summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/mixed-content
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/tests/mixed-content
parentInitial commit. (diff)
downloadfirefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/mixed-content')
-rw-r--r--testing/web-platform/tests/mixed-content/META.yml3
-rw-r--r--testing/web-platform/tests/mixed-content/README.md4
-rw-r--r--testing/web-platform/tests/mixed-content/blob.https.sub.html54
-rw-r--r--testing/web-platform/tests/mixed-content/csp.https.window.js41
-rw-r--r--testing/web-platform/tests/mixed-content/csp.https.window.js.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/fetch.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/websocket.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/xhr.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/fetch.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/websocket.https.html85
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/xhr.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/fetch.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/websocket.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/xhr.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/fetch.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/websocket.https.html85
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/xhr.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html42
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html52
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html122
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/audio-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/beacon.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/fetch.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/img-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-css-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-prefetch-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/object-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/picture-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag-dynamic-import.https.html33
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-classic.https.html43
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import-data.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-module.https.html43
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/video-tag.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/websocket.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-classic.https.html43
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import-data.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-module.https.html43
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation-import-data.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio-import-data.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout-import-data.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint-import-data.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/xhr.https.html53
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/audio-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/beacon.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/fetch.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/img-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-css-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-prefetch-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/object-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/picture-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag-dynamic-import.https.html42
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-classic.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import-data.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-module.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/video-tag.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/websocket.https.html52
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-classic.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import-data.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-module.https.html62
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation-import-data.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio-import-data.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout-import-data.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint-import-data.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/top.meta/unset/xhr.https.html102
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/fetch.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/websocket.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/xhr.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/fetch.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/websocket.https.html85
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-classic.https.html106
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-module.https.html106
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/xhr.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html82
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html82
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html172
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/fetch.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/websocket.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/xhr.https.html68
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/fetch.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/websocket.https.html85
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-classic.https.html106
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-module.https.html106
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/xhr.https.html232
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html67
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html82
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html82
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html142
-rw-r--r--testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html.headers1
-rw-r--r--testing/web-platform/tests/mixed-content/generic/sanity-checker.js53
-rw-r--r--testing/web-platform/tests/mixed-content/generic/test-case.sub.js61
-rw-r--r--testing/web-platform/tests/mixed-content/imageset.https.sub.html31
-rw-r--r--testing/web-platform/tests/mixed-content/nested-iframes.window.js25
-rw-r--r--testing/web-platform/tests/mixed-content/resources/blob-popup.html10
-rw-r--r--testing/web-platform/tests/mixed-content/resources/middle-frame.html39
-rw-r--r--testing/web-platform/tests/mixed-content/spec.src.json437
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub.html40
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub.html43
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub.html84
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html41
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/resources/pass.pngbin0 -> 1689 bytes
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/resources/test.ogvbin0 -> 2344665 bytes
-rw-r--r--testing/web-platform/tests/mixed-content/tentative/resources/test.wavbin0 -> 353022 bytes
231 files changed, 16553 insertions, 0 deletions
diff --git a/testing/web-platform/tests/mixed-content/META.yml b/testing/web-platform/tests/mixed-content/META.yml
new file mode 100644
index 0000000000..a2889eb6c7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/META.yml
@@ -0,0 +1,3 @@
+spec: https://w3c.github.io/webappsec-mixed-content/
+suggested_reviewers:
+ - andypaicu
diff --git a/testing/web-platform/tests/mixed-content/README.md b/testing/web-platform/tests/mixed-content/README.md
new file mode 100644
index 0000000000..488432d41e
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/README.md
@@ -0,0 +1,4 @@
+# Mixed Content Test Suite
+
+The subdirectory `gen/` is generated using the generator at `common/security-features`.
+See [common/security-features/README.md](../common/security-features/README.md) for how to generate tests.
diff --git a/testing/web-platform/tests/mixed-content/blob.https.sub.html b/testing/web-platform/tests/mixed-content/blob.https.sub.html
new file mode 100644
index 0000000000..4e4bba6e0c
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/blob.https.sub.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Mixed-Content: blob tests</title>
+ <meta charset="utf-8">
+ <meta name="description" content="Test a request to a blob: URL is mixed content if the blob's origin is not potentially trustworthy.">
+ <meta name="help" href="https://w3c.github.io/webappsec-mixed-content/#should-block-fetch">
+ <meta name="help" href="https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script>
+ async function try_fetch_request(url) {
+ try {
+ const response = await fetch(url);
+ return response.ok;
+ } catch(e) {
+ return false;
+ }
+ }
+
+ function try_script_load(url) {
+ return new Promise(resolve => {
+ let script = document.createElement("script");
+ script.onload = () => resolve(true);
+ script.onerror = () => resolve(false);
+ script.src = url;
+ document.body.appendChild(script);
+ });
+ }
+
+ const popup_http = "http://{{domains[]}}:{{ports[http][0]}}/mixed-content/resources/blob-popup.html";
+ const popup_https = "https://{{domains[]}}:{{ports[https][0]}}/mixed-content/resources/blob-popup.html";
+ [popup_https, popup_http].forEach(popup_url => {
+ promise_test(t => {
+ return new Promise(resolve => {
+ window.addEventListener("message", resolve, {once: true});
+ window.open(popup_url);
+ }).then(async function(event) {
+ let data = event.data;
+ assert_equals(await try_fetch_request(data.js_blob_url),
+ data.potentially_trustworthy,
+ "Fetch request");
+ assert_equals(await try_script_load(data.js_blob_url),
+ data.potentially_trustworthy,
+ "Script load");
+ event.source.close();
+ });
+ });
+ });
+ </script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/csp.https.window.js b/testing/web-platform/tests/mixed-content/csp.https.window.js
new file mode 100644
index 0000000000..5428fb4791
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/csp.https.window.js
@@ -0,0 +1,41 @@
+// META: script=/common/dispatcher/dispatcher.js
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+
+promise_test((t) => {
+ const url = `${get_host_info().HTTP_ORIGIN}/common/text-plain.txt`;
+ const promise = fetch(url, { mode: "no-cors" });
+ return promise_rejects_js(t, TypeError, promise, "mixed content fetch");
+}, "Mixed content checks apply to fetches in sandboxed documents");
+
+promise_test(async (t) => {
+ const uuid = token();
+ const context = new RemoteContext(uuid);
+
+ const iframe = document.body.appendChild(document.createElement("iframe"));
+ iframe.src = remoteExecutorUrl(uuid, { protocol: "http:" });
+
+ const result = await Promise.race([
+ context.execute_script(() => "loaded"),
+ new Promise((resolve) => t.step_timeout(() => {
+ resolve("timed out");
+ }, 1000 /* ms */)),
+ ]);
+ assert_equals(result, "timed out");
+}, "Mixed content checks apply to iframes in sandboxed documents");
+
+
+promise_test(async (t) => {
+ const uuid = token();
+
+ const popup = window.open(remoteExecutorUrl(uuid, { protocol: "http:" }));
+
+ const context = new RemoteContext(uuid);
