp, iframe should load.", 
@@ -28 +32 @@
       { "name": "Iframe with less restricting CSP should be blocked.", 
         "required_csp": "style-src 'none'; script-src 'none'", 
-        "returned_csp": "style-src 'none'; script-src 'self'", 
+        "returned_csp": "style-src 'none'; script-src 'self' 'nonce-abc'", 
         "expected": IframeLoad.EXPECT_BLOCK },
       { "name": "Iframe with a different CSP should be blocked.", 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html

@@ -11 +11 @@
     var tests = [
       { "name": "Exact nonce subsumes.",
-        "required_csp": "script-src 'nonce-abc'",
-        "returned_csp_1": "script-src 'nonce-abc'",
+        "required_csp": "style-src 'nonce-abc'",
+        "returned_csp_1": "style-src 'nonce-abc'",
         "expected": IframeLoad.EXPECT_LOAD },
       { "name": "Any nonce subsumes.",
@@ -19 +19 @@
         "expected": IframeLoad.EXPECT_LOAD },
       { "name": "A nonce has to be returned if required by the embedder.",
-        "required_csp": "script-src 'nonce-abc'",
-        "returned_csp_1": "script-src http://example1.com/foo",
+        "required_csp": "style-src 'nonce-abc'",
+        "returned_csp_1": "style-src http://example1.com/foo",
         "expected": IframeLoad.EXPECT_BLOCK },
       { "name": "Multiples nonces returned subsume.",
@@ -28 +28 @@
       // nonce intersection
       { "name": "Nonce intersection is still done on exact match - non-matching nonces.",
-        "required_csp": "script-src 'nonce-abc'",
-        "returned_csp_1": "script-src 'nonce-def'",
-        "returned_csp_2": "script-src 'nonce-xyz'",
-        "expected": IframeLoad.EXPECT_BLOCK },
+        "required_csp": "style-src 'none'",
+        "returned_csp_1": "style-src 'nonce-def'",
+        "returned_csp_2": "style-src 'nonce-xyz'",
+        "expected": IframeLoad.EXPECT_LOAD },
       { "name": "Nonce intersection is still done on exact match - matching nonces.",
-        "required_csp": "style-src 'nonce-abc'",
+        "required_csp": "style-src 'none'",
         "returned_csp_1": "style-src 'nonce-def'",
         "returned_csp_2": "style-src 'nonce-def' 'nonce-xyz'",
-        "expected": IframeLoad.EXPECT_LOAD },
+        "expected": IframeLoad.EXPECT_BLOCK },
       // other expressions still have to work
       { "name": "Other expressions still have to be subsumed - positive test.",
@@ -43 +43 @@
         "expected": IframeLoad.EXPECT_LOAD },
       { "name": "Other expressions still have to be subsumed - negative test",
-        "required_csp": "script-src http://example1.com/foo/ 'nonce-abc'",
-        "returned_csp_1": "script-src http://not-example1.com/foo/ 'nonce-xyz'",
+        "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'",
+        "returned_csp_1": "style-src http://not-example1.com/foo/ 'nonce-xyz'",
         "expected": IframeLoad.EXPECT_BLOCK },
     ];

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html

@@ -10 +10 @@
   <script>
     var tests = [
+      // Note that the returned csp should always allow execution of an
+      // inline script with nonce "abc" (as returned by
+      // support/echo-policy-multiple.py), otherwise the test might
+      // return false negatives.
       { "name": "'strict-dynamic' is ineffective for `style-src`.", 
         "required_csp": "style-src http://example1.com/foo/ 'self'", 
@@ -28 +32 @@
       { "name": "'strict-dynamic' is effective only for `script-src`.", 
         "required_csp": "script-src http://example1.com/foo/ 'self'", 
-        "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html",
+        "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "'strict-dynamic' is proper handled for finding effective policy.", 
+      { "name": "'strict-dynamic' is properly handled for finding effective policy.",
         "required_csp": "script-src http://example1.com/foo/ 'self'", 
-        "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html",
+        "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'",
         "returned_csp_2": "script-src 'strict-dynamic' 'nonce-abc'",
         "expected": IframeLoad.EXPECT_BLOCK },

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html

@@ -70 +70 @@
         "returned_csp_2": null,
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Returned csp whitelists a nonce.", 
+      { "name": "Returned csp allows a nonce.", 
         "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", 
         "returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'",
         "returned_csp_2": "style-src 'nonce-abc'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Returned csp whitelists a hash.", 
+      { "name": "Returned csp allows a hash.", 
         "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", 
         "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'",

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js

@@ -130 +130 @@
         assert_equals(loaded[urlId], undefined);
       }), 500);
-      assert_throws("SecurityError", () => {
+      assert_throws_dom("SecurityError", () => {
         var x = i.contentWindow.location.href;
       });

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/w3c-import.log

@@ -18 +18 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/executor.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/w3c-import.log

@@ -16 +16 @@
 List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.js
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html

