From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 02:47:55 +0200
Subject: Adding upstream version 124.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 dom/security/test/sri/file_bug_1271796.css         |   2 +
 .../test/sri/iframe_script_crossdomain.html        | 135 +++++++++++
 .../test/sri/iframe_script_sameorigin.html         | 249 +++++++++++++++++++++
 .../test/sri/iframe_style_crossdomain.html         | 117 ++++++++++
 dom/security/test/sri/iframe_style_sameorigin.html | 164 ++++++++++++++
 dom/security/test/sri/mochitest.toml               |  56 +++++
 dom/security/test/sri/script.js                    |   1 +
 dom/security/test/sri/script.js^headers^           |   1 +
 dom/security/test/sri/script_301.js                |   1 +
 dom/security/test/sri/script_301.js^headers^       |   2 +
 dom/security/test/sri/script_302.js                |   1 +
 dom/security/test/sri/script_302.js^headers^       |   2 +
 dom/security/test/sri/script_401.js                |   1 +
 dom/security/test/sri/script_401.js^headers^       |   2 +
 dom/security/test/sri/script_crossdomain1.js       |   4 +
 .../test/sri/script_crossdomain1.js^headers^       |   1 +
 dom/security/test/sri/script_crossdomain2.js       |   5 +
 dom/security/test/sri/script_crossdomain3.js       |   1 +
 .../test/sri/script_crossdomain3.js^headers^       |   1 +
 dom/security/test/sri/script_crossdomain4.js       |   1 +
 .../test/sri/script_crossdomain4.js^headers^       |   1 +
 dom/security/test/sri/script_crossdomain5.js       |   1 +
 .../test/sri/script_crossdomain5.js^headers^       |   1 +
 dom/security/test/sri/style1.css                   |   3 +
 dom/security/test/sri/style1.css^headers^          |   1 +
 dom/security/test/sri/style2.css                   |   1 +
 dom/security/test/sri/style3.css                   |   3 +
 dom/security/test/sri/style4.css                   |   4 +
 dom/security/test/sri/style4.css^headers^          |   1 +
 dom/security/test/sri/style5.css                   |   4 +
 dom/security/test/sri/style6.css                   |   4 +
 dom/security/test/sri/style6.css^headers^          |   1 +
 dom/security/test/sri/style_301.css                |   3 +
 dom/security/test/sri/style_301.css^headers^       |   2 +
 dom/security/test/sri/test_bug_1271796.html        |  30 +++
 dom/security/test/sri/test_bug_1364262.html        |  34 +++
 dom/security/test/sri/test_script_crossdomain.html |  15 ++
 dom/security/test/sri/test_script_sameorigin.html  |  15 ++
 dom/security/test/sri/test_style_crossdomain.html  |  15 ++
 dom/security/test/sri/test_style_sameorigin.html   |  15 ++
 40 files changed, 901 insertions(+)
 create mode 100644 dom/security/test/sri/file_bug_1271796.css
 create mode 100644 dom/security/test/sri/iframe_script_crossdomain.html
 create mode 100644 dom/security/test/sri/iframe_script_sameorigin.html
 create mode 100644 dom/security/test/sri/iframe_style_crossdomain.html
 create mode 100644 dom/security/test/sri/iframe_style_sameorigin.html
 create mode 100644 dom/security/test/sri/mochitest.toml
 create mode 100644 dom/security/test/sri/script.js
 create mode 100644 dom/security/test/sri/script.js^headers^
 create mode 100644 dom/security/test/sri/script_301.js
 create mode 100644 dom/security/test/sri/script_301.js^headers^
 create mode 100644 dom/security/test/sri/script_302.js
 create mode 100644 dom/security/test/sri/script_302.js^headers^
 create mode 100644 dom/security/test/sri/script_401.js
 create mode 100644 dom/security/test/sri/script_401.js^headers^
 create mode 100644 dom/security/test/sri/script_crossdomain1.js
 create mode 100644 dom/security/test/sri/script_crossdomain1.js^headers^
 create mode 100644 dom/security/test/sri/script_crossdomain2.js
 create mode 100644 dom/security/test/sri/script_crossdomain3.js
 create mode 100644 dom/security/test/sri/script_crossdomain3.js^headers^
 create mode 100644 dom/security/test/sri/script_crossdomain4.js
 create mode 100644 dom/security/test/sri/script_crossdomain4.js^headers^
 create mode 100644 dom/security/test/sri/script_crossdomain5.js
 create mode 100644 dom/security/test/sri/script_crossdomain5.js^headers^
 create mode 100644 dom/security/test/sri/style1.css
 create mode 100644 dom/security/test/sri/style1.css^headers^
 create mode 100644 dom/security/test/sri/style2.css
 create mode 100644 dom/security/test/sri/style3.css
 create mode 100644 dom/security/test/sri/style4.css
 create mode 100644 dom/security/test/sri/style4.css^headers^
 create mode 100644 dom/security/test/sri/style5.css
 create mode 100644 dom/security/test/sri/style6.css
 create mode 100644 dom/security/test/sri/style6.css^headers^
 create mode 100644 dom/security/test/sri/style_301.css
 create mode 100644 dom/security/test/sri/style_301.css^headers^
 create mode 100644 dom/security/test/sri/test_bug_1271796.html
 create mode 100644 dom/security/test/sri/test_bug_1364262.html
 create mode 100644 dom/security/test/sri/test_script_crossdomain.html
 create mode 100644 dom/security/test/sri/test_script_sameorigin.html
 create mode 100644 dom/security/test/sri/test_style_crossdomain.html
 create mode 100644 dom/security/test/sri/test_style_sameorigin.html

(limited to 'dom/security/test/sri')

diff --git a/dom/security/test/sri/file_bug_1271796.css b/dom/security/test/sri/file_bug_1271796.css