+ const result = await Promise.race([
+ context.execute_script(() => "loaded"),
+ new Promise((resolve) => t.step_timeout(() => {
+ resolve("timed out");
+ }, 1000 /* ms */)),
+ ]);
+ assert_equals(result, "timed out");
+}, "Mixed content checks apply to popups in sandboxed documents");
diff --git a/testing/web-platform/tests/mixed-content/csp.https.window.js.headers b/testing/web-platform/tests/mixed-content/csp.https.window.js.headers
new file mode 100644
index 0000000000..6b6605899c
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/csp.https.window.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts allow-popups;
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..040c611834
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..3103c00962
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..d5c5d86fec
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.http-rp/opt-in/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/fetch.https.html
new file mode 100644
index 0000000000..e9953505ea
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/fetch.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/websocket.https.html
new file mode 100644
index 0000000000..cf0d0afaf0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/websocket.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/xhr.https.html
new file mode 100644
index 0000000000..930816e391
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/opt-in/xhr.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/fetch.https.html
new file mode 100644
index 0000000000..7c3009e4b9
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/websocket.https.html
new file mode 100644
index 0000000000..3103c00962
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/xhr.https.html
new file mode 100644
index 0000000000..d67d3dfbc1
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic-data.meta/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..31550a1378
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..e259b1dcce
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..d14a58c118
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html
new file mode 100644
index 0000000000..41a7a328d7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html
new file mode 100644
index 0000000000..825f9b105c
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html
new file mode 100644
index 0000000000..f2590c6ecd
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-classic.http-rp/unset/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..928365fd34
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..d04a361ee8
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..6c5090f2c4
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.http-rp/opt-in/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/fetch.https.html
new file mode 100644
index 0000000000..037f931626
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/fetch.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/websocket.https.html
new file mode 100644
index 0000000000..2fbfc48915
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/websocket.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/xhr.https.html
new file mode 100644
index 0000000000..853bc1270b
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/opt-in/xhr.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/fetch.https.html
new file mode 100644
index 0000000000..14c3103fe5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/websocket.https.html
new file mode 100644
index 0000000000..d04a361ee8
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/xhr.https.html
new file mode 100644
index 0000000000..68e2a490cc
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module-data.meta/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..2a13933ff9
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..3486ab3889
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..bd9395bdbb
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html
new file mode 100644
index 0000000000..8f31ab2d19
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html
new file mode 100644
index 0000000000..5eb627c7cf
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html
new file mode 100644
index 0000000000..2ebeed08a0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "sharedworker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/sharedworker-module.http-rp/unset/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html
new file mode 100644
index 0000000000..599f8eb9b5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/audio-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html
new file mode 100644
index 0000000000..b09f6332dd
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for beacon to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for beacon to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/beacon.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..508a9d2bd7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html
new file mode 100644
index 0000000000..eda0043651
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/img-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html
new file mode 100644
index 0000000000..237ec0ca78
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-css-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-css-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-css-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html
new file mode 100644
index 0000000000..0efd1429a7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-prefetch-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-prefetch-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/link-prefetch-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html
new file mode 100644
index 0000000000..6bc8f75f65
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for object-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for object-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/object-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html
new file mode 100644
index 0000000000..088c6c410a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for picture-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for picture-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/picture-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html
new file mode 100644
index 0000000000..0ce2794c56
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag-dynamic-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag-dynamic-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html
new file mode 100644
index 0000000000..d806e9c0bc
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/script-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html
new file mode 100644
index 0000000000..896c0297d5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..2784b2bf13
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html
new file mode 100644
index 0000000000..0644d1f03e
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html
new file mode 100644
index 0000000000..1a371ce028
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/sharedworker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html
new file mode 100644
index 0000000000..ff176ab6d1
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/video-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..49b80c448f
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html
new file mode 100644
index 0000000000..2717be37cc
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html
new file mode 100644
index 0000000000..a44eee0468
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html
new file mode 100644
index 0000000000..5499322818
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html
new file mode 100644
index 0000000000..6cf33d54f5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..165cbf6d14
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html
new file mode 100644
index 0000000000..67926809f2
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-animation.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..72ebea2ff2
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html
new file mode 100644
index 0000000000..3c31d0d998
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-audio.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..ae84f3d1ef
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html
new file mode 100644
index 0000000000..8a39e2d9d3
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-layout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..918051440e
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html
new file mode 100644
index 0000000000..c270a2b70a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/worklet-paint.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..22f4aa06b5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.http-rp/opt-in/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/audio-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/audio-tag.https.html
new file mode 100644
index 0000000000..9734cef5c5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/audio-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for audio-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/beacon.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/beacon.https.html
new file mode 100644
index 0000000000..87442befd3
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/beacon.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for beacon to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/fetch.https.html
new file mode 100644
index 0000000000..45378cae4a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/fetch.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/img-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/img-tag.https.html
new file mode 100644
index 0000000000..8c2486d9a7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/img-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for img-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-css-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-css-tag.https.html
new file mode 100644
index 0000000000..2014c10e23
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-css-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-css-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-prefetch-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-prefetch-tag.https.html
new file mode 100644
index 0000000000..456139afda
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/link-prefetch-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-prefetch-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/object-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/object-tag.https.html
new file mode 100644
index 0000000000..209927d53f
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/object-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for object-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/picture-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/picture-tag.https.html
new file mode 100644
index 0000000000..d28777b8cb