@@ -18 +18 @@
         // Load iframe.
         var iframe = document.createElement("iframe");
-        function iframeLoaded(ev) {
+        let timer;
+        function pollForLoadCompletion() {
+          timer = t.step_timeout(() => iframeMayBeLoaded({isPoll: true}), 10);
+        }
+        function iframeMayBeLoaded({isPoll}) {
           var failed = false;
+          clearTimeout(timer);
           try {
-            ev.target.contentWindow.location.href;
+            let href = iframe.contentWindow.location.href;
+            if (isPoll && (href === "about:blank" || iframe.contentDocument.readyState !== "complete")) {
+              pollForLoadCompletion();
+              return;
+            }
             failed = true;
           } catch (ex) {}
           t.step_func_done(() => assert_false(failed, "The IFrame should have been blocked. It wasn't."))();
         };
-        iframe.addEventListener("load", iframeLoaded);
-        iframe.addEventListener("error", iframeLoaded);
+        iframe.addEventListener("load", () => iframeMayBeLoaded({isPoll: false}));
+        iframe.addEventListener("error", () => iframeMayBeLoaded({isPoll: false}));
         iframe.src = "/content-security-policy/frame-ancestors/support/service-worker/frame-ancestors-none.html";
         document.body.appendChild(iframe);
+        pollForLoadCompletion();
       });
   </script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html

@@ -19 +19 @@
             var i = document.createElement('iframe');
             i.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy=other-origin.com&xfo=SAMEORIGIN";
-            i.onload = t.step_func_done(function () {
+            checkDone = t.step_func(function() {
+                clearTimeout(timer);
+                try {
+                    if (i.contentWindow.location.href === "about:blank" ||
+                        (i.contentDocument && i.contentDocument.readyState !== "complete")) {
+                        timer = t.step_timeout(checkDone, 10);
+                        return;
+                    }
+                } catch(e) {}
                 assert_equals(i.contentDocument, null);
+                t.done();
             });
+            i.onload = checkDone;
+            let timer = t.step_timeout(checkDone, 10);
             document.body.appendChild(i);
         }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page.");

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js

@@ -48 +48 @@
 }
 
+let timer;
+function pollForLoadCompletion({iframe, expectBlock}) {
+    let fn = iframeLoaded({expectBlock, isPoll: true});
+    timer = test.step_timeout(() => fn({target: iframe}), 10);
+}
+
 function injectIFrame(policy, sameOrigin, expectBlock) {
     var iframe = document.createElement("iframe");
-    iframe.addEventListener("load", iframeLoaded(expectBlock));
-    iframe.addEventListener("error", iframeLoaded(expectBlock));
+    iframe.addEventListener("load", iframeLoaded({expectBlock, isPoll: false}));
+    iframe.addEventListener("error", iframeLoaded({expectBlock, isPoll: false}));
 
     var url = "/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=" + policy;
@@ -61 +67 @@
     iframe.src = url;
     document.body.appendChild(iframe);
+    pollForLoadCompletion({iframe, expectBlock});
 }
 
-function iframeLoaded(expectBlock) {
+function iframeLoaded({isPoll, expectBlock}) {
     return function(ev) {
+        clearTimeout(timer);
         var failed = true;
         var message = "";
         try {
-            ev.target.contentWindow.location.href;
+            let url = ev.target.contentWindow.location.href;
+            if (isPoll && (url === "about:blank" || ev.target.contentDocument.readyState !== "complete")) {
+                pollForLoadCompletion({iframe: ev.target, expectBlock});
+                return;
+            }
             if (expectBlock) {
                 message = "The IFrame should have been blocked (or cross-origin). It wasn't.";

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html

@@ -10 +10 @@
         iframe.name = "theiframe";
         iframe.src =
-          "http://www1.{{host}}/content-security-policy/support/frame.html#0";
-        let iframeLoaded = new Promise(resolve => { iframe.onload = resolve; });
+          "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?0";
+        let iframeLoaded = new Promise(resolve => { iframe.onload = resolve });
         document.body.appendChild(iframe);
         await iframeLoaded;
@@ -27 +27 @@
       {
         let violation = new Promise(resolve => {
-          window.addEventListener('securitypolicyviolation', resolve);
+          window.addEventListener('securitypolicyviolation', () => resolve());
         });
         iframe.src =
-          "http://www1.{{host}}/content-security-policy/support/frame.html#1";
+          "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?1";
         await violation;
       }
@@ -40 +40 @@
         });
         window.open(
-          "http://www1.{{host}}/content-security-policy/support/frame.html#2",
+          "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?2",
           "theiframe");
         await violation;

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html

@@ -5 +5 @@
 <script>
     let crossOriginUrl =
-      "http://www1.{{host}}/content-security-policy/support/frame.html";
+      "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/frame.html";
 
     async_test(async test => {

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log

@@ -22 +22 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html

@@ -11 +11 @@
     <script nonce='abc'>
     test(function() {
-      assert_throws(new EvalError, function() {
+      assert_throws_js(EvalError, function() {
         eval("0");
       }, "eval of a string should reach host callout");