new file mode 100644
index 0000000000..c0928f2cf0
--- /dev/null
+++ b/dom/security/test/sri/file_bug_1271796.css
@@ -0,0 +1,2 @@
+/*! Simple test for bug 1271796 */
+p::before { content: "\2014"; }
diff --git a/dom/security/test/sri/iframe_script_crossdomain.html b/dom/security/test/sri/iframe_script_crossdomain.html
new file mode 100644
index 0000000000..fe91834db5
--- /dev/null
+++ b/dom/security/test/sri/iframe_script_crossdomain.html
@@ -0,0 +1,135 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+</pre>
+
+<script type="application/javascript">
+  SimpleTest.waitForExplicitFinish();
+
+  window.hasCORSLoaded = false;
+  window.hasNonCORSLoaded = false;
+
+  function good_nonsriLoaded() {
+    ok(true, "Non-eligible non-SRI resource was loaded correctly.");
+  }
+  function bad_nonsriBlocked() {
+    ok(false, "Non-eligible non-SRI resources should be loaded!");
+  }
+
+  function good_nonCORSInvalidBlocked() {
+    ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
+  }
+  function bad_nonCORSInvalidLoaded() {
+    ok(false, "Non-CORS resources with invalid metadata should be blocked!");
+  }
+
+  window.onerrorCalled = false;
+  window.onloadCalled = false;
+
+  function bad_onloadCalled() {
+    window.onloadCalled = true;
+  }
+
+  function good_onerrorCalled() {
+    window.onerrorCalled = true;
+  }
+
+  function good_incorrect301Blocked() {
+    ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
+  }
+  function bad_incorrect301Loaded() {
+    ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
+  }
+
+  function good_correct301Blocked() {
+    ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
+  }
+  function bad_correct301Loaded() {
+    ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
+  }
+
+  function good_correctDataLoaded() {
+    ok(true, "Since data: URLs are same-origin, they should be loaded.");
+  }
+  function bad_correctDataBlocked() {
+    todo(false, "We should not block scripts in data: URIs!");
+  }
+  function good_correctDataCORSLoaded() {
+    ok(true, "A data: URL with a CORS load was loaded correctly.");
+  }
+  function bad_correctDataCORSBlocked() {
+    ok(false, "We should not BLOCK scripts!");
+  }
+
+  window.onload = function() {
+    SimpleTest.finish()
+  }
+</script>
+
+<!-- cors-enabled. should be loaded -->
+<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
+        crossorigin=""
+        integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>
+
+<!-- not cors-enabled. should be blocked -->
+<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"
+        crossorigin="anonymous"
+        integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="
+        onload="bad_onloadCalled()"
+        onerror="good_onerrorCalled()"></script>
+
+<!-- non-cors but not actually using SRI. should trigger onload -->
+<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
+        integrity="    "
+        onload="good_nonsriLoaded()"
+        onerror="bad_nonsriBlocked()"></script>
+
+<!-- non-cors with invalid metadata -->
+<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
+        integrity="sha256-bogus"
+        onload="bad_nonCORSInvalidLoaded()"
+        onerror="good_nonCORSInvalidBlocked()"></script>
+
+<!-- non-cors that's same-origin initially but redirected to another origin -->
+<script src="script_301.js"
+        integrity="sha384-invalid"
+        onerror="good_incorrect301Blocked()"
+        onload="bad_incorrect301Loaded()"></script>
+
+<!-- non-cors that's same-origin initially but redirected to another origin -->
+<script src="script_301.js"
+        integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
+        onerror="good_correct301Blocked()"
+        onload="bad_correct301Loaded()"></script>
+
+<!-- data: URLs are same-origin -->
+<script src="data:,console.log('data:valid');"
+        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
+        onerror="bad_correctDataBlocked()"
+        onload="good_correctDataLoaded()"></script>
+
+<!-- not cors-enabled with data: URLs. should trigger onload -->
+<script src="data:,console.log('data:valid');"
+        crossorigin="anonymous"
+        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
+        onerror="bad_correctDataCORSBlocked()"
+        onload="good_correctDataCORSLoaded()"></script>
+
+<script>
+  ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
+  ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
+  ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
+  ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
+</script>
+</body>
+</html>
diff --git a/dom/security/test/sri/iframe_script_sameorigin.html b/dom/security/test/sri/iframe_script_sameorigin.html
new file mode 100644
index 0000000000..8c1994fec4
--- /dev/null
+++ b/dom/security/test/sri/iframe_script_sameorigin.html
@@ -0,0 +1,249 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+    SimpleTest.waitForExplicitFinish();
+    window.onload = function() {
+      SimpleTest.finish();
+    }
+  </script>
+  <script>
+    function good_correctHashLoaded() {
+      ok(true, "A script was correctly loaded when integrity matched")
+    }
+    function bad_correctHashBlocked() {
+      ok(false, "We should load scripts with hashes that match!");
+    }
+
+    function good_correctHashArrayLoaded() {