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/picture-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for picture-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag-dynamic-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag-dynamic-import.https.html
new file mode 100644
index 0000000000..b2794bd20a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag-dynamic-import.https.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag-dynamic-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag.https.html
new file mode 100644
index 0000000000..55e2dadb06
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/script-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-classic.https.html
new file mode 100644
index 0000000000..02c50e3bcb
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..d906686d92
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import-data.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import.https.html
new file mode 100644
index 0000000000..3b156c6409
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-import.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-module.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-module.https.html
new file mode 100644
index 0000000000..2ebb231931
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/sharedworker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/video-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/video-tag.https.html
new file mode 100644
index 0000000000..6b40dfc2e6
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/video-tag.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for video-tag to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/websocket.https.html
new file mode 100644
index 0000000000..b54656dbe7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/websocket.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-classic.https.html
new file mode 100644
index 0000000000..ca7667ceef
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import-data.https.html
new file mode 100644
index 0000000000..2ff9aa7cf2
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import-data.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import.https.html
new file mode 100644
index 0000000000..50db49acc8
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-import.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-module.https.html
new file mode 100644
index 0000000000..2f1c240cae
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..0ebc71607f
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation-import-data.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation.https.html
new file mode 100644
index 0000000000..b3b070b60b
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-animation.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..383e08f0d9
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio-import-data.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio.https.html
new file mode 100644
index 0000000000..c4caffa7c5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-audio.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..b90abff512
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout-import-data.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout.https.html
new file mode 100644
index 0000000000..08f5bcc66e
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-layout.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..04176e561d
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint-import-data.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint.https.html
new file mode 100644
index 0000000000..8c58fc638f
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/worklet-paint.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/xhr.https.html
new file mode 100644
index 0000000000..22cbcd7ed0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/opt-in/xhr.https.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/audio-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/audio-tag.https.html
new file mode 100644
index 0000000000..75c9b75355
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/audio-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "audio-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for audio-tag to same-https origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/beacon.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/beacon.https.html
new file mode 100644
index 0000000000..ae29a64f41
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/beacon.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for beacon to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for beacon to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "beacon",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for beacon to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/fetch.https.html
new file mode 100644
index 0000000000..1250aec2a8
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/fetch.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/img-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/img-tag.https.html
new file mode 100644
index 0000000000..c02bf8b69c
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/img-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "img-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for img-tag to same-https origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-css-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-css-tag.https.html
new file mode 100644
index 0000000000..559e0223c0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-css-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-css-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-css-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-css-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-css-tag to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-prefetch-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-prefetch-tag.https.html
new file mode 100644
index 0000000000..5a0364121e
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/link-prefetch-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-prefetch-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for link-prefetch-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "link-prefetch-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for link-prefetch-tag to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/object-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/object-tag.https.html
new file mode 100644
index 0000000000..e22e783950
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/object-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for object-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for object-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "object-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for object-tag to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/picture-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/picture-tag.https.html
new file mode 100644
index 0000000000..432ab7eaa3
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/picture-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for picture-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for picture-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "picture-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for picture-tag to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag-dynamic-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag-dynamic-import.https.html
new file mode 100644
index 0000000000..0ce2794c56
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag-dynamic-import.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag-dynamic-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag-dynamic-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag.https.html
new file mode 100644
index 0000000000..3cd5eb3a34
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/script-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "script-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for script-tag to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-classic.https.html
new file mode 100644
index 0000000000..896c0297d5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-classic.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..afc248529b
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import-data.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import-data to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import.https.html
new file mode 100644
index 0000000000..71679b658a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-import.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-import to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-module.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-module.https.html
new file mode 100644
index 0000000000..1a371ce028
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/sharedworker-module.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "sharedworker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for sharedworker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/video-tag.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/video-tag.https.html
new file mode 100644
index 0000000000..56c9a4cf5a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/video-tag.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "video-tag",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for video-tag to same-https origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/websocket.https.html
new file mode 100644
index 0000000000..49b80c448f
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/websocket.https.html
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-classic.https.html
new file mode 100644
index 0000000000..2717be37cc
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-classic.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import-data.https.html
new file mode 100644
index 0000000000..ae559b90e9
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import-data.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import-data to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import.https.html
new file mode 100644
index 0000000000..208ae14bfa
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-import.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-import",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-import to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-module.https.html
new file mode 100644
index 0000000000..6cf33d54f5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worker-module.https.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..77fdf272d1
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation-import-data.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation-import-data to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation.https.html
new file mode 100644
index 0000000000..64d00ddd5b
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-animation.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-animation",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-animation to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..faa0c457fa