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub-expected.txt

@@ -4 +4 @@
 PASS <iframe src='blob:...'>'s inherits policy. 
 PASS <iframe src='data:...'>'s inherits policy. 
-PASS <iframe src='javascript:...'>'s inherits policy. 
+PASS <iframe src='javascript:...'>'s inherits policy (static <img> is blocked) 
+PASS <iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked) 
 PASS <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html

@@ -81 +81 @@
 
     document.body.appendChild(i);
-  }, "<iframe src='javascript:...'>'s inherits policy.");
+  }, "<iframe src='javascript:...'>'s inherits policy (static <img> is blocked)");
+
+  // Same as the previous javascript-URL test, but instead of loading the <img>
+  // from the new document, this one is created from the initial empty document,
+  // while evaluating the javascript-url.
+  // See https://crbug.com/1064676
+  async_test(t => {
+    let url = `javascript:
+      let img = document.createElement('img');
+      img.onload = () => window.top.postMessage('load', '*');
+      img.onerror = () => window.top.postMessage('error', '*');
+      img.src = '{{location[server]}}/images/red-16x16.png';
+      document.body.appendChild(img);
+    `;
+    var i = document.createElement('iframe');
+    i.src = encodeURI(url.replace(/\n/g, ""));
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked)");
 
   async_test(t => {

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/w3c-import.log

@@ -15 +15 @@
 ------------------------------------------------------------------------
 List of files:
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/empty.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/w3c-import.log

@@ -18 +18 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/frame-src-javascript-url.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html

@@ -24 +24 @@
     img.onerror = t.step_func_done(_ => w.close());
     img.onload = t.unreached_func();
+    img.src = "/images/red-16x16.png";
     w.document.body.appendChild(img);
-    img.src = "/images/red-16x16.png";
   }, "window.open() inherits policy.");
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js

@@ -55 +55 @@
 
   // TODO(mkwst): A 'securitypolicyviolation' event should fire.
-  return promise_rejects(t, new TypeError, fetch(url));
+  return promise_rejects_js(t, TypeError, fetch(url));
 }, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol + self.location.search);
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js

@@ -4 +4 @@
 test(t => {
   self.a = false;
-  assert_throws("NetworkError",
-                _ => importScripts("http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"),
-                "importScripts should throw `NetworkError`");
+  assert_throws_dom("NetworkError",
+                    _ => importScripts("http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"),
+                    "importScripts should throw `NetworkError`");
   assert_false(self.a);
 }, "Cross-origin `importScripts()` blocked in " + self.location.protocol + self.location.search);
 
 test(t => {
-  assert_throws(EvalError(),
-                _ => eval("1 + 1"),
-                "`eval()` should throw 'EvalError'.");
+  assert_throws_js(EvalError,
+                   _ => eval("1 + 1"),
+                   "`eval()` should throw 'EvalError'.");
 
-  assert_throws(EvalError(),
-                _ => new Function("1 + 1"),
-                "`new Function()` should throw 'EvalError'.");
+  assert_throws_js(EvalError,
+                   _ => new Function("1 + 1"),
+                   "`new Function()` should throw 'EvalError'.");
 }, "`eval()` blocked in " + self.location.protocol + self.location.search);
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-expected.txt

@@ -1 @@
-async_test(t => { requestAnimationFrame(t.step_func_done(_ => { var script = document.querySelector('#cssTest'); var style = getComputedStyle(script); assert_equals(style['display'], 'block'); assert_equals(style['background-image'], 'none'); })); }, "Nonces don't leak via CSS side-channels.");
 
 FAIL Reading 'nonce' content attribute and IDL attribute. assert_equals: expected Element node <script nonce="abc" id="testScript" executed="yay">
@@ -12 +11 @@
 FAIL setAttribute('nonce') overwrites '.nonce' upon insertion. assert_equals: expected "" but got "abc"
 FAIL createElement.setAttribute. assert_equals: Post-insertion content expected "" but got "abc"
-FAIL Custom elements expose the correct events. assert_equals: expected 3 but got 2
+FAIL Custom elements expose the correct events. assert_object_equals: AttributeChanged 2 value is undefined, expected object
 FAIL Nonces don't leak via CSS side-channels. assert_equals: expected "none" but got "url(\"http://localhost:8800/security/resources/abe.png\")"
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub-expected.txt

@@ -1 @@
-async_test(t => { requestAnimationFrame(t.step_func_done(_ => { var script = document.querySelector('#cssTest'); var style = getComputedStyle(script); assert_equals(style['display'], 'block'); assert_equals(style['background-image'], "url(\"http://localhost:8800/security/resources/abe.png\")"); })); }, "Nonces leak via CSS side-channels.");
 
 PASS Reading 'nonce' content attribute and IDL attribute. 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html