+      ok(true, "A script was correctly loaded when one of the hashes in the integrity attribute matched")
+    }
+    function bad_correctHashArrayBlocked() {
+      ok(false, "We should load scripts with at least one hash that match!");
+    }
+
+    function good_emptyIntegrityLoaded() {
+      ok(true, "A script was correctly loaded when the integrity attribute was empty")
+    }
+    function bad_emptyIntegrityBlocked() {
+      ok(false, "We should load scripts with empty integrity attributes!");
+    }
+
+    function good_whitespaceIntegrityLoaded() {
+      ok(true, "A script was correctly loaded when the integrity attribute only contained whitespace")
+    }
+    function bad_whitespaceIntegrityBlocked() {
+      ok(false, "We should load scripts with integrity attributes containing only whitespace!");
+    }
+
+    function good_incorrectHashBlocked() {
+      ok(true, "A script was correctly blocked, because the hash digest was wrong");
+    }
+    function bad_incorrectHashLoaded() {
+      ok(false, "We should not load scripts with hashes that do not match the content!");
+    }
+
+    function good_incorrectHashArrayBlocked() {
+      ok(true, "A script was correctly blocked, because all the hashes were wrong");
+    }
+    function bad_incorrectHashArrayLoaded() {
+      ok(false, "We should not load scripts when none of the hashes match the content!");
+    }
+
+    function good_incorrectHashLengthBlocked() {
+      ok(true, "A script was correctly blocked, because the hash length was wrong");
+    }
+    function bad_incorrectHashLengthLoaded() {
+      ok(false, "We should not load scripts with hashes that don't have the right length!");
+    }
+
+    function bad_incorrectHashFunctionBlocked() {
+      ok(false, "We should load scripts with invalid/unsupported hash functions!");
+    }
+    function good_incorrectHashFunctionLoaded() {
+      ok(true, "A script was correctly loaded, despite the hash function being invalid/unsupported.");
+    }
+
+    function bad_missingHashFunctionBlocked() {
+      ok(false, "We should load scripts with missing hash functions!");
+    }
+    function good_missingHashFunctionLoaded() {
+      ok(true, "A script was correctly loaded, despite a missing hash function.");
+    }
+
+    function bad_missingHashValueBlocked() {
+      ok(false, "We should load scripts with missing hash digests!");
+    }
+    function good_missingHashValueLoaded() {
+      ok(true, "A script was correctly loaded, despite the missing hash digest.");
+    }
+
+    function good_401Blocked() {
+      ok(true, "A script was not loaded because of 401 response.");
+    }
+    function bad_401Loaded() {
+      ok(false, "We should nt load scripts with a 401 response!");
+    }
+
+    function good_valid302Loaded() {
+      ok(true, "A script was loaded successfully despite a 302 response.");
+    }
+    function bad_valid302Blocked() {
+      ok(false, "We should load scripts with a 302 response and the right hash!");
+    }
+
+    function good_invalid302Blocked() {
+      ok(true, "A script was blocked successfully after a 302 response.");
+    }
+    function bad_invalid302Loaded() {
+      ok(false, "We should not load scripts with a 302 response and the wrong hash!");
+    }
+
+    function good_validBlobLoaded() {
+      ok(true, "A script was loaded successfully from a blob: URL.");
+    }
+    function bad_validBlobBlocked() {
+      ok(false, "We should load scripts using blob: URLs with the right hash!");
+    }
+
+    function good_invalidBlobBlocked() {
+      ok(true, "A script was blocked successfully from a blob: URL.");
+    }
+    function bad_invalidBlobLoaded() {
+      ok(false, "We should not load scripts using blob: URLs with the wrong hash!");
+    }
+</script>
+</head>
+<body>
+  <!-- valid hash. should trigger onload -->
+  <!-- the hash value comes from running this command:
+       cat script.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
+  -->
+  <script src="script.js"
+          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="bad_correctHashBlocked()"
+          onload="good_correctHashLoaded()"></script>
+
+  <!-- valid sha512 hash. should trigger onload -->
+  <script src="script.js"
+          integrity="sha512-mzSqH+vC6qrXX46JX2WEZ0FtY/lGj/5+5yYCBlk0jfYHLm0vP6XgsURbq83mwMApsnwbDLXdgjp5J8E93GT6Mw==?ignore=this"
+          onerror="bad_correctHashBlocked()"
+          onload="good_correctHashLoaded()"></script>
+
+  <!-- one valid sha256 hash. should trigger onload -->
+  <script src="script.js"
+          integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="bad_correctHashArrayBlocked()"
+          onload="good_correctHashArrayLoaded()"></script>
+
+  <!-- empty integrity. should trigger onload -->
+  <script src="script.js"
+          integrity=""
+          onerror="bad_emptyIntegrityBlocked()"
+          onload="good_emptyIntegrityLoaded()"></script>
+
+  <!-- whitespace integrity. should trigger onload -->
+  <script src="script.js"
+          integrity="  
+	
+"
+          onerror="bad_whitespaceIntegrityBlocked()"
+          onload="good_whitespaceIntegrityLoaded()"></script>
+
+  <!-- invalid sha256 hash but valid sha384 hash. should trigger onload -->
+  <script src="script.js"
+          integrity="sha256-bogus sha384-zDCkvKOHXk8mM6Nk07oOGXGME17PA4+ydFw+hq0r9kgF6ZDYFWK3fLGPEy7FoOAo?"
