Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

26 files changed, 867 insertions, 0 deletions

diff --git a/testing/web-platform/tests/network-error-logging/META.yml b/testing/web-platform/tests/network-error-logging/META.yml
new file mode 100644
index 0000000000..6c1f88eafc
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/META.yml
@@ -0,0 +1,3 @@
+spec: https://w3c.github.io/network-error-logging/
+suggested_reviewers:
+  - dcreager
diff --git a/testing/web-platform/tests/network-error-logging/README.md b/testing/web-platform/tests/network-error-logging/README.md
new file mode 100644
index 0000000000..7cf2c6fdce
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/README.md
@@ -0,0 +1,74 @@
+# Network Error Logging
+
+The tests in this directory exercise the user agent's implementation of [Network
+Error Logging](https://w3c.github.io/network-error-logging/) and
+[Reporting](https://w3c.github.io/reporting/).
+
+## Collector
+
+Each test case generates a unique `reportID` that is used to distinguish the NEL
+reports generated by that test case.
+
+The [support/report.py][] file is a [Python file handler][] that can be used as
+a Reporting collector.  Its default operation is to save any reports that it
+receives into the [stash][].  If you pass in the optional `op` URL parameter,
+with a value of `retrieve_report`, it will instead return a list of all of the
+reports received for a particular `reportID`.
+
+[Python file handler]: https://wptserve.readthedocs.io/en/latest/handlers.html#python-file-handlers
+[stash]: https://wptserve.readthedocs.io/en/latest/stash.html
+[support/report.py]: support/report.py
+
+## Installing NEL policies
+
+NEL reports are only generated if the user agent has received a NEL policy for
+the origin of the request.  The current request counts; if its response contains
+a policy, that policy is used for the current request and all future requests,
+modulo the policy's `max_age` field.
+
+Most of the test cases will therefore make a request or two to install NEL
+policies, and then make another request that should or should not be covered by
+those policies.  It will then assert that NEL reports were or were not created,
+as required by the spec.
+
+The [support][] directory contains several images, each of which defines a
+particular "kind" of NEL policy (e.g., `include_subdomains` set vs unset, no
+policy at all, etc.).  The [support/nel.sub.js][] file contains helper
+JavaScript methods for requesting those images, so that the test cases
+themselves are more descriptive.
+
+[support]: support
+[support/nel.sub.js]: support/nel.sub.js
+
+## Avoiding spurious reports
+
+NEL policies apply to **all** future requests to the origin.  We therefore serve
+all of the test case's "infrastructure" (the test case itself,
+[support/report.py][] and [support/nel.sub.js][]) on a different origin than
+the requests that exercise the NEL implementation.  That ensures that we don't
+have to wade through NEL reports about the infrastructure when verifying the NEL
+reports about the requests that we care about.
+
+## Browser configuration
+
+You must configure your browser's Reporting implementation to upload reports for
+a request immediately.  The test cases do not currently have any timeouts; they
+assume that as soon as the Fetch API promise resolves, any NEL reports for the
+request have already been uploaded.
+
+## Test parallelism
+
+Because NEL policies are stored in a global cache in the user agent, we need to
+run the tests in this directory serially instead of in parallel.  We implement a
+simple spin-lock in [support/lock.py][] to ensure that only one test is allowed
+to perform any NEL-related requests at a time.
+
+[support/lock.py]: support/lock.py
+
+## CORS preflights
+
+Reporting uploads are subject to CORS preflights.  We want to test normal
+operation (when preflight requests succeed) as well as failures of the CORS
+preflight logic in the user agent.  To support this, our test collector is
+configured to always reject the CORS preflight for a single domain (www2), and
+to always grant the CORS preflight for all other test subdomains.
diff --git a/testing/web-platform/tests/network-error-logging/no-report-on-failed-cors-preflight.https.html b/testing/web-platform/tests/network-error-logging/no-report-on-failed-cors-preflight.https.html
new file mode 100644
index 0000000000..3a35651b4e
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/no-report-on-failed-cors-preflight.https.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are not sent if the CORS preflight fails
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include a NEL
+      // policy, but where the report uploader will reject the CORS preflight.