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio-import-data.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio-import-data to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio.https.html
new file mode 100644
index 0000000000..7151f534de
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-audio.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-audio",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-audio to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..da7c9a797e
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout-import-data.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout-import-data to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout.https.html
new file mode 100644
index 0000000000..f2335d35ae
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-layout.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-layout",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-layout to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint-import-data.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..5c1970599d
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint-import-data.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint-import-data to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint-import-data",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint-import-data to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint.https.html
new file mode 100644
index 0000000000..77cf29176c
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/worklet-paint.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "worklet-paint",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worklet-paint to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/top.meta/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/xhr.https.html
new file mode 100644
index 0000000000..0f164b4077
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/top.meta/unset/xhr.https.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..d2b13b2734
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..01263c9ee6
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..71ee538072
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/fetch.https.html
new file mode 100644
index 0000000000..e8693e4fef
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/fetch.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/websocket.https.html
new file mode 100644
index 0000000000..af1d836250
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/websocket.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/xhr.https.html
new file mode 100644
index 0000000000..e8a86f79e7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/opt-in/xhr.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/fetch.https.html
new file mode 100644
index 0000000000..da5a674c54
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/websocket.https.html
new file mode 100644
index 0000000000..01263c9ee6
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/xhr.https.html
new file mode 100644
index 0000000000..431e05aa50
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic-data.meta/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..f24dc7a2ac
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..4357a44457
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-classic.https.html
new file mode 100644
index 0000000000..5dde9baae5
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-classic.https.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-module.https.html
new file mode 100644
index 0000000000..6672e464a3
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/worker-module.https.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..ac5f5d5dbf
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html
new file mode 100644
index 0000000000..87e7771606
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html
new file mode 100644
index 0000000000..ebfb71e2f8
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html
new file mode 100644
index 0000000000..e5f825d577
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html
new file mode 100644
index 0000000000..f10998e3f0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html
new file mode 100644
index 0000000000..39216ef098
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-classic"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-classic.http-rp/unset/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..90cfde3618
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..a202f1af21
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..1e26f150a6
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.http-rp/opt-in/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/fetch.https.html
new file mode 100644
index 0000000000..8ed388b1e7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/fetch.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/websocket.https.html
new file mode 100644
index 0000000000..ba6c014439
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/websocket.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/xhr.https.html
new file mode 100644
index 0000000000..808e6b6f5a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/opt-in/xhr.https.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/fetch.https.html
new file mode 100644
index 0000000000..1a04af8678
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/websocket.https.html
new file mode 100644
index 0000000000..a202f1af21
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/xhr.https.html
new file mode 100644
index 0000000000..da80502084
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module-data.meta/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module-data"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/fetch.https.html
new file mode 100644
index 0000000000..0328c5ec55
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/fetch.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/websocket.https.html
new file mode 100644
index 0000000000..0e7c357ae2
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/websocket.https.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-classic.https.html
new file mode 100644
index 0000000000..e8eba008f9
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-classic.https.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-module.https.html
new file mode 100644
index 0000000000..f4348836ad
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/worker-module.https.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/xhr.https.html
new file mode 100644
index 0000000000..9ede710e54
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/opt-in/xhr.https.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-https",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [
+ {
+ "deliveryType": "http-rp",
+ "key": "mixedContent",
+ "value": "opt-in"
+ }
+ ],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html
new file mode 100644
index 0000000000..f2f3dafcfb
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "fetch",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html
new file mode 100644
index 0000000000..220c21c411
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-wss",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to cross-ws origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-ws",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "websocket",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for websocket to same-ws origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html
new file mode 100644
index 0000000000..9619ce4cd7
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-classic",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html
new file mode 100644
index 0000000000..d6e28445e0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "worker-module",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html
new file mode 100644
index 0000000000..176f5aecd4
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec mixed-content/` -->
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="timeout" content="long">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/security-features/resources/common.sub.js"></script>
+ <script src="../../../generic/test-case.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ TestCase(
+ [
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "allowed",
+ "origin": "same-https",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "cross-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "keep-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "no-redirect",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context."
+ },
+ {
+ "expectation": "blocked",
+ "origin": "same-http",
+ "redirection": "swap-scheme",
+ "source_context_list": [
+ {
+ "policyDeliveries": [],
+ "sourceContextType": "worker-module"
+ }
+ ],
+ "source_scheme": "https",
+ "subresource": "xhr",
+ "subresource_policy_deliveries": [],
+ "test_description": "Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context."
+ }
+ ],
+ new SanityChecker()
+ ).start();
+ </script>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html.headers b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html.headers
new file mode 100644
index 0000000000..46e2255e38
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: block-all-mixed-content
diff --git a/testing/web-platform/tests/mixed-content/generic/sanity-checker.js b/testing/web-platform/tests/mixed-content/generic/sanity-checker.js
new file mode 100644
index 0000000000..55a103adf0
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/generic/sanity-checker.js
@@ -0,0 +1,53 @@
+// The SanityChecker is used in debug mode to identify problems with the
+// structure of the testsuite and to force early test failures.
+// In release mode it is mocked out to do nothing.
+function SanityChecker() {}
+
+SanityChecker.prototype.checkScenario = function(scenario, resourceInvoker) {
+ // Check if scenario is valid.
+ test(function() {
+ var expectedFields = SPEC_JSON["test_expansion_schema"];
+
+ for (var field in expectedFields) {
+ if (field == "expansion")
+ continue
+
+ assert_own_property(scenario, field,
+ "The scenario should contain field '" + field + "'.")
+
+ var expectedFieldList = expectedFields[field];
+ if (!expectedFieldList.hasOwnProperty('length')) {
+ var expectedFieldList = [];
+ for (var key in expectedFields[field]) {
+ expectedFieldList = expectedFieldList.concat(expectedFields[field][key])
+ }
+ }
+ assert_in_array(scenario[field], expectedFieldList,
+ "Scenario's " + field + " is one of: " +
+ expectedFieldList.join(", ")) + "."
+ }
+
+ // Check if the protocol is matched.
+ assert_equals(scenario["source_scheme"] + ":", location.protocol,
+ "Protocol of the test page should match the scenario.")
+
+ assert_own_property(resourceInvoker, scenario.subresource,
+ "Subresource should be supported");
+
+ }, "[MixedContentTestCase] The test scenario should be valid.");
+}
+
+// For easier debugging runs, we can fail a test earlier.
+SanityChecker.prototype.setFailTimeout = function(test, timeout) {
+ // Due to missing implementations, tests time out, so we fail them early.
+ // TODO(kristijanburnik): Once WPT rolled in:
+ // https://github.com/w3c/testharness.js/pull/127
+ // Refactor to make use of step_timeout.