@@ -73 +73 @@
       s.innerText = script.innerText;
       s.nonce = 'abc';
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), null);
       document.head.appendChild(s);
       assert_equals(s.nonce, 'abc');
@@ -120 +122 @@
 </style>
 <script nonce="abc" id="cssTest">
-    async_test(t => {
-      requestAnimationFrame(t.step_func_done(_ => {
-        var script = document.querySelector('#cssTest');
-        var style = getComputedStyle(script);
-        assert_equals(style['display'], 'block');
-        assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
-      }));
+    test(t => {
+      const script = document.querySelector('#cssTest');
+      t.add_cleanup(() => script.remove());
+      var style = getComputedStyle(script);
+      assert_equals(style['display'], 'block');
+      assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
     }, "Nonces leak via CSS side-channels.");
 </script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html

@@ -74 +74 @@
       s.innerText = script.innerText;
       s.nonce = 'abc';
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), null);
       document.head.appendChild(s);
       assert_equals(s.nonce, 'abc');
@@ -148 +150 @@
 <script nonce="abc">
   test(t => {
+    assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" }, "AttributeChanged 1");
+    assert_object_equals(eventList[1], { type: "Connected" }, "Connected");
+    assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" }, "AttributeChanged 2");
     assert_equals(eventList.length, 3);
-    assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" });
-    assert_object_equals(eventList[1], { type: "Connected" });
-    assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" });
   }, "Custom elements expose the correct events.");
 </script>
@@ -161 +163 @@
 </style>
 <script nonce="abc" id="cssTest">
-    async_test(t => {
-      requestAnimationFrame(t.step_func_done(_ => {
-        var script = document.querySelector('#cssTest');
-        var style = getComputedStyle(script);
-        assert_equals(style['display'], 'block');
-        assert_equals(style['background-image'], 'none');
-      }));
+    test(t => {
+      const script = document.querySelector('#cssTest');
+      t.add_cleanup(() => script.remove());
+      var style = getComputedStyle(script);
+      assert_equals(style['display'], 'block');
+      assert_equals(style['background-image'], 'none');
     }, "Nonces don't leak via CSS side-channels.");
 </script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-expected.txt

@@ -5 +5 @@
 FAIL Cloned node retains nonce. assert_equals: IDL attribute expected (string) "abc" but got (undefined) undefined
 FAIL Cloned node retains nonce when inserted. assert_equals: expected (string) "abc" but got (undefined) undefined
-FAIL Writing 'nonce' content attribute. assert_equals: expected (string) "abc" but got (undefined) undefined
+FAIL Writing 'nonce' content attribute. assert_equals: expected (string) "foo" but got (undefined) undefined
 PASS Writing 'nonce' IDL attribute. 
 PASS Document-written script executes. 
@@ -11 +11 @@
 FAIL createElement.nonce. assert_equals: expected (object) null but got (string) "abc"
 FAIL createElement.setAttribute. assert_equals: Post-insertion content expected "" but got "abc"
-FAIL Nonces don't leak via CSS side-channels. assert_equals: expected "none" but got "url(\"http://localhost:8800/security/resources/abe.png\")"
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub-expected.txt

@@ -4 +4 @@
 FAIL Cloned node retains nonce. assert_equals: IDL attribute expected (string) "abc" but got (undefined) undefined
 FAIL Cloned node retains nonce when inserted. assert_equals: expected (string) "abc" but got (undefined) undefined
-FAIL Writing 'nonce' content attribute. assert_equals: expected (string) "abc" but got (undefined) undefined
+FAIL Writing 'nonce' content attribute. assert_equals: expected (string) "foo" but got (undefined) undefined
 PASS Writing 'nonce' IDL attribute. 
 PASS Document-written script executes. 
@@ -10 +10 @@
 PASS createElement.nonce. 
 PASS createElement.setAttribute. 
-PASS Nonces don't leak via CSS side-channels. 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html

@@ -50 +50 @@
       script.setAttribute('nonce', 'foo');
       assert_equals(script.getAttribute('nonce'), 'foo');
-      assert_equals(script.nonce, 'abc');
+      assert_equals(script.nonce, 'foo');
     }, "Writing 'nonce' content attribute.");
 
@@ -78 +78 @@
       innerScript.nonce = 'abc';
       s.appendChild(innerScript);
+      assert_equals(innerScript.nonce, 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
       document.body.appendChild(s);
       assert_equals(innerScript.nonce, 'abc');
@@ -97 +99 @@
     }, "createElement.setAttribute.");
 </script>
-
-<!-- CSS Leakage -->
-<style>
-    #cssTest { display: block; }
-    #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
-</style>
-<svg xmlns="http://www.w3.org/2000/svg">
-  <script nonce="abc" id="cssTest">
-      async_test(t => {
-        requestAnimationFrame(t.step_func_done(_ => {
-          var script = document.querySelector('#cssTest');
-          var style = getComputedStyle(script);
-          assert_equals(style['display'], 'block');
-          assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
-        }));
-      }, "Nonces don't leak via CSS side-channels.");
-  </script>
-</svg>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html