+          onerror="bad_correctHashBlocked()"
+          onload="good_correctHashLoaded()"></script>
+
+  <!-- valid sha256 and invalid sha384. should trigger onerror -->
+  <script src="script.js"
+          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha384-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="good_incorrectHashLengthBlocked()"
+          onload="bad_incorrectHashLengthLoaded()"></script>
+
+  <!-- invalid hash. should trigger onerror -->
+  <script src="script.js"
+          integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="good_incorrectHashBlocked()"
+          onload="bad_incorrectHashLoaded()"></script>
+
+  <!-- invalid hashes. should trigger onerror -->
+  <script src="script.js"
+          integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-ZkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-zkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="good_incorrectHashBlocked()"
+          onload="bad_incorrectHashLoaded()"></script>
+
+  <!-- invalid hash function. should trigger onload -->
+  <script src="script.js"
+          integrity="rot13-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="bad_incorrectHashFunctionBlocked()"
+          onload="good_incorrectHashFunctionLoaded()"></script>
+
+  <!-- missing hash function. should trigger onload -->
+  <script src="script.js"
+          integrity="RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="bad_missingHashFunctionBlocked()"
+          onload="good_missingHashFunctionLoaded()"></script>
+
+  <!-- missing hash value. should trigger onload -->
+  <script src="script.js"
+          integrity="sha512-"
+          onerror="bad_missingHashValueBlocked()"
+          onload="good_missingHashValueLoaded()"></script>
+
+  <!-- 401 response. should trigger onerror -->
+  <script src="script_401.js"
+          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="good_401Blocked()"
+          onload="bad_401Loaded()"></script>
+
+  <!-- valid sha256 after a redirection. should trigger onload -->
+  <script src="script_302.js"
+          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
+          onerror="bad_valid302Blocked()"
+          onload="good_valid302Loaded()"></script>
+
+  <!-- invalid sha256 after a redirection. should trigger onerror -->
+  <script src="script_302.js"
+          integrity="sha256-JSi74NSN8WQNr9syBGmNg2APJp9PnHUO5ioZo5hmIiQ="
+          onerror="good_invalid302Blocked()"
+          onload="bad_invalid302Loaded()"></script>
+
+  <!-- valid sha256 for a blob: URL -->
+  <script>
+   var blob = new Blob(["console.log('blob:valid');"],
+                       {type:"application/javascript"});
+   var script = document.createElement('script');
+   script.setAttribute('src', URL.createObjectURL(blob));
+   script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ=');
+   script.onerror = bad_validBlobBlocked;
+   script.onload = good_validBlobLoaded;
+   var head = document.getElementsByTagName('head').item(0);
+   head.appendChild(script);
+  </script>
+
+  <!-- invalid sha256 for a blob: URL -->
+  <script>
+   var blob = new Blob(["console.log('blob:invalid');"],
+                       {type:"application/javascript"});
+   var script = document.createElement('script');
+   script.setAttribute('src', URL.createObjectURL(blob));
+   script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ=');
+   script.onerror = good_invalidBlobBlocked;
+   script.onload = bad_invalidBlobLoaded;
+   var head = document.getElementsByTagName('head').item(0);
+   head.appendChild(script);
+  </script>
+
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
diff --git a/dom/security/test/sri/iframe_style_crossdomain.html b/dom/security/test/sri/iframe_style_crossdomain.html
new file mode 100644
index 0000000000..f5eb57cbe7
--- /dev/null
+++ b/dom/security/test/sri/iframe_style_crossdomain.html
@@ -0,0 +1,117 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+    function check_styles() {
+      var redText = document.getElementById('red-text');
+      var greenText = document.getElementById('green-text');
+      var blueText = document.getElementById('blue-text');
+      var redTextColor = window.getComputedStyle(redText).getPropertyValue('color');
+      var greenTextColor = window.getComputedStyle(greenText).getPropertyValue('color');
+      var blueTextColor = window.getComputedStyle(blueText).getPropertyValue('color');
+      ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red.");
+      ok(greenTextColor == 'rgb(0, 255, 0)', "The second part should be green.");
+      ok(blueTextColor == 'rgb(0, 0, 255)', "The third part should be blue.");
+    }
+
+    SimpleTest.waitForExplicitFinish();
+    window.onload = function() {
+      check_styles();
+      SimpleTest.finish();
+    }
+  </script>
+  <script>
+    function good_correctHashCORSLoaded() {
+      ok(true, "A CORS cross-domain stylesheet with correct hash was correctly loaded.");
+    }
+    function bad_correctHashCORSBlocked() {
+      ok(false, "We should load CORS cross-domain stylesheets with hashes that match!");
+    }
+    function good_correctHashBlocked() {
+      ok(true, "A non-CORS cross-domain stylesheet with correct hash was correctly blocked.");
+    }
+    function bad_correctHashLoaded() {
+      ok(false, "We should block non-CORS cross-domain stylesheets with hashes that match!");
+    }
+
+    function good_incorrectHashBlocked() {
+      ok(true, "A non-CORS cross-domain stylesheet with incorrect hash was correctly blocked.");
+    }
+    function bad_incorrectHashLoaded() {
+      ok(false, "We should load non-CORS cross-domain stylesheets with incorrect hashes!");
+    }
+
+    function bad_correctDataBlocked() {
+      ok(false, "We should not block non-CORS cross-domain stylesheets in data: URI!");
+    }
+    function good_correctDataLoaded() {
+      ok(true, "A non-CORS cross-domain stylesheet with data: URI was correctly loaded.");
+    }
+    function bad_correctDataCORSBlocked() {
+      ok(false, "We should not block CORS stylesheets in data: URI!");
+    }
+    function good_correctDataCORSLoaded() {
+      ok(true, "A CORS stylesheet with data: URI was correctly loaded.");
+    }
+
+    function good_correctHashOpaqueBlocked() {
+      ok(true, "A non-CORS(Opaque) cross-domain stylesheet with correct hash was correctly blocked.");