+ setTimeout(function() {
+ test.step(function() {
+ assert_equals(test.phase, test.phases.COMPLETE,
+ "Expected test to complete.");
+ test.done();
+ })
+ }, timeout || 1000);
+}
diff --git a/testing/web-platform/tests/mixed-content/generic/test-case.sub.js b/testing/web-platform/tests/mixed-content/generic/test-case.sub.js
new file mode 100644
index 0000000000..bfb02a0e61
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/generic/test-case.sub.js
@@ -0,0 +1,61 @@
+/**
+ * @fileoverview Test case for mixed-content in web-platform-tests.
+ * @author burnik@google.com (Kristijan Burnik)
+ */
+
+/**
+ * MixedContentTestCase exercises all the tests for checking browser behavior
+ * when resources regarded as mixed-content are requested. A single run covers
+ * only a single scenario.
+ * @param {object} scenario A JSON describing the test arrangement and
+ * expectation(s). Refer to /mixed-content/spec.src.json for details.
+ * @param {string} description The test scenario verbose description.
+ * @param {SanityChecker} sanityChecker Instance of an object used to check the
+ * running scenario. Useful in debug mode. See ./sanity-checker.js.
+ * Run {@code ./tools/generate.py -h} for info on test generating modes.
+ * @return {object} Object wrapping the start method used to run the test.
+ */
+function TestCase(scenarios, sanityChecker) {
+ function runTest(scenario) {
+ sanityChecker.checkScenario(scenario, subresourceMap);
+
+ const urls = getRequestURLs(scenario.subresource,
+ scenario.origin,
+ scenario.redirection);
+ const checkResult = _ => {
+ // Send request to check if the key has been torn down.
+ return xhrRequest(urls.assertUrl)
+ .then(assertResult => {
+ // Now check if the value has been torn down. If it's still there,
+ // we have blocked the request to mixed-content.
+ assert_equals(assertResult.status, scenario.expectation,
+ "The resource request should be '" + scenario.expectation + "'.");
+ });
+ };
+
+ /** @type {Subresource} */
+ const subresource = {
+ subresourceType: scenario.subresource,
+ url: urls.testUrl,
+ policyDeliveries: scenario.subresource_policy_deliveries,
+ };
+
+ promise_test(() => {
+ return xhrRequest(urls.announceUrl)
+ // Send out the real resource request.
+ // This should tear down the key if it's not blocked.
+ .then(_ => invokeRequest(subresource, scenario.source_context_list))
+ // We check the key state, regardless of whether the main request
+ // succeeded or failed.
+ .then(checkResult, checkResult);
+ }, scenario.test_description);
+ } // runTest
+
+ function runTests() {
+ for (const scenario of scenarios) {
+ runTest(scenario);
+ }
+ }
+
+ return {start: runTests};
+}
diff --git a/testing/web-platform/tests/mixed-content/imageset.https.sub.html b/testing/web-platform/tests/mixed-content/imageset.https.sub.html
new file mode 100644
index 0000000000..1f3d0471fb
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/imageset.https.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Mixed-Content: imageset tests</title>
+ <meta charset='utf-8'>
+ <meta name="description" content="Test behavior of imageset resources, making sure that resources are not downloaded.">
+ <link rel="author" title="Yoav Weiss" href="yoav@yoav.ws">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/preload/resources/preload_helper.js"></script>
+ <script>
+ var t = async_test('Makes sure imageset blockable resources are not downloaded');
+ </script>
+ </head>
+ <body>
+ <img src="http://{{domains[]}}:{{ports[http][0]}}/images/smiley.png?img_src">
+ <picture>
+ <source srcset="http://{{domains[]}}:{{ports[http][0]}}/images/smiley.png?picture">
+ <img>
+ </picture>
+ <img srcset="http://{{domains[]}}:{{ports[http][0]}}/images/smiley.png?img_srcset">
+ <script>
+ window.addEventListener("load", t.step_func(function() {
+ verifyNumberOfResourceTimingEntries("http://{{domains[]}}:{{ports[http][0]}}/images/smiley.png?img_src", 1);
+ verifyNumberOfResourceTimingEntries("http://{{domains[]}}:{{ports[http][0]}}/images/smiley.png?picture", 0);
+ verifyNumberOfResourceTimingEntries("http://{{domains[]}}:{{ports[http][0]}}/images/smiley.png?img_srcset", 0);
+ t.done();
+ }));
+ </script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/nested-iframes.window.js b/testing/web-platform/tests/mixed-content/nested-iframes.window.js
new file mode 100644
index 0000000000..daa0110471
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/nested-iframes.window.js
@@ -0,0 +1,25 @@
+// META: script=/common/get-host-info.sub.js
+
+const t1 = async_test("HTTP fetch");
+const t2 = async_test("HTTPS fetch");
+
+onmessage = function(e) {
+ const {protocol, success} = e.data;
+ if (protocol == "http:") {
+ t1.step(() => assert_false(success, "success"));
+ t1.done();
+ } else if (protocol == "https:") {
+ t2.step(() => assert_true(success, "success"));
+ t2.done();
+ } else {
+ [t1, t2].forEach(t => {
+ t.step(() => assert_unreached("Unknown message"));
+ t.done();
+ });
+ }
+};
+
+const httpsFrame = document.createElement("iframe");
+httpsFrame.src = get_host_info().HTTPS_ORIGIN + "/mixed-content/resources/middle-frame.html";
+
+document.body.appendChild(httpsFrame);
diff --git a/testing/web-platform/tests/mixed-content/resources/blob-popup.html b/testing/web-platform/tests/mixed-content/resources/blob-popup.html
new file mode 100644
index 0000000000..bc3c97ef8d
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/resources/blob-popup.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script>
+ opener.postMessage({
+ potentially_trustworthy: location.protocol === "https:",
+ js_blob_url: URL.createObjectURL(
+ new Blob([`const message = "Hello World!"`],
+ {type: 'application/javascript'})),
+ }, "*");
+</script>
diff --git a/testing/web-platform/tests/mixed-content/resources/middle-frame.html b/testing/web-platform/tests/mixed-content/resources/middle-frame.html
new file mode 100644
index 0000000000..58d14d61ef
