1 files changed, 27 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
new file mode 100644
index 0000000000..d210cc6670
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
@@ -0,0 +1,27 @@
+setup(_ => {
+  const meta = document.createElement("meta");
+  meta.httpEquiv = "content-security-policy";
+  meta.content = "img-src http://*:{{ports[http][0]}}";
+  document.head.appendChild(meta);
+});
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onerror = t.step_func_done();
+  img.onload = t.unreached_func("`data:` image should have been blocked.");
+  img.src = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="
+}, "Host wildcard doesn't affect scheme matching.");
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onload = t.step_func_done();
+  img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+  img.src = "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www1).");
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onload = t.step_func_done();
+  img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+  img.src = "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www2).");