+    }
+    function bad_correctHashOpaqueLoaded() {
+      ok(false, "We should not load non-CORS(Opaque) cross-domain stylesheets with correct hashes!");
+    }
+  </script>
+
+  <!-- valid CORS sha256 hash -->
+  <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css"
+        crossorigin="anonymous"
+        integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
+        onerror="bad_correctHashCORSBlocked()"
+        onload="good_correctHashCORSLoaded()">
+
+  <!-- valid non-CORS sha256 hash -->
+  <link rel="stylesheet" href="style_301.css"
+        integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
+        onerror="good_correctHashBlocked()"
+        onload="bad_correctHashLoaded()">
+
+  <!-- invalid non-CORS sha256 hash -->
+  <link rel="stylesheet" href="style_301.css?again"
+        integrity="sha256-bogus"
+        onerror="good_incorrectHashBlocked()"
+        onload="bad_incorrectHashLoaded()">
+
+  <!-- valid non-CORS sha256 hash in a data: URL -->
+  <link rel="stylesheet" href="data:text/css,.green-text{color:rgb(0, 255, 0)}"
+        integrity="sha256-EhVtGGyovvffvYdhyqJxUJ/ekam7zlxxo46iM13cwP0="
+        onerror="bad_correctDataBlocked()"
+        onload="good_correctDataLoaded()">
+
+  <!-- valid CORS sha256 hash in a data: URL -->
+  <link rel="stylesheet" href="data:text/css,.blue-text{color:rgb(0, 0, 255)}"
+        crossorigin="anonymous"
+        integrity="sha256-m0Fs2hNSyPOn1030Dp+c8pJFHNmwpeTbB+8J/DcqLss="
+        onerror="bad_correctDataCORSBlocked()"
+        onload="good_correctDataCORSLoaded()">
+
+  <!-- valid non-CORS sha256 hash -->
+  <link rel="stylesheet" href="http://example.com/tests/dom/security/test/sri/style1.css"
+        integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
+        onerror="good_correctHashOpaqueBlocked()"
+        onload="bad_correctHashOpaqueLoaded()">
+</head>
+<body>
+<p><span id="red-text">This should be red</span> but
+  <span id="green-text" class="green-text">this should be green</span> and
+  <span id="blue-text" class="blue-text">this should be blue</span></p>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
diff --git a/dom/security/test/sri/iframe_style_sameorigin.html b/dom/security/test/sri/iframe_style_sameorigin.html
new file mode 100644
index 0000000000..52ebd10d9b
--- /dev/null
+++ b/dom/security/test/sri/iframe_style_sameorigin.html
@@ -0,0 +1,164 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+    function check_styles() {
+      var redText = document.getElementById('red-text');
+      var blueText = document.getElementById('blue-text-element');
+      var blackText1 = document.getElementById('black-text');
+      var blackText2 = document.getElementById('black-text-2');
+      var redTextColor = window.getComputedStyle(redText).getPropertyValue('color');
+      var blueTextColor = window.getComputedStyle(blueText).getPropertyValue('color');
+      var blackTextColor1 = window.getComputedStyle(blackText1).getPropertyValue('color');
+      var blackTextColor2 = window.getComputedStyle(blackText2).getPropertyValue('color');
+      ok(redTextColor == 'rgb(255, 0, 0)', "The first part should be red.");
+      ok(blueTextColor == 'rgb(0, 0, 255)', "The second part should be blue.");
+      ok(blackTextColor1 == 'rgb(0, 0, 0)', "The second last part should still be black.");
+      ok(blackTextColor2 == 'rgb(0, 0, 0)', "The last part should still be black.");
+    }
+
+    SimpleTest.waitForExplicitFinish();
+    window.onload = function() {
+      check_styles();
+      SimpleTest.finish();
+    }
+  </script>
+  <script>
+    function good_correctHashLoaded() {
+      ok(true, "A stylesheet was correctly loaded when integrity matched");
+    }
+    function bad_correctHashBlocked() {
+      ok(false, "We should load stylesheets with hashes that match!");
+    }
+
+    function good_emptyIntegrityLoaded() {
+      ok(true, "A stylesheet was correctly loaded when the integrity attribute was empty");
+    }
+    function bad_emptyIntegrityBlocked() {
+      ok(false, "We should load stylesheets with empty integrity attributes!");
+    }
+
+    function good_incorrectHashBlocked() {
+      ok(true, "A stylesheet was correctly blocked, because the hash digest was wrong");
+    }
+    function bad_incorrectHashLoaded() {
+      ok(false, "We should not load stylesheets with hashes that do not match the content!");
+    }
+
+    function good_validBlobLoaded() {
+      ok(true, "A stylesheet was loaded successfully from a blob: URL with the right hash.");
+    }
+    function bad_validBlobBlocked() {
+      ok(false, "We should load stylesheets using blob: URLs with the right hash!");
+    }
+    function good_invalidBlobBlocked() {
+      ok(true, "A stylesheet was blocked successfully from a blob: URL with an invalid hash.");
+    }
+    function bad_invalidBlobLoaded() {
+      ok(false, "We should not load stylesheets using blob: URLs when they have the wrong hash!");
+    }
+
+    function good_correctUTF8HashLoaded() {
+      ok(true, "A UTF8 stylesheet was correctly loaded when integrity matched");
+    }
+    function bad_correctUTF8HashBlocked() {
+      ok(false, "We should load UTF8 stylesheets with hashes that match!");
+    }
+    function good_correctUTF8BOMHashLoaded() {
+      ok(true, "A UTF8 stylesheet (with BOM) was correctly loaded when integrity matched");
+    }
+    function bad_correctUTF8BOMHashBlocked() {
+      ok(false, "We should load UTF8 (with BOM) stylesheets with hashes that match!");
+    }
+    function good_correctUTF8ishHashLoaded() {
+      ok(true, "A UTF8ish stylesheet was correctly loaded when integrity matched");
+    }
+    function bad_correctUTF8ishHashBlocked() {
+      ok(false, "We should load UTF8ish stylesheets with hashes that match!");
+    }
+  </script>
+
+  <!-- valid sha256 hash. should trigger onload -->
+  <link rel="stylesheet" href="style1.css"
+        integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
+        onerror="bad_correctHashBlocked()"
+        onload="good_correctHashLoaded()">
+
+  <!-- empty metadata. should trigger onload -->
+  <link rel="stylesheet" href="style2.css"
+        integrity=""
+        onerror="bad_emptyIntegrityBlocked()"
+        onload="good_emptyIntegrityLoaded()">
+
+  <!-- invalid sha256 hash. should trigger onerror -->