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/resources/middle-frame.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src="/common/get-host-info.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ onmessage = e => parent.postMessage(e.data, "*");
+
+ const path = "/fetch/api/resources/cors-top.txt";
+ const http_url = get_host_info().HTTP_ORIGIN + path;
+ const https_url = get_host_info().HTTPS_ORIGIN + path;
+
+ const ifr = document.createElement("iframe");
+ ifr.src = `data:text/html,
+ <!DOCTYPE html>
+ <script>
+ async function try_fetch(url) {
+ try {
+ const response = await fetch(url);
+ return response.ok;
+ } catch(e) {
+ return false;
+ }
+ }
+ async function try_fetch_and_report(url) {
+ parent.postMessage({
+ protocol: new URL(url).protocol,
+ success: await try_fetch(url),
+ }, "*");
+ }
+ try_fetch_and_report("${http_url}");
+ try_fetch_and_report("${https_url}");
+ <\/script>
+ `;
+ document.body.appendChild(ifr);
+ </script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/spec.src.json b/testing/web-platform/tests/mixed-content/spec.src.json
new file mode 100644
index 0000000000..1eb6f44540
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/spec.src.json
@@ -0,0 +1,437 @@
+{
+ "test_description_template": "Mixed-Content: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.",
+ "test_page_title_template": "Mixed-Content: %(title)s",
+ "specification": [
+ {
+ // optionally-blockable
+ "title": "Optionally-blockable content",
+ "description": "Test behavior of optionally-blockable content",
+ "specification_url": "http://www.w3.org/TR/mixed-content/#category-optionally-blockable",
+ "test_expansion": [
+ {
+ // opt-in-blocks
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "opt-in",
+ "redirection": "*",
+ "subresource": [
+ "audio-tag",
+ "img-tag",
+ "video-tag"
+ ],
+ "origin": [
+ "cross-http",
+ "same-http"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // opt-in-blocks-redirects
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "opt-in",
+ "redirection": "swap-scheme",
+ "subresource": [
+ "audio-tag",
+ "img-tag",
+ "video-tag"
+ ],
+ "origin": [
+ "same-https",
+ "cross-https"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // no-opt-in-allows
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": null,
+ "redirection": "*",
+ "subresource": [
+ "audio-tag",
+ "img-tag",
+ "video-tag"
+ ],
+ "origin": [
+ "cross-http",
+ "same-http"
+ ],
+ "expectation": "allowed"
+ }
+ ]
+ },
+ {
+ // blockable
+ "title": "Blockable content",
+ "description": "Test behavior of blockable content.",
+ "specification_url": "http://www.w3.org/TR/mixed-content/#category-blockable",
+ "test_expansion": [
+ {
+ // opt-in-blocks
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "opt-in",
+ "redirection": "*",
+ "subresource": [
+ "a-tag",
+ "beacon",
+ "fetch",
+ "link-css-tag",
+ "link-prefetch-tag",
+ "object-tag",
+ "picture-tag",
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-import-data",
+ "sharedworker-module",
+ "websocket",
+ "worker-classic",
+ "worker-import",
+ "worker-import-data",
+ "worker-module",
+ "worklet-animation",
+ "worklet-animation-import-data",
+ "worklet-audio",
+ "worklet-audio-import-data",
+ "worklet-layout",
+ "worklet-layout-import-data",
+ "worklet-paint",
+ "worklet-paint-import-data",
+ "xhr"
+ ],
+ "origin": [
+ "cross-http",
+ "same-http"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // opt-in-blocks-redirects
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "opt-in",
+ "redirection": "swap-scheme",
+ "subresource": [
+ "a-tag",
+ "beacon",
+ "fetch",
+ "link-css-tag",
+ "link-prefetch-tag",
+ "object-tag",
+ "picture-tag",
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-import-data",
+ "sharedworker-module",
+ "websocket",
+ "worker-classic",
+ "worker-import",
+ "worker-import-data",
+ "worker-module",
+ "worklet-animation",
+ "worklet-animation-import-data",
+ "worklet-audio",
+ "worklet-audio-import-data",
+ "worklet-layout",
+ "worklet-layout-import-data",
+ "worklet-paint",
+ "worklet-paint-import-data",
+ "xhr"
+ ],
+ "origin": [
+ "same-https",
+ "cross-https"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // no-opt-in-blocks
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": null,
+ "redirection": "*",
+ "subresource": [
+ "a-tag",
+ "beacon",
+ "fetch",
+ "link-css-tag",
+ "link-prefetch-tag",
+ "object-tag",
+ "picture-tag",
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-import-data",
+ "sharedworker-module",
+ "websocket",
+ "worker-classic",
+ "worker-import",
+ "worker-import-data",
+ "worker-module",
+ "worklet-animation",
+ "worklet-animation-import-data",
+ "worklet-audio",
+ "worklet-audio-import-data",
+ "worklet-layout",
+ "worklet-layout-import-data",
+ "worklet-paint",
+ "worklet-paint-import-data",
+ "xhr"
+ ],
+ "origin": [
+ "cross-http",
+ "same-http"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // ws-downgrade-blocks
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "subresource": "websocket",
+ "origin": [
+ "cross-ws",
+ "same-ws"
+ ],
+ "expectation": "blocked"
+ }
+ ]
+ },
+ {
+ // allowed
+ "title": "Allowed content",
+ "description": "Test behavior of allowed content.",
+ "specification_url": "http://www.w3.org/TR/mixed-content/",
+ "test_expansion": [
+ {
+ // allowed
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": [
+ "no-redirect",
+ "keep-scheme"
+ ],
+ "subresource": "*",
+ "origin": [
+ "same-https"
+ ],
+ "expectation": "allowed"
+ },
+ {
+ // websocket-allowed
+ "expansion": "default",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": [
+ "no-redirect",
+ "keep-scheme"
+ ],
+ "subresource": "websocket",
+ "origin": [
+ "same-wss"
+ ],
+ "expectation": "allowed"
+ }
+ ]
+ }
+ ],
+ "delivery_key": "mixedContent",
+ "excluded_tests": [
+ {
+ // Skip-redundant-no-opt-in
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": [
+ // In certain source_context_lists (workers),
+ // this is not redundant because <meta> is not supported.