@@ -50 +50 @@
       script.setAttribute('nonce', 'foo');
       assert_equals(script.getAttribute('nonce'), 'foo');
-      assert_equals(script.nonce, 'abc');
+      assert_equals(script.nonce, 'foo');
     }, "Writing 'nonce' content attribute.");
 
@@ -97 +97 @@
     }, "createElement.setAttribute.");
 </script>
-
-<!-- CSS Leakage -->
-<style>
-    #cssTest { display: block; }
-    #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
-</style>
-<svg xmlns="http://www.w3.org/2000/svg">
-  <script nonce="abc" id="cssTest">
-      async_test(t => {
-        requestAnimationFrame(t.step_func_done(_ => {
-          var script = document.querySelector('#cssTest');
-          var style = getComputedStyle(script);
-          assert_equals(style['display'], 'block');
-          assert_equals(style['background-image'], 'none');
-        }));
-      }, "Nonces don't leak via CSS side-channels.");
-  </script>
-</svg>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log

@@ -15 +15 @@
 ------------------------------------------------------------------------
 List of files:
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html

@@ -5 +5 @@
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+    <!--
+      Content-Security-Policy:
+        object-src 'self';
+        script-src 'self' 'unsafe-inline';
+        report-uri ../support/report.py?op=put&reportID={{$id}}
+    -->
 </head>
 
 <body>
     <object type="image/png" data="/content-security-policy/support/pass.png"></object>
-
-    <!-- we rely on the report because we can't rely on the onload event for
-         "allowed" tests as it is not fired for object and embed -->
-    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+    <!--
+      We rely on the report because we can't rely on the onload event for
+      "allowed" tests as it is not fired for object and embed
+    -->
+    <script src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html

@@ -5 +5 @@
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+    <!--
+      Content-Security-Policy:
+        object-src 'self';
+        script-src 'self' 'unsafe-inline';
+        report-uri ../support/report.py?op=put&reportID={{$id}}
+    -->
 </head>
 
@@ -11 +16 @@
   <embed height="40" width="40" type="image/png"
          src="/content-security-policy/support/pass.png"></embed>
-
-         <!-- we rely on the report because we can't rely on the onload event for
-              "allowed" tests as it is not fired for object and embed -->
-    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+  <!--
+    We rely on the report because we can't rely on the onload event for
+    "allowed" tests as it is not fired for object and embed
+  -->
+  <script src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html

@@ -2 +2 @@
 <html>
 <head>
-  <title>Test that report-to overrides report-uri. This tests report-uri before report-to in the policy</title>
+  <title>Test that report-to ignores tokens after the first one</title>
   <script src='/resources/testharness.js'></script>
   <script src='/resources/testharnessreport.js'></script>
@@ -20 +20 @@
        onload='t1.unreached_func("The image should not have loaded");'
        onerror='t1.done();'>
-  <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
-  <script async defer src='../support/checkReport.sub.js?reportExists=false></script>
+  <!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. -->
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html

@@ -21 +21 @@
        onerror='t1.done();'>
   <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
-  <script async defer src='../support/checkReport.sub.js?reportExists=false></script>
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html

@@ -21 +21 @@
        onerror='t1.done();'>
   <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
-  <script async defer src='../support/checkReport.sub.js?reportExists=false></script>
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html

@@ -28 +28 @@
           assert_equals(reports[0].url, document_url);
           assert_equals(reports[0].body.documentURL, document_url);
-          assert_equals(reports[0].body.referrer, null);
+          assert_equals(reports[0].body.referrer, "");
           assert_equals(reports[0].body.blockedURL,
                         base_url + "support/fail.png");
@@ -35 +35 @@
                         "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");
           assert_equals(reports[0].body.sourceFile, document_url);
-          assert_equals(reports[0].body.sample, null);
+          assert_equals(reports[0].body.sample, "");
           assert_equals(reports[0].body.disposition, "enforce");
           assert_equals(reports[0].body.statusCode, 0);

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/w3c-import.log

@@ -19 +19 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html

@@ -35 +35 @@
     var i = document.createElement('img');
     var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3");
-    createListener("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3", t);
+    createListener(url, t);
     i.src = url;
 }, "Block after redirect, same-origin = original URL in report");
@@ -42 +42 @@
     var i = document.createElement('img');
     var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=4");
-    createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}", t);
+    createListener(url, t);
     i.src = url;
 }, "Block after redirect, cross-origin = original URL in report");

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/w3c-import.log

@@ -17 +17 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/redirect-throw-function.sub.py
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/set-cookie.py
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/throw-function.js

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log

@@ -17 +17 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https.html.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html.sub.headers
@@ -25 +27 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-clips-sample.https.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers
@@ -35 +38 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html

@@ -20 +20 @@
         var evalRan = false;
 
-        test(function() {assert_throws(new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
+        test(function() {assert_throws_js(EvalError, function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
 
         test(function() {assert_false(evalRan);})