+      await fetchResourceWithBasicPolicy('www2');
+      // Because the CORS preflight is rejected, we should never receive a
+      // report about the request.
+      assert_false(await reportExists({
+        url: getURLForResourceWithBasicPolicy('www2'),
+        type: "network-error",
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/no-report-on-subdomain-404.https.html b/testing/web-platform/tests/network-error-logging/no-report-on-subdomain-404.https.html
new file mode 100644
index 0000000000..462f99e842
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/no-report-on-subdomain-404.https.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that include_subdomains policies do NOT report HTTP errors
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include an
+      // include_subdomains NEL policy.
+      await fetchResourceWithIncludeSubdomainsPolicy();
+      // Make a request to another resource on a subdomain of the above.  This
+      // resource doesn't exist, so the server should return a 404.
+      await fetchMissingResource('www');
+      // The include_subdomains policy that we just received should NOT cover
+      // the second request, since include_subdomains policies can only report
+      // on DNS errors.
+      assert_false(await reportExists({
+        url: getURLForMissingResource('www'),
+        type: "network-error",
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/no-report-on-subdomain-success.https.html b/testing/web-platform/tests/network-error-logging/no-report-on-subdomain-success.https.html
new file mode 100644
index 0000000000..5fd6d4fb41
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/no-report-on-subdomain-success.https.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that include_subdomains policies do NOT report successful requests
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include an
+      // include_subdomains NEL policy.
+      await fetchResourceWithIncludeSubdomainsPolicy();
+      // Make a request to another resource on a subdomain of the above, which
+      // does not define its own NEL policy.
+      await fetchResourceWithNoPolicy('www');
+      // The include_subdomains policy that we just received should NOT cover
+      // the second request, since include_subdomains policies can only report
+      // on DNS errors.
+      assert_false(await reportExists({
+        url: getURLForResourceWithNoPolicy('www'),
+        type: "network-error",
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/no-report-on-unexpired-cached-response.https.html b/testing/web-platform/tests/network-error-logging/no-report-on-unexpired-cached-response.https.html
new file mode 100644
index 0000000000..8248aa52ec
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/no-report-on-unexpired-cached-response.https.html
@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are not sent for cached responses that don't hit the
+    network
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Fetch a resource that can be cached without validation.  Do this
+      // *before* fetching the NEL policy for this origin, to ensure that we
+      // don't generate any report about this request.
+      await fetchCachedResource();
+      // Fetch the NEL policy for this origin.
+      await fetchResourceWithBasicPolicy();
+      // Fetch the now-cached resource again.  This should not generate a new
+      // network request.
+      await fetchCachedResource();
+      // Because the cached request did not generate a network request, we
+      // should never receive a report about the request.
+      assert_false(await reportExists({
+        url: getURLForCachedResource(),
+        type: "network-error",
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/reports-are-not-observable.https.html b/testing/web-platform/tests/network-error-logging/reports-are-not-observable.https.html
new file mode 100644
index 0000000000..35ab4f3c23
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/reports-are-not-observable.https.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are not observable from JavaScript
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Register an observer for NEL reports.
+      var observer = new ReportingObserver((reports, _) => {
+        assert_unreached("NEL reports should not be observable");
+      }, {"types": ["network-error"]});
+      observer.observe();
+      // Make a request to a resource whose response headers include a NEL
+      // policy.  If NEL reports are observable, this will queue a task that
+      // calls the observer function above (which we don't want).
+      await fetchResourceWithBasicPolicy();
+      // Wait for one second to give any observer callback task a chance to
+      // fire.
+      await new Promise(resolve => t.step_timeout(resolve, 1000 /* msec */));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/sends-report-on-404.https.html b/testing/web-platform/tests/network-error-logging/sends-report-on-404.https.html
new file mode 100644
index 0000000000..38bdc01450
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/sends-report-on-404.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are sent for HTTP errors
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include a NEL
+      // policy.
+      await fetchResourceWithBasicPolicy();
+      // Make a request to another resource on the same domain.  This resource
+      // doesn't exist, so the server should return a 404.
+      await fetchMissingResource();
+      // The 404 won't contain its own NEL policy, but the policy we received in
+      // the first request should cover the second request, too, since they're
+      // at the same origin, so the collector should have received a report
+      // about it.