+  <link rel="stylesheet" href="style3.css"
+        integrity="sha256-bogus"
+        onerror="good_incorrectHashBlocked()"
+        onload="bad_incorrectHashLoaded()">
+
+  <!-- valid sha384 hash of a utf8 file. should trigger onload -->
+  <link rel="stylesheet" href="style4.css"
+        integrity="sha384-13rt+j7xMDLhohLukb7AZx8lDGS3hkahp0IoeuyvxSNVPyc1QQmTDcwXGhQZjoMH"
+        onerror="bad_correctUTF8HashBlocked()"
+        onload="good_correctUTF8HashLoaded()">
+
+  <!-- valid sha384 hash of a utf8 file with a BOM. should trigger onload -->
+  <link rel="stylesheet" href="style5.css"
+        integrity="sha384-udAqVKPIHf/OD1isAYKrgzsog/3Q6lSEL2nKhtLSTmHryiae0+y6x1akeTzEF446"
+        onerror="bad_correctUTF8BOMHashBlocked()"
+        onload="good_correctUTF8BOMHashLoaded()">
+
+  <!-- valid sha384 hash of a utf8 file with the wrong charset. should trigger onload -->
+  <link rel="stylesheet" href="style6.css"
+        integrity="sha384-Xli4ROFoVGCiRgXyl7y8jv5Vm2yuqj+8tkNL3cUI7AHaCocna75JLs5xID437W6C"
+        onerror="bad_correctUTF8ishHashBlocked()"
+        onload="good_correctUTF8ishHashLoaded()">
+</head>
+<body>
+
+<!-- valid sha256 for a blob: URL -->
+<script>
+   var blob = new Blob(['.blue-text{color:blue}'],
+                       {type: 'text/css'});
+   var link = document.createElement('link');
+   link.rel = 'stylesheet';
+   link.href = window.URL.createObjectURL(blob);
+   link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM=');
+   link.onerror = bad_validBlobBlocked;
+   link.onload = good_validBlobLoaded;
+   document.body.appendChild(link);
+</script>
+
+<!-- invalid sha256 for a blob: URL -->
+<script>
+   var blob = new Blob(['.black-text{color:blue}'],
+                       {type: 'text/css'});
+   var link = document.createElement('link');
+   link.rel = 'stylesheet';
+   link.href = window.URL.createObjectURL(blob);
+   link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM=');
+   link.onerror = good_invalidBlobBlocked;
+   link.onload = bad_invalidBlobLoaded;
+   document.body.appendChild(link);
+</script>
+
+<p><span id="red-text">This should be red </span>,
+  <span id="purple-text">this should be purple</span>,
+  <span id="brown-text">this should be brown</span>,
+  <span id="orange-text">this should be orange</span>, and
+  <span class="blue-text" id="blue-text-element">this should be blue.</span>
+  However, <span id="black-text">this should stay black</span> and
+  <span class="black-text" id="black-text-2">this should also stay black.</span>
+</p>
+
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
diff --git a/dom/security/test/sri/mochitest.toml b/dom/security/test/sri/mochitest.toml
new file mode 100644
index 0000000000..e40ffa6cbc
--- /dev/null
+++ b/dom/security/test/sri/mochitest.toml
@@ -0,0 +1,56 @@
+[DEFAULT]
+support-files = [
+  "file_bug_1271796.css",
+  "iframe_script_crossdomain.html",
+  "iframe_script_sameorigin.html",
+  "iframe_style_crossdomain.html",
+  "iframe_style_sameorigin.html",
+  "script_crossdomain1.js",
+  "script_crossdomain1.js^headers^",
+  "script_crossdomain2.js",
+  "script_crossdomain3.js",
+  "script_crossdomain3.js^headers^",
+  "script_crossdomain4.js",
+  "script_crossdomain4.js^headers^",
+  "script_crossdomain5.js",
+  "script_crossdomain5.js^headers^",
+  "script.js",
+  "script.js^headers^",
+  "script_301.js",
+  "script_301.js^headers^",
+  "script_302.js",
+  "script_302.js^headers^",
+  "script_401.js",
+  "script_401.js^headers^",
+  "style1.css",
+  "style1.css^headers^",
+  "style2.css",
+  "style3.css",
+  "style4.css",
+  "style4.css^headers^",
+  "style5.css",
+  "style6.css",
+  "style6.css^headers^",
+  "style_301.css",
+  "style_301.css^headers^",
+]
+
+["test_bug_1271796.html"]
+
+["test_bug_1364262.html"]
+
+["test_script_crossdomain.html"]
+skip-if = [
+  "http3",
+  "http2",
+]
+
+["test_script_sameorigin.html"]
+
+["test_style_crossdomain.html"]
+skip-if = [
+  "http3",
+  "http2",
+]
+
+["test_style_sameorigin.html"]
diff --git a/dom/security/test/sri/script.js b/dom/security/test/sri/script.js
new file mode 100644
index 0000000000..8fd8f96b2f
--- /dev/null
+++ b/dom/security/test/sri/script.js
@@ -0,0 +1 @@
+var load=true;
diff --git a/dom/security/test/sri/script.js^headers^ b/dom/security/test/sri/script.js^headers^
new file mode 100644
index 0000000000..b77232d81d
--- /dev/null
+++ b/dom/security/test/sri/script.js^headers^
@@ -0,0 +1 @@
+Cache-control: public
diff --git a/dom/security/test/sri/script_301.js b/dom/security/test/sri/script_301.js
new file mode 100644
index 0000000000..9a95de77cf
--- /dev/null
+++ b/dom/security/test/sri/script_301.js
@@ -0,0 +1 @@
+var load=false;
diff --git a/dom/security/test/sri/script_301.js^headers^ b/dom/security/test/sri/script_301.js^headers^
new file mode 100644
index 0000000000..efbfb73346
--- /dev/null
+++ b/dom/security/test/sri/script_301.js^headers^
@@ -0,0 +1,2 @@
+HTTP 301 Moved Permanently
+Location: http://example.com/tests/dom/security/test/sri/script_crossdomain5.js
diff --git a/dom/security/test/sri/script_302.js b/dom/security/test/sri/script_302.js
new file mode 100644
index 0000000000..9a95de77cf
--- /dev/null
+++ b/dom/security/test/sri/script_302.js
@@ -0,0 +1 @@
+var load=false;
diff --git a/dom/security/test/sri/script_302.js^headers^ b/dom/security/test/sri/script_302.js^headers^
new file mode 100644
index 0000000000..05a545a6a1
--- /dev/null
+++ b/dom/security/test/sri/script_302.js^headers^
@@ -0,0 +1,2 @@
+HTTP 302 Found
+Location: /tests/dom/security/test/sri/script.js
diff --git a/dom/security/test/sri/script_401.js b/dom/security/test/sri/script_401.js
new file mode 100644
index 0000000000..8fd8f96b2f
--- /dev/null
+++ b/dom/security/test/sri/script_401.js
@@ -0,0 +1 @@
+var load=true;
diff --git a/dom/security/test/sri/script_401.js^headers^ b/dom/security/test/sri/script_401.js^headers^
new file mode 100644
index 0000000000..889fbe081a
--- /dev/null
+++ b/dom/security/test/sri/script_401.js^headers^
@@ -0,0 +1,2 @@
+HTTP 401 Authorization Required
+Cache-control: public
diff --git a/dom/security/test/sri/script_crossdomain1.js b/dom/security/test/sri/script_crossdomain1.js
new file mode 100644
index 0000000000..1f17a6db24
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain1.js
@@ -0,0 +1,4 @@
+/*
+ * this file should be loaded, because it has CORS enabled.