+ "top",
+ "srcdoc-inherit",
+ "iframe",
+ "iframe-blank-inherit",
+ "worker-classic-data",
+ "worker-module-data",
+ "sharedworker-classic-data",
+ "sharedworker-module-data"
+ ],
+ "delivery_type": "http-rp",
+ "delivery_value": null,
+ "redirection": "*",
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // Skip-redundant-for-opt-in-method
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "meta",
+ "delivery_value": "opt-in",
+ "redirection": [
+ "keep-scheme",
+ "swap-scheme"
+ ],
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // source_context_list values not yet tested
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": [
+ "req",
+ "srcdoc-inherit",
+ "srcdoc",
+ "iframe",
+ "iframe-blank-inherit"
+ ],
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // subresource values not yet tested
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "subresource": [
+ "a-tag",
+ "area-tag",
+ "iframe-tag",
+ ],
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // redirections that mixed-content tests don't care
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": [
+ "keep-origin",
+ "swap-origin",
+ "downgrade"
+ ],
+ "origin": "*",
+ "subresource": "*",
+ "expectation": "*"
+ },
+ ],
+ "source_context_schema": {
+ "supported_delivery_type": {
+ "top": [
+ "http-rp",
+ "meta"
+ ],
+ "iframe": [
+ "http-rp",
+ "meta"
+ ],
+ "iframe-blank": [
+ "meta"
+ ],
+ "srcdoc": [
+ "meta"
+ ],
+ "worker-classic": [
+ "http-rp"
+ ],
+ "worker-module": [
+ "http-rp"
+ ],
+ "worker-classic-data": [],
+ "worker-module-data": [],
+ "sharedworker-classic": [
+ "http-rp"
+ ],
+ "sharedworker-module": [
+ "http-rp"
+ ],
+ "sharedworker-classic-data": [],
+ "sharedworker-module-data": []
+ }
+ },
+ "subresource_schema": {
+ "supported_delivery_type": {
+ "a-tag": [],
+ "area-tag": [],
+ "audio-tag": [],
+ "beacon": [],
+ "fetch": [],
+ "iframe-tag": [],
+ "img-tag": [],
+ "link-css-tag": [],
+ "link-prefetch-tag": [],
+ "object-tag": [],
+ "picture-tag": [],
+ "script-tag": [],
+ "script-tag-dynamic-import": [],
+ "sharedworker-classic": [],
+ "sharedworker-import": [],
+ "sharedworker-import-data": [],
+ "sharedworker-module": [],
+ "video-tag": [],
+ "websocket": [],
+ "worker-classic": [],
+ "worker-import": [],
+ "worker-import-data": [],
+ "worker-module": [],
+ "worklet-animation": [],
+ "worklet-animation-import-data": [],
+ "worklet-audio": [],
+ "worklet-audio-import-data": [],
+ "worklet-layout": [],
+ "worklet-layout-import-data": [],
+ "worklet-paint": [],
+ "worklet-paint-import-data": [],
+ "xhr": []
+ }
+ },
+ "test_expansion_schema": {
+ "delivery_type": [
+ "http-rp",
+ "meta"
+ ],
+ "delivery_value": [
+ null,
+ "opt-in"
+ ],
+ "expectation": [
+ "allowed",
+ "blocked"
+ ]
+ }
+}
diff --git a/testing/web-platform/tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub.html b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub.html
new file mode 100644
index 0000000000..4aeb183e3d
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Autoupgrade mixed content: Audio.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+
+</head>
+<body>
+ <script>
+ async_test(t => assert_audio_loads(t), "Audio autoupgraded");
+
+ function assert_audio_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var url = new URL("http://{{host}}:{{ports[https][0]}}/mixed-content/tentative/resources/test.wav")
+ var i = document.createElement('audio');
+ i.oncanplaythrough = test.step_func_done(_ => {
+ assert_equals(i.duration, 1, "Length");
+ });
+ i.onerror = test.unreached_func("Audio should load successfully from " + url);
+ i.src = url;
+ }
+ // Test the same just with another host
+ async_test(t => assert_other_host_audio_loads(t), "Audio of other host autoupgraded");
+
+ function assert_other_host_audio_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var otherHost = get_host_info().HTTP_NOTSAMESITE_ORIGIN.slice(0,-4); // cut of http port
+ var url = new URL( otherHost + "{{ports[https][0]}}/mixed-content/tentative/resources/test.wav")
+ var i = document.createElement('audio');
+ i.oncanplaythrough = test.step_func_done(_ => {
+ assert_equals(i.duration, 1, "Length of other host audio is correct");
+ });
+ i.onerror = test.unreached_func("Audio of other host should load successfully from " + url);
+ i.src = url;
+ }
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub.html b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub.html
new file mode 100644
index 0000000000..d63a71026a
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Autoupgrade mixed content: Optionally Blockable.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+
+</head>
+<body>
+ <script>
+ async_test(t => assert_image_loads(t), "Image autoupgraded");
+
+ function assert_image_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var url = new URL("http://{{host}}:{{ports[https][0]}}/mixed-content/tentative/resources/pass.png")
+ var i = document.createElement('img');
+ i.onload = test.step_func_done(_ => {
+ assert_equals(i.naturalHeight, 64, "Height.");
+ assert_equals(i.naturalWidth, 168, "Width.");
+ });
+ i.onerror = test.unreached_func("Image should load successfully from " + url);
+ i.src = url;
+ }
+
+ // Test the same just with another host
+ async_test(t => assert_other_host_image_loads(t), "Image of other host autoupgraded");
+
+ function assert_other_host_image_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var otherHost = get_host_info().HTTP_NOTSAMESITE_ORIGIN.slice(0,-4); // cut of http port
+ var url = new URL( otherHost + "{{ports[https][0]}}/mixed-content/tentative/resources/pass.png")
+ var i = document.createElement('img');
+ i.onload = test.step_func_done(_ => {