+      assert_true(await reportExists({
+        url: getURLForMissingResource(),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 404,
+          phase: "application",
+          type: "http.error",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/sends-report-on-cache-validation.https.html b/testing/web-platform/tests/network-error-logging/sends-report-on-cache-validation.https.html
new file mode 100644
index 0000000000..b87053cb7f
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/sends-report-on-cache-validation.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are sent for cache validation requests
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Fetch a resource that can be cached, but whose response requires
+      // validation.  Do this *before* fetching the NEL policy for this origin,
+      // to ensure that we don't generate any report about this request.
+      await fetchValidatedCachedResource();
+      // Fetch the NEL policy for this origin.
+      await fetchResourceWithBasicPolicy();
+      // Fetch the now-cached resource again.  Because the response requires
+      // validation, this will result in a network request.
+      await fetchValidatedCachedResource();
+      // We should receive a report about the cache validation request.
+      assert_true(await reportExists({
+        url: getURLForValidatedCachedResource(),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 304,
+          phase: "application",
+          type: "ok",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/sends-report-on-redirect.https.html b/testing/web-platform/tests/network-error-logging/sends-report-on-redirect.https.html
new file mode 100644
index 0000000000..da6ae72c5a
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/sends-report-on-redirect.https.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are sent for redirects
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include a NEL
+      // policy.
+      await fetchResourceWithBasicPolicy();
+      // Then make a request that results in a redirect.
+      await fetchRedirectedResource();
+      // We should receive a report about the redirect itself, and also about
+      // the resource that we were redirected to.
+      assert_true(await reportExists({
+        url: getURLForRedirectedResource(),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 302,
+          phase: "application",
+          type: "ok",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }, true /* retain */), "receive report about redirected resource");
+      assert_true(await reportExists({
+        // This happens to be where we're redirected to.
+        url: getURLForResourceWithNoPolicy(),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 200,
+          phase: "application",
+          type: "ok",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }), "receive report about redirect target");
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/sends-report-on-subdomain-dns-failure.https.html b/testing/web-platform/tests/network-error-logging/sends-report-on-subdomain-dns-failure.https.html
new file mode 100644
index 0000000000..8913857af8
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/sends-report-on-subdomain-dns-failure.https.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that include_subdomains policies report DNS failures for subdomains
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include an
+      // include_subdomains NEL policy.
+      await fetchResourceWithIncludeSubdomainsPolicy();
+      // Make a request to another resource on a nonexistent subdomain of the
+      // above.  Since the subdomain doesn't exist, the request should fail with
+      // a DNS error.
+      await fetchResourceWithNoPolicy('nonexistent').then((response) => {
+        assert_unreached("Request to nonexistent domain should fail");
+      }, (err) => {
+        // Silence the error, since it's expected.
+      });
+      // The include_subdomains policy that we just received should cover the
+      // second request, since include_subdomains policies can report on DNS
+      // errors, so the collector should have received a report about it.
+      assert_true(await reportExists({
+        url: getURLForResourceWithNoPolicy('nonexistent'),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 0,
+          phase: "dns",
+          type: "dns.name_not_resolved",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/sends-report-on-success-with-subdomain-policy.https.html b/testing/web-platform/tests/network-error-logging/sends-report-on-success-with-subdomain-policy.https.html
new file mode 100644
index 0000000000..fce12cd3e9
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/sends-report-on-success-with-subdomain-policy.https.html
@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are sent for successful requests
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include an
+      // include_subdomains NEL policy.
+      await fetchResourceWithIncludeSubdomainsPolicy();
+      // That policy should apply to the request that delivered it.  Even though
+      // the policy has include_subdomains set, it SHOULD generate a full,
+      // non-downgraded report about the request, since the request has the
+      // same origin as the policy.  (I.e., since the origins are the same, the
+      // include_subdomains setting is irrelevant.)