+*/
+window.hasCORSLoaded = true;
diff --git a/dom/security/test/sri/script_crossdomain1.js^headers^ b/dom/security/test/sri/script_crossdomain1.js^headers^
new file mode 100644
index 0000000000..3a6a85d894
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain1.js^headers^
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: http://mochi.test:8888
diff --git a/dom/security/test/sri/script_crossdomain2.js b/dom/security/test/sri/script_crossdomain2.js
new file mode 100644
index 0000000000..4b0208ab34
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain2.js
@@ -0,0 +1,5 @@
+/*
+ * this file should not be loaded, because it does not have CORS
+ * enabled.
+ */
+window.hasNonCORSLoaded = true;
diff --git a/dom/security/test/sri/script_crossdomain3.js b/dom/security/test/sri/script_crossdomain3.js
new file mode 100644
index 0000000000..eed05d59b7
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain3.js
@@ -0,0 +1 @@
+// This script intentionally left blank
diff --git a/dom/security/test/sri/script_crossdomain3.js^headers^ b/dom/security/test/sri/script_crossdomain3.js^headers^
new file mode 100644
index 0000000000..3a6a85d894
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain3.js^headers^
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: http://mochi.test:8888
diff --git a/dom/security/test/sri/script_crossdomain4.js b/dom/security/test/sri/script_crossdomain4.js
new file mode 100644
index 0000000000..eed05d59b7
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain4.js
@@ -0,0 +1 @@
+// This script intentionally left blank
diff --git a/dom/security/test/sri/script_crossdomain4.js^headers^ b/dom/security/test/sri/script_crossdomain4.js^headers^
new file mode 100644
index 0000000000..3a6a85d894
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain4.js^headers^
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: http://mochi.test:8888
diff --git a/dom/security/test/sri/script_crossdomain5.js b/dom/security/test/sri/script_crossdomain5.js
new file mode 100644
index 0000000000..eed05d59b7
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain5.js
@@ -0,0 +1 @@
+// This script intentionally left blank
diff --git a/dom/security/test/sri/script_crossdomain5.js^headers^ b/dom/security/test/sri/script_crossdomain5.js^headers^
new file mode 100644
index 0000000000..cb762eff80
--- /dev/null
+++ b/dom/security/test/sri/script_crossdomain5.js^headers^
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *
diff --git a/dom/security/test/sri/style1.css b/dom/security/test/sri/style1.css
new file mode 100644
index 0000000000..c7ab9ecffa
--- /dev/null
+++ b/dom/security/test/sri/style1.css
@@ -0,0 +1,3 @@
+#red-text {
+  color: red;
+}
diff --git a/dom/security/test/sri/style1.css^headers^ b/dom/security/test/sri/style1.css^headers^
new file mode 100644
index 0000000000..3a6a85d894
--- /dev/null
+++ b/dom/security/test/sri/style1.css^headers^
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: http://mochi.test:8888
diff --git a/dom/security/test/sri/style2.css b/dom/security/test/sri/style2.css
new file mode 100644
index 0000000000..9eece75e5b
--- /dev/null
+++ b/dom/security/test/sri/style2.css
@@ -0,0 +1 @@
+; A valid but somewhat uninteresting stylesheet
diff --git a/dom/security/test/sri/style3.css b/dom/security/test/sri/style3.css
new file mode 100644
index 0000000000..b64fa3b749
--- /dev/null
+++ b/dom/security/test/sri/style3.css
@@ -0,0 +1,3 @@
+#black-text {
+  color: green;
+}
diff --git a/dom/security/test/sri/style4.css b/dom/security/test/sri/style4.css
new file mode 100644
index 0000000000..eab83656ed
--- /dev/null
+++ b/dom/security/test/sri/style4.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#purple-text {
+  color: purple;
+}
diff --git a/dom/security/test/sri/style4.css^headers^ b/dom/security/test/sri/style4.css^headers^
new file mode 100644
index 0000000000..e13897f157
--- /dev/null
+++ b/dom/security/test/sri/style4.css^headers^
@@ -0,0 +1 @@
+Content-Type: text/css; charset=utf-8
diff --git a/dom/security/test/sri/style5.css b/dom/security/test/sri/style5.css
new file mode 100644
index 0000000000..5d59134cc6
--- /dev/null
+++ b/dom/security/test/sri/style5.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#orange-text {
+  color: orange;
+}
diff --git a/dom/security/test/sri/style6.css b/dom/security/test/sri/style6.css
new file mode 100644
index 0000000000..569557694d
--- /dev/null
+++ b/dom/security/test/sri/style6.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#brown-text {
+  color: brown;
+}
diff --git a/dom/security/test/sri/style6.css^headers^ b/dom/security/test/sri/style6.css^headers^
new file mode 100644
index 0000000000..d866aa5224
--- /dev/null
+++ b/dom/security/test/sri/style6.css^headers^
@@ -0,0 +1 @@
+Content-Type: text/css; charset=iso-8859-8
diff --git a/dom/security/test/sri/style_301.css b/dom/security/test/sri/style_301.css
new file mode 100644
index 0000000000..c7ab9ecffa
--- /dev/null
+++ b/dom/security/test/sri/style_301.css
@@ -0,0 +1,3 @@
+#red-text {
+  color: red;
+}
diff --git a/dom/security/test/sri/style_301.css^headers^ b/dom/security/test/sri/style_301.css^headers^
new file mode 100644
index 0000000000..c5b78ee04b
--- /dev/null
+++ b/dom/security/test/sri/style_301.css^headers^
@@ -0,0 +1,2 @@
+HTTP 301 Moved Permanently
+Location: http://example.com/tests/dom/security/test/sri/style1.css
diff --git a/dom/security/test/sri/test_bug_1271796.html b/dom/security/test/sri/test_bug_1271796.html
new file mode 100644
index 0000000000..9c74cc64ea
--- /dev/null
+++ b/dom/security/test/sri/test_bug_1271796.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+      SimpleTest.waitForExplicitFinish();
+
+      function good_shouldLoadEncodingProblem() {
+        ok(true, "Problematically encoded file correctly loaded.")