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html

@@ -20 +20 @@
 
         test(function() {
-            assert_throws(
-                new EvalError(),
+            assert_throws_js(
+                EvalError,
                 function() {
                     var funq = new Function('');

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt

@@ -10 +10 @@
 PASS multiple mismatched integrity 
 PASS partially matching integrity 
-FAIL crossorigin no integrity but whitelisted host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
-FAIL crossorigin mismatched integrity but whitelisted host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
+FAIL crossorigin no integrity but allowed host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
+FAIL crossorigin mismatched integrity but allowed host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
 FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html

@@ -50 +50 @@
             'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
             false ],
-          [ 'crossorigin no integrity but whitelisted host',
+          [ 'crossorigin no integrity but allowed host',
             crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
             '',
             true ],
-          [ 'crossorigin mismatched integrity but whitelisted host',
+          [ 'crossorigin mismatched integrity but allowed host',
             crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
             'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html

@@ -3 +3 @@
 
 <head>
-    <title>Whitelists are discarded with `strict-dynamic` in the script-src directive.</title>
+    <title>Source expressions are discarded with `strict-dynamic` in the script-src directive.</title>
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>
@@ -11 +11 @@
 
 <body>
-    <h1>Whitelists are discarded with `strict-dynamic` in the script-src directive.</h1>
+    <h1>Source expressions are discarded with `strict-dynamic` in the script-src directive.</h1>
     <div id='log'></div>
 
@@ -17 +17 @@
         async_test(function(t) {
             window.addEventListener('message', t.step_func(function(e) {
-                if (e.data === 'whitelistedScript') {
-                    assert_unreached('Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
+                if (e.data === 'allowedScript') {
+                    assert_unreached('Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.');
                 }
             }));
@@ -24 +24 @@
                 assert_equals(e.effectiveDirective, 'script-src-elem');
             }));
-        }, 'Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
+        }, 'Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.');
     </script>
-    <script id='whitelistedScript' src='simpleSourcedScript.js'></script>
+    <script id='allowedScript' src='simpleSourcedScript.js'></script>
 
 </body>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html

@@ -3 +3 @@
 
 <head>
-    <title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
+    <title>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>
@@ -14 +14 @@
 
 <body>
-    <h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
+    <h1>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
     <div id='log'></div>
 
@@ -20 +20 @@
         async_test(function(t) {
             window.addEventListener('message', t.step_func(function(e) {
-                if (e.data === 'whitelisted-appendChild') {
+                if (e.data === 'allowed-appendChild') {
                     t.done();
                 }
             }));
             window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
-                if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') {
+                if (violation.blockedURI.split('?')[1] !== 'allowed-appendChild') {
                     return;
                 }
-                assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
+                assert_unreached('Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.');
             }));
 
             var e = document.createElement('script');
-            e.id = 'whitelisted-appendChild';
+            e.id = 'allowed-appendChild';
             e.src = 'simpleSourcedScript.js?' + e.id;
             e.onerror = t.unreached_func('Error should not be triggered.');
             document.body.appendChild(e);
-        }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
+        }, 'Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.');
     </script>
 
@@ -42 +42 @@
         async_test(function(t) {
             window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
-                if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
+                if (violation.blockedURI.split('?')[1] !== 'nonAllowed-appendChild') {
                     return;
                 }
@@ -51 +51 @@
 
             var e = document.createElement('script');
-            e.id = 'nonWhitelisted-appendChild';
+            e.id = 'nonAllowed-appendChild';
             e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
             e.onload = t.unreached_func('OnLoad should not be triggered.');
             document.body.appendChild(e);
-        }, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.');
+        }, 'Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.');
     </script>
 </body>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html

@@ -23 +23 @@
             }));
 
-            assert_throws(new Error(),
+            assert_throws_js(Error,
                 function() {
                     try {

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html

@@ -3 +3 @@
 
 <head>
-    <title>`strict-dynamic` does not drop whitelists in `img-src`.</title>
+    <title>`strict-dynamic` does not drop allowed source expressions in `img-src`.</title>
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>
@@ -11 +11 @@
 
 <body>
-    <h1>`strict-dynamic` does not drop whitelists in `img-src`.</h1>
+    <h1>`strict-dynamic` does not drop allowed source expressions in `img-src`.</h1>
     <div id='log'></div>
 
@@ -21 +21 @@
         async_test(function(t) {
             var e = document.createElement('img');
-            e.id = 'whitelistedImage';
+            e.id = 'allowedImage';
             e.src = '/content-security-policy/support/pass.png';
             e.onerror = t.unreached_func('Error should not be triggered.');
             e.onload = t.step_func_done();
             document.body.appendChild(e);
-        }, '`strict-dynamic` does not drop whitelists in `img-src`.');
+        }, '`strict-dynamic` does not drop allowed source expressions in `img-src`.');
     </script>
 </body>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html

@@ -23 +23 @@
             }));
 
-            assert_throws(new Error(),
+            assert_throws_js(Error,
                 function() {
                     try {

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log

@@ -57 +57 @@
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields-expected.txt