+      assert_true(await reportExists({
+        url: getURLForResourceWithIncludeSubdomainsPolicy(),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 200,
+          phase: "application",
+          type: "ok",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/sends-report-on-success.https.html b/testing/web-platform/tests/network-error-logging/sends-report-on-success.https.html
new file mode 100644
index 0000000000..68fddaa0c7
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/sends-report-on-success.https.html
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>
+    Test that NEL reports are sent for successful requests
+  </title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='./support/nel.sub.js'></script>
+</head>
+<body>
+  <script>
+    nel_test(async t => {
+      // Make a request to a resource whose response headers include a NEL
+      // policy.
+      await fetchResourceWithBasicPolicy();
+      // That policy should apply to the request that delivered it, so the
+      // collector should have received a report about the request.
+      assert_true(await reportExists({
+        url: getURLForResourceWithBasicPolicy(),
+        user_agent: navigator.userAgent,
+        type: "network-error",
+        body: {
+          method: "GET",
+          sampling_fraction: 1.0,
+          status_code: 200,
+          phase: "application",
+          type: "ok",
+        },
+        metadata: {
+          content_type: "application/reports+json",
+        },
+      }));
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/network-error-logging/support/cached-for-one-minute.png b/testing/web-platform/tests/network-error-logging/support/cached-for-one-minute.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/cached-for-one-minute.png
diff --git a/testing/web-platform/tests/network-error-logging/support/cached-for-one-minute.png.sub.headers b/testing/web-platform/tests/network-error-logging/support/cached-for-one-minute.png.sub.headers
new file mode 100644
index 0000000000..63d4c4de03
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/cached-for-one-minute.png.sub.headers
@@ -0,0 +1 @@
+Cache-Control: public, max-age=60, must-revalidate
diff --git a/testing/web-platform/tests/network-error-logging/support/cached-with-validation.py b/testing/web-platform/tests/network-error-logging/support/cached-with-validation.py
new file mode 100644
index 0000000000..e5090e0392
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/cached-with-validation.py
@@ -0,0 +1,17 @@
+ETAG = b'"123abc"'
+CONTENT_TYPE = b"text/plain"
+CONTENT = u"lorem ipsum dolor sit amet"
+
+def main(request, response):
+    # let caching kick in if possible (conditional GET)
+    etag = request.headers.get(b"If-None-Match", None)
+    if etag == ETAG:
+        response.headers.set(b"X-HTTP-STATUS", 304)
+        response.status = (304, b"Not Modified")
+        return u""
+
+    # cache miss, so respond with the actual content
+    response.status = (200, b"OK")
+    response.headers.set(b"ETag", ETAG)
+    response.headers.set(b"Content-Type", CONTENT_TYPE)
+    return CONTENT
diff --git a/testing/web-platform/tests/network-error-logging/support/clear-policy-pass.png b/testing/web-platform/tests/network-error-logging/support/clear-policy-pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/clear-policy-pass.png
diff --git a/testing/web-platform/tests/network-error-logging/support/clear-policy-pass.png.sub.headers b/testing/web-platform/tests/network-error-logging/support/clear-policy-pass.png.sub.headers
new file mode 100644
index 0000000000..1085b8a987
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/clear-policy-pass.png.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Report-To: { "group": "nel-group", "max_age": 0, "endpoints": [] }
+NEL: {"max_age": 0}
diff --git a/testing/web-platform/tests/network-error-logging/support/lock.py b/testing/web-platform/tests/network-error-logging/support/lock.py
new file mode 100644
index 0000000000..0c5ae6b6f5
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/lock.py
@@ -0,0 +1,48 @@
+# This file implements a shared lock that lets us ensure that the test cases in
+# this directory run serially.  Each test case obtains this lock as its first
+# step, and releases it as its last.  (The nel_test helper function in
+# nel.sub.js automates this process.)  Because the lock needs to be shared
+# across all of the test cases, we use a hard-coded stash key.  This hard-coded
+# key is a random UUID, which should not conflict with any other auto-generated
+# stash keys.