+      };
+      function bad_shouldntEncounterBug1271796() {
+        ok(false, "Problematically encoded should load!")
+      }
+      window.onload = function() {
+        SimpleTest.finish();
+      }
+    </script>
+   <link rel="stylesheet" href="file_bug_1271796.css" crossorigin="anonymous"
+         integrity="sha384-8Xl0mTN4S2QZ5xeliG1sd4Ar9o1xMw6JoJy9RNjyHGQDha7GiLxo8l1llwLVgTNG"
+         onload="good_shouldLoadEncodingProblem();"
+         onerror="bad_shouldntEncounterBug1271796();">
+</head>
+<body>
+<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1271796">Bug 1271796</a><br>
+<p>This text is prepended by emdash if css has loaded</p>
+</body>
+</html>
diff --git a/dom/security/test/sri/test_bug_1364262.html b/dom/security/test/sri/test_bug_1364262.html
new file mode 100644
index 0000000000..cf77c7dac1
--- /dev/null
+++ b/dom/security/test/sri/test_bug_1364262.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+      SimpleTest.waitForExplicitFinish();
+      SimpleTest.setExpected(["pass", 1]);
+
+      function good_correctlyBlockedStylesheet() {
+        ok(true, "Non-base64 hash blocked the load.")
+      };
+      function bad_shouldNotLoadStylesheet() {
+        ok(false, "Non-base64 hashes should not load!")
+      }
+      window.onload = function() {
+        SimpleTest.finish();
+      }
+
+      let link = document.createElement('link');
+      document.head.appendChild(link);
+      link.setAttribute('rel', 'stylesheet');
+      link.onerror = good_correctlyBlockedStylesheet;
+      link.onload = bad_shouldNotLoadStylesheet;
+      link.integrity = 'sha512-\uD89D\uDF05\uD89D\uDEE6';
+      link.setAttribute('href', 'data:text/css;small[contenteditable^="false"], summary { }');
+    </script>
+</head>
+<body>
+    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1364262">Bug 1364262</a>
+</body>
+</html>
diff --git a/dom/security/test/sri/test_script_crossdomain.html b/dom/security/test/sri/test_script_crossdomain.html
new file mode 100644
index 0000000000..2f9b27bfa4
--- /dev/null
+++ b/dom/security/test/sri/test_script_crossdomain.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Cross-domain script tests for Bug 992096</title>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a>
+<div>
+  <iframe src="iframe_script_crossdomain.html" height="100%" width="90%" frameborder="0"></iframe>
+</div>
+</body>
+</html>
diff --git a/dom/security/test/sri/test_script_sameorigin.html b/dom/security/test/sri/test_script_sameorigin.html
new file mode 100644
index 0000000000..d975132a2e
--- /dev/null
+++ b/dom/security/test/sri/test_script_sameorigin.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Same-origin script tests for Bug 992096</title>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a>
+<div>
+  <iframe src="iframe_script_sameorigin.html" height="100%" width="90%" frameborder="0"></iframe>
+</div>
+</body>
+</html>
diff --git a/dom/security/test/sri/test_style_crossdomain.html b/dom/security/test/sri/test_style_crossdomain.html
new file mode 100644
index 0000000000..eb4dac4cc4
--- /dev/null
+++ b/dom/security/test/sri/test_style_crossdomain.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Cross-domain stylesheet tests for Bug 1196740</title>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1196740">Mozilla Bug 1196740</a>
+<div>
+  <iframe src="iframe_style_crossdomain.html" height="100%" width="90%" frameborder="0"></iframe>
+</div>
+</body>
+</html>
diff --git a/dom/security/test/sri/test_style_sameorigin.html b/dom/security/test/sri/test_style_sameorigin.html
new file mode 100644
index 0000000000..9b85eaf71b
--- /dev/null
+++ b/dom/security/test/sri/test_style_sameorigin.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Same-origin stylesheet tests for Bug 992096</title>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=992096">Mozilla Bug 992096</a>
+<div>
+  <iframe src="iframe_style_sameorigin.html" height="100%" width="90%" frameborder="0"></iframe>
+</div>
+</body>
+</html>
-- 
cgit v1.2.3