+ assert_equals(i.naturalHeight, 64, "Height.");
+ assert_equals(i.naturalWidth, 168, "Width.");
+ });
+ i.onerror = test.unreached_func("image of other host should load successfully from " + url);
+ i.src = url;
+ }
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub.html b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub.html
new file mode 100644
index 0000000000..eb7b443df3
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub.html
@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Test mixed content autoupgrade behavior for CORS request</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/get-host-info.sub.js"></script>
+ </head>
+ <body>
+ <script>
+ // Test that request with CORS get upgraded for audio elements
+ async_test(
+ (t) => assert_other_host_audio_loads(t),
+ "Cross-Origin audio should get upgraded even if CORS is set"
+ );
+
+ function assert_other_host_audio_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var otherHost = get_host_info().HTTP_NOTSAMESITE_ORIGIN.slice(0, -4); // cut of http port
+ var url =
+ otherHost +
+ "{{ports[https][0]}}/mixed-content/tentative/resources/test.wav?pipe=header(Access-Control-Allow-Origin,*)";
+ var i = document.createElement("audio");
+ i.oncanplaythrough = test.step_func_done((_) => {
+ assert_equals(i.duration, 1, "Length of other host audio is correct");
+ });
+ i.onerror = test.unreached_func(
+ "Audio of other host should load successfully from " + url
+ );
+ i.crossOrigin = "anonymous";
+ i.src = url;
+ }
+
+ // Test that request with CORS get upgraded for image elements
+ async_test(
+ (t) => assert_other_host_image_loads(t),
+ "Cross-Origin image should get upgraded even if CORS is set"
+ );
+
+ function assert_other_host_image_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var otherHost = get_host_info().HTTP_NOTSAMESITE_ORIGIN.slice(0, -4); // cut of http port
+ var url = new URL(
+ otherHost +
+ "{{ports[https][0]}}/mixed-content/tentative/resources/pass.png?pipe=header(Access-Control-Allow-Origin,*)"
+ );
+ var i = document.createElement("img");
+ i.onload = test.step_func_done((_) => {
+ assert_equals(i.naturalHeight, 64, "Height.");
+ assert_equals(i.naturalWidth, 168, "Width.");
+ });
+ i.crossOrigin = "anonymous";
+ i.onerror = test.unreached_func(
+ "image of other host should load successfully from " + url
+ );
+ i.src = url;
+ }
+
+ // Test that request with CORS get upgraded for video elements
+ async_test(
+ (t) => assert_other_host_video_loads(t),
+ "Cross-Origin video should get upgraded even if CORS is set"
+ );
+
+ function assert_other_host_video_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var otherHost = get_host_info().HTTP_NOTSAMESITE_ORIGIN.slice(0, -4); // cut of http port
+ var url = new URL(
+ otherHost +
+ "{{ports[https][0]}}/mixed-content/tentative/resources/test.ogv?pipe=header(Access-Control-Allow-Origin,*)"
+ );
+ var i = document.createElement("video");
+ i.oncanplaythrough = test.step_func_done((_) => {
+ assert_equals(Math.floor(i.duration), 300, "Length. Other host");
+ });
+ i.crossOrigin = "anonymous";
+ i.onerror = test.unreached_func(
+ "Video of other host should load successfully from " + url
+ );
+ i.src = url;
+ }
+ </script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html
new file mode 100644
index 0000000000..ea2d07309c
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Autoupgrade mixed content: Video.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+
+</head>
+<body>
+ <script>
+ async_test(t => assert_video_loads(t), "Video autoupgraded");
+
+ function assert_video_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var url = new URL("http://{{host}}:{{ports[https][0]}}/mixed-content/tentative/resources/test.ogv")
+ var i = document.createElement('video');
+ i.oncanplaythrough = test.step_func_done(_ => {
+ assert_equals(Math.floor(i.duration), 300, "Length.");
+ });
+ i.onerror = test.unreached_func("Video should load successfully from " + url);
+ i.src = url;
+ }
+
+ // Test the same just with another host
+ async_test(t => assert_other_host_video_loads(t), "Video of other host autoupgraded");
+
+ function assert_other_host_video_loads(test) {
+ // Since autoupgrades don't upgrade custom ports, we use the https port with an HTTP scheme. A successful autoupgrade will result in the right URL loading (and no autoupgrade will result in failure).
+ var otherHost = get_host_info().HTTP_NOTSAMESITE_ORIGIN.slice(0,-4); // cut of http port
+ var url = new URL( otherHost + "{{ports[https][0]}}/mixed-content/tentative/resources/test.ogv")
+ var i = document.createElement('video');
+ i.oncanplaythrough = test.step_func_done(_ => {
+ assert_equals(Math.floor(i.duration), 300, "Length. Other host");
+ });
+ i.onerror = test.unreached_func("Video of other host should load successfully from " + url);
+ i.src = url;
+ }
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/mixed-content/tentative/resources/pass.png b/testing/web-platform/tests/mixed-content/tentative/resources/pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/resources/pass.png
Binary files differ
diff --git a/testing/web-platform/tests/mixed-content/tentative/resources/test.ogv b/testing/web-platform/tests/mixed-content/tentative/resources/test.ogv
new file mode 100644
index 0000000000..0f83996e5d
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/resources/test.ogv
Binary files differ
diff --git a/testing/web-platform/tests/mixed-content/tentative/resources/test.wav b/testing/web-platform/tests/mixed-content/tentative/resources/test.wav
new file mode 100644
index 0000000000..85dc1ea904
--- /dev/null
+++ b/testing/web-platform/tests/mixed-content/tentative/resources/test.wav
Binary files differ