+
+import time
+
+_LOCK_KEY = b"67966d2e-a847-41d8-b7c3-5f6aee3375ba"
+_TIMEOUT = 5  # seconds
+
+def wait_for_lock(request):
+  t0 = time.time()
+  while time.time() - t0 < _TIMEOUT:
+    time.sleep(0.5)
+    value = request.server.stash.take(key=_LOCK_KEY)
+    if value is None:
+      return True
+  return False
+
+def lock(request, report_id):
+  with request.server.stash.lock:
+    # Loop until the lock is free
+    if not wait_for_lock(request):
+      return (503, [], b"Cannot obtain lock")
+    request.server.stash.put(key=_LOCK_KEY, value=report_id)
+    return b"Obtained lock for %s" % report_id
+
+def unlock(request, report_id):
+  with request.server.stash.lock:
+    lock_holder = request.server.stash.take(key=_LOCK_KEY)
+    if lock_holder != report_id:
+      # Return the lock holder to the stash
+      request.server.stash.put(key=_LOCK_KEY, value=lock_holder)
+      return (503, [], b"Cannot release lock held by %s" % lock_holder)
+  return b"Released lock for %s" % report_id
+
+def main(request, response):
+  op = request.GET.first(b"op")
+  report_id = request.GET.first(b"reportID")
+  if op == b"lock":
+    return lock(request, report_id)
+  elif op == b"unlock":
+    return unlock(request, report_id)
+  else:
+    return (400, [], b"Invalid op")
diff --git a/testing/web-platform/tests/network-error-logging/support/nel.sub.js b/testing/web-platform/tests/network-error-logging/support/nel.sub.js
new file mode 100644
index 0000000000..856af10cf7
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/nel.sub.js
@@ -0,0 +1,293 @@
+const reportID = "{{$id:uuid()}}";
+
+/*
+ * NEL tests have to run serially, since the user agent maintains a global cache
+ * of Reporting and NEL policies, and we don't want the policies for multiple
+ * tests to interfere with each other.  These functions (along with a Python
+ * handler in lock.py) implement a simple spin lock.
+ */
+
+function obtainNELLock() {
+  return fetch("/network-error-logging/support/lock.py?op=lock&reportID=" + reportID);
+}
+
+function releaseNELLock() {
+  return fetch("/network-error-logging/support/lock.py?op=unlock&reportID=" + reportID);
+}
+
+function nel_test(callback, name, properties) {
+  promise_test(async t => {
+    await obtainNELLock();
+    await clearReportingAndNELConfigurations();
+    await callback(t);
+    await releaseNELLock();
+  }, name, properties);
+}
+
+function nel_iframe_test(callback, name, properties) {
+  promise_test(async t => {
+    await obtainNELLock();
+    await clearReportingAndNELConfigurationsInIframe();
+    await callback(t);
+    await releaseNELLock();
+  }, name, properties);
+}
+
+/*
+ * Helper functions for constructing domain names that contain NEL policies.
+ */
+function _monitoredDomain(subdomain) {
+  if (subdomain == "www") {
+    return "{{hosts[alt][www]}}"
+  } else if (subdomain == "www1") {
+    return "{{hosts[alt][www1]}}"
+  } else if (subdomain == "www2") {
+    return "{{hosts[alt][www2]}}"
+  } else if (subdomain == "nonexistent") {
+    return "{{hosts[alt][nonexistent]}}"
+  } else {
+    return "{{hosts[alt][]}}"
+  }
+}
+
+function _getNELResourceURL(subdomain, suffix) {
+  return "https://" + _monitoredDomain(subdomain) +
+    ":{{ports[https][0]}}/network-error-logging/support/" + suffix;
+}
+
+/*
+ * Fetches a resource whose headers define a basic NEL policy (i.e., with no
+ * include_subdomains flag).  We ensure that we request the resource from a
+ * different origin than is used for the main test case HTML file or for report
+ * uploads.  This minimizes the number of reports that are generated for this
+ * policy.
+ */
+
+function getURLForResourceWithBasicPolicy(subdomain) {
+  return _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=1.0");
+}
+
+function fetchResourceWithBasicPolicy(subdomain) {
+  const url = getURLForResourceWithBasicPolicy(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+function fetchResourceWithZeroSuccessFractionPolicy(subdomain) {
+  const url = _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=0.0");
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Similar to the above methods, but fetch resources in an iframe. Allows matching
+ * full context of reports sent from an iframe that's same-site relative to the domains
+ * a policy set.
