authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /testing/web-platform/tests/content-security-policy/unsafe-hashes
parentInitial commit. (diff)
downloadfirefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.tar.xz
firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/unsafe-hashes')
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html18
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html18
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html18
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html15
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js40
26 files changed, 581 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
new file mode 100644
index 0000000000..0c2a43a6e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+ 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(true, '<a href>', '');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
new file mode 100644
index 0000000000..f2b3e1ff72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
+ 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ // script-src-attr CSP should not have effects because navigation CSP
+ // checks are done against script-src-elem.
+ // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+ runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
new file mode 100644
index 0000000000..642d9768a5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc'
+ 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(true, '<a href target=_blank>', '');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
new file mode 100644
index 0000000000..a321521e04
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+ 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(true, '<a href target=_blank>', '');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html
new file mode 100644
index 0000000000..2fbda19924
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <!--
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+ -->
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the javascript: src is allowed to run");
+
+ window.onmessage = t1.step_func_done(function(e) {
+ assert_equals(e.data, "pass");
+ });
+
+ window.open('support/child_window_location_navigate.sub.html' +
+ '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+ '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+ </script>
+</body>
+
+</html>
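Review bot: The query parameters are built with `encodeURI`, which leaves `+`, `=`, `&` and `/` unencoded, so a CSP hash whose base64 contains `+` would be decoded by the server's query parser as a space and silently stop matching; the hashes used here happen not to contain `+`, so the test passes by luck rather than by construction. Use the component encoder for both parameters: `'?csp=' + encodeURIComponent("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +` and `'&url=' + encodeURIComponent("javascript:opener.postMessage('pass', '*')"));`. The same construction appears in javascript_src_denied_missing_unsafe_hashes-window_location.html and javascript_src_denied_wrong_hash-window_location.html.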
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html
new file mode 100644
index 0000000000..970290e3f6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+ <!--
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+ -->
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the javascript: src is allowed to run");
+
+ window.onmessage = t1.step_func_done(function(e) {
+ assert_equals(e.data, "pass");
+ });
+
+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+ window.open("javascript:opener.postMessage('pass', '*')");
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
new file mode 100644
index 0000000000..0f0dc67aa3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+ 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(false, '<a href>', ' due to missing unsafe-hashes');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
new file mode 100644
index 0000000000..6b863e7a99
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src-attr 'nonce-abc'
+ 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ // script-src-attr CSP should not have effects because navigation CSP
+ // checks are done against script-src-elem.
+ // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+ runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+ </script>
+</body>
+</html>
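Review bot: The file name says "denied_missing_unsafe_hashes" but the assertion is `runTest(true, ...)`, and the three-line comment above it only explains why script-src-attr is ignored, not why the expected outcome is "allowed" in a file named "denied"; a reader comparing it with the sibling script-src-elem file (which expects `false`) has to work this out. Add one line to the comment making the expectation explicit, e.g. `// With only script-src-attr set, no directive governs this navigation, so it is expected to succeed despite the file name.` The same applies to javascript_src_denied_wrong_hash-href_blank-script-src-attr.html.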
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
new file mode 100644
index 0000000000..23e9bdc187
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc'
+ 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
new file mode 100644
index 0000000000..81805a1f87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+ 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html
new file mode 100644
index 0000000000..d7a786078a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <!--
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+ -->
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+ window.onmessage = t1.step_func_done(function(e) {
+ assert_equals(e.data, "fail");
+ });
+
+ window.open('support/child_window_location_navigate.sub.html' +
+ '?csp=' + encodeURI("script-src 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+ '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
new file mode 100644
index 0000000000..12c9b09985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+ <!--
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+ -->
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+ window.onmessage = t1.unreached_func("Should have not received any message");
+
+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-elem');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+
+ window.open("javascript:opener.postMessage('pass', '*')");
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
new file mode 100644
index 0000000000..6558a03aed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+ 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(false, '<a href>', ' due to wrong hash');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
new file mode 100644
index 0000000000..fa394b1d0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
+ 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ // script-src-attr CSP should not have effects because navigation CSP
+ // checks are done against script-src-elem.
+ // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+ runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
new file mode 100644
index 0000000000..8ca49da775
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc'
+ 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(false, '<a href target=_blank>', ' due to wrong hash');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
new file mode 100644
index 0000000000..257899af29
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+ 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+ <script src="/resources/testharness.js" nonce="abc"></script>
+ <script src="/resources/testharnessreport.js" nonce="abc"></script>
+ <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+ <script nonce="abc">
+ runTest(false, '<a href target=_blank>', ' due to wrong hash');
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html
new file mode 100644
index 0000000000..96ff062101
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <!--
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+ -->
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+ window.onmessage = t1.step_func_done(function(e) {
+ assert_equals(e.data, "fail");
+ });
+
+ window.open('support/child_window_location_navigate.sub.html' +
+ '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='") +
+ '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+ </script>
+</body>
+
+</html>
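Review bot: The head comment documents the digest that matches `javascript:opener.postMessage('pass', '*')`, but the policy passed in the query string uses a different digest (`VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=`) with no indication that the mismatch is intentional, so a future maintainer could "fix" the policy to the documented hash and turn this into an allowed-navigation test. Extend the comment with a line such as `The policy below deliberately uses a non-matching digest; the navigation must be blocked.` The same comment/policy pairing appears in javascript_src_denied_wrong_hash-window_open.html.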
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
new file mode 100644
index 0000000000..c653d4f617
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+ 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=';">
+ <!--
+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+ -->
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+ window.onmessage = t1.unreached_func("Should have not received any message");
+
+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-elem');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+
+ window.open("javascript:opener.postMessage('pass', '*')");
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html
new file mode 100644
index 0000000000..7d50941d36
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the inline event handler is allowed to run");
+
+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+ </script>
+ <img src='../support/pass.png'
+ onload='t1.done();'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html
new file mode 100644
index 0000000000..7ba9d30bcf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;">
+ <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title>
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the inline event handler is not allowed to run");
+
+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-attr');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ </script>
+ <img src='../support/pass.png'
+ onload='t1.unreached_func("Should not have executed handler");'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
new file mode 100644
index 0000000000..2de6a48eb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
+ <title>Event handlers should be not allowed if a matching hash is not present</title>
+ <script src='/resources/testharness.js' nonce='abc'></script>
+ <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script nonce='abc'>
+ var t1 = async_test("Test that the inline event handler is not allowed to run");
+
+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-attr');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ </script>
+ <img src='../support/pass.png'
+ onload='t1.unreached_func("Should not have executed handler");'>
+</body>
+
+</html>
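Review bot: The policy uses `'sha256-thisdoesnotmatch'`, which is not a well-formed base64 digest, so whether the browser rejects the token at parse time or compares it and finds no match is not pinned down; the test then exercises parser leniency as much as hash comparison. The sibling href tests use a base64-shaped non-matching value, so for consistency and a sharper assertion use a well-formed digest here too, e.g. `'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro='` as in javascript_src_denied_wrong_hash-href.html.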
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html
new file mode 100644
index 0000000000..568c469b06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src *;
+ style-src 'unsafe-hashes' 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+ <!--
+ 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+ -->
+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script>
+ var t1 = async_test("Test that the inline style attribute is loaded");
+
+ self.check_for_style = t1.step_func_done(function() {
+ assert_equals("green", document.getElementById('test').style.background);
+ });
+
+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+ </script>
+ <img src='../support/pass.png' id='test' style='background: green'
+ onload='check_for_style()'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html
new file mode 100644
index 0000000000..e8070acba9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src *;
+ style-src 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+ <!--
+ 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+ -->
+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script>
+ var t1 = async_test("Test that the inline style attribute is blocked");
+
+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'style-src-attr');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+
+ </script>
+ <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>
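Review bot: The `<title>` is copied from the event-handler test and contradicts the file: it says "Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present" while the policy omits 'unsafe-hashes' and the assertion expects a `style-src-attr` violation. Since the title is what appears in test result listings, change it to `<title>Style attributes should not be allowed if a matching hash is present without 'unsafe-hashes'</title>`. style_attribute_denied_wrong_hash.html has the same copied title (it should say a non-matching hash blocks the attribute), and style_attribute_allowed.html also says "Event handlers" where "Style attributes" is meant.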
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
new file mode 100644
index 0000000000..be27637224
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src *;
+ style-src 'unsafe-hashes' 'sha256-UI8QfroYhb0WX073XBuM+RTPntpjZfkyFLsMw5vQfd0=';">
+ <!--
+ 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+ -->
+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+ <div id='log'></div>
+ <script>
+ var t1 = async_test("Test that the inline style attribute is blocked");
+
+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'style-src-attr');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+
+ </script>
+ <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
new file mode 100644
index 0000000000..3068822f37
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+
+<body>
+
+ <span id="escape">{{GET[url]}}</span>
+
+ <script nonce='abc'>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ opener.postMessage('fail', '*');
+ });
+
+ window.location.href = document.getElementById("escape").textContent;
+ </script>
+</body>
+
+</html>
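Review bot: The `url` parameter is substituted raw into the page markup inside `<span id="escape">`, and the script then reads it back via `textContent`; this round-trip is only exact while the URL contains no markup-significant characters, which holds for the current callers but is not stated anywhere. Also, the inline script carries `nonce='abc'`, so it runs only if every caller's `csp` parameter includes `'nonce-abc'`; a caller that forgets it gets a silent timeout rather than a clear failure. Document both contracts at the top of the script, e.g. `// Requires: the csp query parameter must contain 'nonce-abc' (this script is nonced), and url must not contain characters that HTML would parse inside the span.`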
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
new file mode 100644
index 0000000000..26db3289ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
@@ -0,0 +1,40 @@
+// Typical CSP hashes are:
+// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated();
+// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated();
+
+function runTest(navigationShouldAllowed, navigationMethod, description) {
+ const t1 = async_test(
+ 'javascript: navigation using ' + navigationMethod + ' should be ' +
+ (navigationShouldAllowed ? 'allowed' : 'refused') + description);
+
+ if (navigationShouldAllowed) {
+ window.navigated = () => t1.done();
+ window.addEventListener('securitypolicyviolation',
+ t1.unreached_func('Should have not raised any event'));
+ } else {
+ window.navigated =
+ t1.unreached_func('Should not have run javascript: URL');
+ window.addEventListener('securitypolicyviolation',
+ t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-elem');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ }
+
+ if (navigationMethod === '<a href target=_blank>') {
+ const a = document.createElement('a');
+ a.setAttribute('target', '_blank');
+ a.setAttribute('rel', 'opener');
+ a.setAttribute('href', 'javascript:opener.navigated();');
+ document.body.appendChild(a);
+ a.click();
+ }
+ else if (navigationMethod === '<a href>') {
+ const a = document.createElement('a');
+ a.setAttribute('href', 'javascript:navigated();');
+ document.body.appendChild(a);
+ a.click();
+ } else {
+ t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)();
+ }
+}
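Review bot: `a.setAttribute('rel', 'opener')` on the `target=_blank` branch is load-bearing — the child's `javascript:opener.navigated();` needs `opener` to be non-null, and `target=_blank` anchors otherwise open without an opener in current browsers — but nothing says so; add `// target=_blank implies noopener by default; the child must reach opener.navigated().` above it. Likewise the two `href` strings are the exact inputs the header hashes were computed from, so a comment on each such as `// Must stay byte-identical to the string listed in the header comment; the CSP hash covers it.` would stop a cosmetic edit from silently breaking every allowed-case test. The anchors appended to `document.body` are also never removed, which is harmless here but worth a note if the helper is ever called twice on one page.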