summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/reporting-api
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /testing/web-platform/tests/content-security-policy/reporting-api
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/reporting-api')
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html56
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers7
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers7
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers7
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers7
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers7
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html55
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers7
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html17
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers5
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html1
-rw-r--r--testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers5
20 files changed, 335 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html
new file mode 100644
index 0000000000..ffdebe0eb3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that reports using the report-api service are sent when there's a violation</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <meta http-equiv="content-security-policy" content="script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group">
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+
+ async_test(function(t3) {
+ var observer = new ReportingObserver(function(reports, observer) {
+ t3.step(function() {
+ assert_equals(reports.length, 1);
+
+ // Ensure that the contents of the report are valid.
+ var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"
+ var document_url = base_url + "reporting-api/report-to-directive-allowed-in-meta.https.sub.html";
+ assert_equals(reports[0].type, "csp-violation");
+ assert_equals(reports[0].url, document_url);
+ assert_equals(reports[0].body.documentURL, document_url);
+ assert_equals(reports[0].body.referrer, "");
+ assert_equals(reports[0].body.blockedURL,
+ base_url + "support/fail.png");
+ assert_equals(reports[0].body.effectiveDirective, "img-src");
+ assert_equals(reports[0].body.originalPolicy,
+ "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");
+ assert_equals(reports[0].body.sourceFile, document_url);
+ assert_equals(reports[0].body.sample, "");
+ assert_equals(reports[0].body.disposition, "enforce");
+ assert_equals(reports[0].body.statusCode, 200);
+ assert_equals(reports[0].body.lineNumber, 54);
+ assert_equals(reports[0].body.columnNumber, 0);
+ });
+
+ t3.done();
+ });
+ observer.observe();
+ }, "Report is observable to ReportingObserver");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.unreached_func("The image should not have loaded");'
+ onerror='t1.done();'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers
new file mode 100644
index 0000000000..6f3ff61a03
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-to-directive-allowed-in-meta={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html
new file mode 100644
index 0000000000..cb3842854c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that reports using the report-api service are not sent when there's not validation</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image loads");
+ window.addEventListener("securitypolicyviolation",
+ t1.unreached_func("Should not have triggered a violation event"));
+ </script>
+ <img src='/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.unreached_func("The image should have loaded");'>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers
new file mode 100644
index 0000000000..65b5afc5c8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-doesnt-send-reports-without-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'self'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html
new file mode 100644
index 0000000000..302025669d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that report-only policies still work with report-to</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.done();'
+ onerror='t1.unreached_func("The image should have loaded");'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers
new file mode 100644
index 0000000000..d1365ac3f7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-only-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
new file mode 100644
index 0000000000..82f0e6e7a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that report-to ignores tokens after the first one</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.unreached_func("The image should not have loaded");'
+ onerror='t1.done();'>
+ <!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. -->
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
new file mode 100644
index 0000000000..4de556aeef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-only-sends-reports-to-first-endpoint={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group csp-group-2
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}", csp-group-2="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
new file mode 100644
index 0000000000..ab62f47fb4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that report-to overrides report-uri. This tests report-uri before report-to in the policy</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.unreached_func("The image should not have loaded");'
+ onerror='t1.done();'>
+ <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers
new file mode 100644
index 0000000000..dfd3a4ed5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-overrides-report-uri-1={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri "/reporting/resources/report.py?op=put&reportID={{$id}}"; report-to csp-group
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
new file mode 100644
index 0000000000..eadbb54f43
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that report-to overrides report-uri. This tests report-uri after report-to in the policy</title> <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.unreached_func("The image should not have loaded");'
+ onerror='t1.done();'>
+ <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers
new file mode 100644
index 0000000000..87dfcf8789
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-overrides-report-uri-2={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group; report-uri "/reporting/resources/report.py?op=put&reportID={{$id}}"
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html
new file mode 100644
index 0000000000..94f14d94e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that reports using the report-api service are sent when there's a violation</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+
+ async_test(function(t3) {
+ var observer = new ReportingObserver(function(reports, observer) {
+ t3.step(function() {
+ assert_equals(reports.length, 1);
+
+ // Ensure that the contents of the report are valid.
+ var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"
+ var document_url = base_url + "reporting-api/reporting-api-sends-reports-on-violation.https.sub.html";
+ assert_equals(reports[0].type, "csp-violation");
+ assert_equals(reports[0].url, document_url);
+ assert_equals(reports[0].body.documentURL, document_url);
+ assert_equals(reports[0].body.referrer, "");
+ assert_equals(reports[0].body.blockedURL,
+ base_url + "support/fail.png");
+ assert_equals(reports[0].body.effectiveDirective, "img-src");
+ assert_equals(reports[0].body.originalPolicy,
+ "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");
+ assert_equals(reports[0].body.sourceFile, document_url);
+ assert_equals(reports[0].body.sample, "");
+ assert_equals(reports[0].body.disposition, "enforce");
+ assert_equals(reports[0].body.statusCode, 200);
+ assert_equals(reports[0].body.lineNumber, 53);
+ assert_equals(reports[0].body.columnNumber, 0);
+ });
+
+ t3.done();
+ });
+ observer.observe();
+ }, "Report is observable to ReportingObserver");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.unreached_func("The image should not have loaded");'
+ onerror='t1.done();'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers
new file mode 100644
index 0000000000..e6e488d4aa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html
new file mode 100644
index 0000000000..672c46e1aa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that reports using the report-api service are sent when there's a frame-ancestors violation</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <iframe src="https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/reporting-api/support/non-embeddable-frame.html?id={{$id:uuid()}}"></iframe>
+
+ <!-- Check that a report is sent to the child's reporting endpoint -->
+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-ancestors%20%27none%27&reportID={{$id}}'></script>
+
+ <!-- Check that no report is sent to the parent's reporting endpoint -->
+ <script async defer src='../support/checkReport.sub.js?reportExists=false&testName=No%20report%20to%20parent.'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers
new file mode 100644
index 0000000000..bf4e24e77e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: reporting-api-works-on-frame-ancestors={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html
new file mode 100644
index 0000000000..b83a05ce4b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that reports using the report-api service are sent when there's a violation</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.html");
+ assert_equals(e.violatedDirective, "frame-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+ </script>
+ <iframe src="../support/fail.html"></iframe>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers
new file mode 100644
index 0000000000..f85c8d26e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: reporting-api-works-on-frame-src={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; frame-src 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html
new file mode 100644
index 0000000000..94e1707e85
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html
@@ -0,0 +1 @@
+FAIL
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers
new file mode 100644
index 0000000000..26d794e1d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[alt][]}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{GET[id]}}" }] }
+Content-Security-Policy: frame-ancestors 'none'; report-to csp-group