+ */
+
+ function loadResourceWithBasicPolicyInIframe(subdomain) {
+  return loadResourceWithPolicyInIframe(
+      getURLForResourceWithBasicPolicy(subdomain));
+}
+
+function loadResourceWithZeroSuccessFractionPolicyInIframe(subdomain) {
+  return loadResourceWithPolicyInIframe(
+      _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=0.0"));
+}
+
+function clearResourceWithBasicPolicyInIframe(subdomain) {
+  return loadResourceWithPolicyInIframe(
+      getURLForClearingConfiguration(subdomain));
+}
+
+function loadResourceWithPolicyInIframe(url) {
+  return new Promise((resolve, reject) => {
+    const frame = document.createElement('iframe');
+    frame.src = url;
+    frame.onload = () => resolve(frame);
+    frame.onerror = () => reject('failed to load ' + url);
+    document.body.appendChild(frame);
+  });
+}
+
+/*
+ * Fetches a resource whose headers define an include_subdomains NEL policy.
+ */
+
+function getURLForResourceWithIncludeSubdomainsPolicy(subdomain) {
+  return _getNELResourceURL(subdomain, "subdomains-pass.png?id="+reportID);
+}
+
+function fetchResourceWithIncludeSubdomainsPolicy(subdomain) {
+  const url = getURLForResourceWithIncludeSubdomainsPolicy(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Fetches a resource whose headers do NOT define a NEL policy.  This may or may
+ * not generate a NEL report, depending on whether you've already successfully
+ * requested a resource from the same origin that included a NEL policy.
+ */
+
+function getURLForResourceWithNoPolicy(subdomain) {
+  return _getNELResourceURL(subdomain, "no-policy-pass.png");
+}
+
+function fetchResourceWithNoPolicy(subdomain) {
+  const url = getURLForResourceWithNoPolicy(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Fetches a resource that doesn't exist.  This may or may not generate a NEL
+ * report, depending on whether you've already successfully requested a resource
+ * from the same origin that included a NEL policy.
+ */
+
+function getURLForMissingResource(subdomain) {
+  return _getNELResourceURL(subdomain, "nonexistent.png");
+}
+
+function fetchMissingResource(subdomain) {
+  const url = getURLForMissingResource(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Fetches a resource that can be cached without validation.
+ */
+
+function getURLForCachedResource(subdomain) {
+  return _getNELResourceURL(subdomain, "cached-for-one-minute.png");
+}
+
+function fetchCachedResource(subdomain) {
+  const url = getURLForCachedResource(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Fetches a resource that can be cached but requires validation.
+ */
+
+function getURLForValidatedCachedResource(subdomain) {
+  return _getNELResourceURL(subdomain, "cached-with-validation.py");
+}
+
+function fetchValidatedCachedResource(subdomain) {
+  const url = getURLForValidatedCachedResource(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Fetches a resource that redirects once before returning a successful
+ * response.
+ */
+
+function getURLForRedirectedResource(subdomain) {
+  return _getNELResourceURL(subdomain, "redirect.py?id="+reportID);
+}
+
+function fetchRedirectedResource(subdomain) {
+  const url = getURLForRedirectedResource(subdomain);
+  return fetch(url, {mode: "no-cors"});
+}
+
+/*
+ * Fetches resources that clear out any existing Reporting or NEL configurations
+ * for all origins that any test case might use.
+ */
+
+function getURLForClearingConfiguration(subdomain) {
+  return _getNELResourceURL(subdomain, "clear-policy-pass.png?id="+reportID);
+}
+
+async function clearReportingAndNELConfigurations(subdomain) {
+  await Promise.all([
+    fetch(getURLForClearingConfiguration(""), {mode: "no-cors"}),
+    fetch(getURLForClearingConfiguration("www"), {mode: "no-cors"}),
+    fetch(getURLForClearingConfiguration("www1"), {mode: "no-cors"}),
+    fetch(getURLForClearingConfiguration("www2"), {mode: "no-cors"}),
+  ]);
+  return;
+}
+
+async function clearReportingAndNELConfigurationsInIframe(subdomain) {
+  await Promise.all([
+    clearResourceWithBasicPolicyInIframe(""),
+    clearResourceWithBasicPolicyInIframe("www"),
+    clearResourceWithBasicPolicyInIframe("www1"),
+    clearResourceWithBasicPolicyInIframe("www2"),
+  ]);
+  return;
+}
+
+/*
+ * Returns whether all of the fields in obj1 also exist in obj2 with the same
+ * values.  (Put another way, returns whether obj1 and obj2 are equal, ignoring
+ * any extra fields in obj2.)