@@ -2 +2 @@
 PASS SecurityPolicyViolationEvent constructor should throw with no parameters 
 PASS SecurityPolicyViolationEvent constructor works with an init dict 
-FAIL SecurityPolicyViolationEvent constructor requires documentURI assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+FAIL SecurityPolicyViolationEvent constructor requires documentURI assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           // documentURI: "http://example.com",
           referrer: "http://example.com",
@@ -16 +16 @@
           columnNumber: 1,
       })}" did not throw
-FAIL SecurityPolicyViolationEvent constructor requires violatedDirective assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+FAIL SecurityPolicyViolationEvent constructor requires violatedDirective assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
           referrer: "http://example.com",
@@ -30 +30 @@
           columnNumber: 1,
       })}" did not throw
-FAIL SecurityPolicyViolationEvent constructor requires effectiveDirective assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+FAIL SecurityPolicyViolationEvent constructor requires effectiveDirective assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
           referrer: "http://example.com",
@@ -44 +44 @@
           columnNumber: 1,
       })}" did not throw
-FAIL SecurityPolicyViolationEvent constructor requires originalPolicy assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+FAIL SecurityPolicyViolationEvent constructor requires originalPolicy assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
           referrer: "http://example.com",
@@ -58 +58 @@
           columnNumber: 1,
       })}" did not throw
-FAIL SecurityPolicyViolationEvent constructor requires disposition assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+FAIL SecurityPolicyViolationEvent constructor requires disposition assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
           referrer: "http://example.com",
@@ -72 +72 @@
           columnNumber: 1,
       })}" did not throw
-FAIL SecurityPolicyViolationEvent constructor requires statusCode assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+FAIL SecurityPolicyViolationEvent constructor requires statusCode assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
           referrer: "http://example.com",

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html

@@ -5 +5 @@
     // basic tests.
     test(function() {
-      assert_throws(TypeError(),
-                    function() { new SecurityPolicyViolationEvent(); });
+      assert_throws_js(TypeError,
+                       function() { new SecurityPolicyViolationEvent(); });
     }, "SecurityPolicyViolationEvent constructor should throw with no parameters");
 
@@ -28 +28 @@
     // missing required members
     test(function() {
-      assert_throws(TypeError(),
+      assert_throws_js(TypeError,
         function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           // documentURI: "http://example.com",
@@ -46 +46 @@
 
     test(function() {
-      assert_throws(TypeError(),
+      assert_throws_js(TypeError,
         function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
@@ -64 +64 @@
 
     test(function() {
-      assert_throws(TypeError(),
+      assert_throws_js(TypeError,
         function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
@@ -82 +82 @@
 
     test(function() {
-      assert_throws(TypeError(),
+      assert_throws_js(TypeError,
         function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
@@ -100 +100 @@
 
     test(function() {
-      assert_throws(TypeError(),
+      assert_throws_js(TypeError,
         function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",
@@ -118 +118 @@
 
     test(function() {
-      assert_throws(TypeError(),
+      assert_throws_js(TypeError,
         function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
           documentURI: "http://example.com",

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https-expected.txt

@@ -1 +1 @@
 
-FAIL Upgraded image is reported Can't find variable: generateURL
-FAIL Upgraded iframe is reported Can't find variable: generateURL
-FAIL Navigated iframe is upgraded and reported Can't find variable: generateURL
 
+Harness Error (TIMEOUT), message = null
+
+TIMEOUT Upgraded image is reported Test timed out
+TIMEOUT Upgraded iframe is reported Test timed out
+TIMEOUT Navigated iframe is upgraded and reported Test timed out
+

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html

@@ -2 +2 @@
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="/upgrade-insecure-requests/support/testharness-helper.sub.js"></script>
+<script src="/common/security-features/resources/common.sub.js"></script>
 <body></body>
 <script>
@@ -15 +15 @@
 
     async_test(t => {
-      var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.IMAGE).url;
+      var url = getRequestURLs("img-tag",
+                               "same-http-downgrade",
+                               "no-redirect").testUrl;
       var i = document.createElement('img');
       var loaded = false;
@@ -36 +38 @@
 
     async_test(t => {
-      var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.FRAME).url;
+      var url = getRequestURLs("iframe-tag",
+                               "same-http-downgrade",
+                               "no-redirect").testUrl;
       var i = document.createElement('iframe');
       var loaded = false;
@@ -60 +64 @@
     async_test(t => {
       // Load an HTTPS iframe, then navigate it to an HTTP URL and check that the HTTP URL is both upgraded and reported.
-      var url = generateURL(Host.SAME_ORIGIN, Protocol.SECURE, ResourceType.FRAME).url;
-      var navigate_to = generateURL(Host.CROSS_ORIGIN, Protocol.INSECURE, ResourceType.FRAME).url;
+      var url = getRequestURLs("iframe-tag",
+                               "same-https",
+                               "no-redirect").testUrl;
+      var navigate_to = getRequestURLs("iframe-tag",
+                                       "cross-http-downgrade",
+                                       "no-redirect").testUrl;
       var upgraded = new URL(navigate_to);
       upgraded.protocol = "https";