+ */
+
+function _isSubsetOf(obj1, obj2) {
+  for (const prop in obj1) {
+    if (typeof obj1[prop] === 'object') {
+      if (typeof obj2[prop] !== 'object') {
+        return false;
+      }
+      if (!_isSubsetOf(obj1[prop], obj2[prop])) {
+        return false;
+      }
+    } else if (obj1[prop] != obj2[prop]) {
+      return false;
+    }
+  }
+  return true;
+}
+
+/*
+ * Verifies that a report was uploaded that contains all of the fields in
+ * expected.
+ */
+
+async function reportExists(expected, retain_reports) {
+  var timeout =
+    document.querySelector("meta[name=timeout][content=long]") ? 50 : 1;
+  var reportLocation =
+    "/reporting/resources/report.py?op=retrieve_report&timeout=" +
+    timeout + "&reportID=" + reportID;
+  if (retain_reports)
+    reportLocation += "&retain=1";
+  const response = await fetch(reportLocation);
+  const json = await response.json();
+  for (const report of json) {
+    if (_isSubsetOf(expected, report)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/*
+ * Verifies that reports were uploaded that contains all of the fields in
+ * expected.
+ */
+
+async function reportsExist(expected_reports, retain_reports) {
+  const timeout = 10;
+  let reportLocation =
+    "/reporting/resources/report.py?op=retrieve_report&timeout=" +
+    timeout + "&reportID=" + reportID;
+  if (retain_reports)
+    reportLocation += "&retain";
+  // There must be the report of pass.png, so adding 1.
+  const min_count = expected_reports.length + 1;
+  reportLocation += "&min_count=" + min_count;
+  const response = await fetch(reportLocation);
+  const json = await response.json();
+  for (const expected of expected_reports) {
+    const found = json.some((report) => {
+      return _isSubsetOf(expected, report);
+    });
+    if (!found)
+      return false;
+  }
+  return true;
+}
diff --git a/testing/web-platform/tests/network-error-logging/support/no-policy-pass.png b/testing/web-platform/tests/network-error-logging/support/no-policy-pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/no-policy-pass.png
diff --git a/testing/web-platform/tests/network-error-logging/support/pass.png b/testing/web-platform/tests/network-error-logging/support/pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/pass.png
diff --git a/testing/web-platform/tests/network-error-logging/support/pass.png.sub.headers b/testing/web-platform/tests/network-error-logging/support/pass.png.sub.headers
new file mode 100644
index 0000000000..4cf91f1359
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/pass.png.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Report-To: { "group": "nel-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{GET[id]}}" }] }
+NEL: {"report_to": "nel-group", "max_age": 10886400, "success_fraction": {{GET[success_fraction]}}}
diff --git a/testing/web-platform/tests/network-error-logging/support/redirect.py b/testing/web-platform/tests/network-error-logging/support/redirect.py
new file mode 100644
index 0000000000..7da4504764
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/redirect.py
@@ -0,0 +1,3 @@
+# Always redirects to no-policy-pass.png.
+def main(request, response):
+  return 302, [(b"Location", b"no-policy-pass.png")], u""
diff --git a/testing/web-platform/tests/network-error-logging/support/subdomains-pass.png b/testing/web-platform/tests/network-error-logging/support/subdomains-pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/subdomains-pass.png
diff --git a/testing/web-platform/tests/network-error-logging/support/subdomains-pass.png.sub.headers b/testing/web-platform/tests/network-error-logging/support/subdomains-pass.png.sub.headers
new file mode 100644
index 0000000000..ae6ce3f43c
--- /dev/null
+++ b/testing/web-platform/tests/network-error-logging/support/subdomains-pass.png.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Report-To: { "group": "nel-group", "max_age": 10886400, "include_subdomains": true, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{GET[id]}}" }] }
+NEL: {"report_to": "nel-group", "max_age": 10886400, "include_subdomains": true, "success_fraction": 1.0}