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html

@@ -52 +52 @@
 
     </script>
-    <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+    <p>Style correctly allowed via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
     <div id="log"></div>
 </body>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js

@@ -48 +48 @@
   // received to conclude that no report has been generated. These timeouts must
   // not exceed the test timeouts set by vendors otherwise the test would fail.
-  var timeout = document.querySelector("meta[name=timeout][content=long]") ? 25 : 5;
+  var timeout = document.querySelector("meta[name=timeout][content=long]") ? 20 : 3;
   var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=retrieve_report&timeout=" + timeout + "&reportID=" + reportID;
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js

@@ -11 +11 @@
 }
 
-function waitUntilCSPEventForURL(test, url) {
+function waitUntilCSPEventForURLOrLine(test, url, line) {
   return new Promise((resolve, reject) => {
     self.addEventListener("securitypolicyviolation", test.step_func(e => {
-      if (e.blockedURI == url)
+      if (e.blockedURI == url && (!line || line == e.lineNumber))
         resolve(e);
     }));
@@ -20 +20 @@
 }
 
+function waitUntilCSPEventForURL(test, url) {
+  return waitUntilCSPEventForURLOrLine(test, url);
+}
+
 function waitUntilCSPEventForEval(test, line) {
-  return new Promise((resolve, reject) => {
-    self.addEventListener("securitypolicyviolation", test.step_func(e => {
-      if (e.blockedURI == "eval" && e.lineNumber == line)
-        resolve(e);
-    }));
-  });
+  return waitUntilCSPEventForURLOrLine(test, "eval", line);
+}
+
+function waitUntilCSPEventForTrustedTypes(test) {
+  return waitUntilCSPEventForURLOrLine(test, "trusted-types-sink");
 }
 
@@ -97 +100 @@
     // TODO(mkwst): We shouldn't be throwing here. We should be firing an
     // `error` event on the Worker. https://crbug.com/663298
-    assert_throws("SecurityError", function () {
+    assert_throws_dom("SecurityError", function () {
       var w = new Worker(url);
     });
@@ -116 +119 @@
     // TODO(mkwst): We shouldn't be throwing here. We should be firing an
     // `error` event on the SharedWorker. https://crbug.com/663298
-    assert_throws("SecurityError", function () {
+    assert_throws_dom("SecurityError", function () {
       var w = new SharedWorker(url);
     });
@@ -134 +137 @@
           assert_equals(e.effectiveDirective, "worker-src");
         })),
-      promise_rejects(t, "SecurityError", navigator.serviceWorker.register(url, { scope: url }))
+      promise_rejects_dom(t, "SecurityError", navigator.serviceWorker.register(url, { scope: url }))
     ]);
   }, description);

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub-expected.txt

@@ -1 +1 @@
 
-FAIL Same-origin dedicated worker blocked by host-source expression. assert_throws: function "function () {
+FAIL Same-origin dedicated worker blocked by host-source expression. assert_throws_dom: function "function () {
       var w = new Worker(url);
     }" did not throw
-FAIL blob: dedicated worker blocked by 'blob:'. assert_throws: function "function () {
+FAIL blob: dedicated worker blocked by 'blob:'. assert_throws_dom: function "function () {
       var w = new Worker(url);
     }" did not throw

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html

@@ -5 +5 @@
 <script src=/resources/testharnessreport.js></script>
 <script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
 <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
 <script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by child-src 'self'."></script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html

@@ -5 +5 @@
 <script src=/resources/testharnessreport.js></script>
 <script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
 <meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
 <script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html

@@ -5 +5 @@
 <script src=/resources/testharnessreport.js></script>
 <script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
 <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
 <script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html

@@ -5 +5 @@
 <script src=/resources/testharnessreport.js></script>
 <script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
 <meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
 <script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by worker-src 'self'."></script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html

@@ -5 +5 @@
 <script src=/resources/testharnessreport.js></script>
 <script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
 <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
 <script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script>

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html

@@ -5 +5 @@
 <script src=/resources/testharnessreport.js></script>
 <script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
 <meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
 <script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by worker-src 'self'."></script>

trunk/LayoutTests/platform/gtk/TestExpectations

@@ -1172 +1172 @@
 
 webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html [ Failure ]
-webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html [ Failure ]
 
 webkit.org/b/206588 fast/history/page-cache-media-recorder.html [ Failure ]

trunk/LayoutTests/platform/wpe/TestExpectations

@@ -503 +503 @@
 
 webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html [ Failure ]
-webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html [ Failure ]
 
 webkit.org/b/197473 imported/w3c/web-platform-tests/resource-timing/resource-timing-level1.sub.html [ Failure ]

trunk/LayoutTests/tests-options.json

@@ -561 +561 @@
         "slow"
     ],
+    "imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html": [
+        "slow"
+    ],
     "imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html": [
         "slow"