Adding upstream version 1:115.7.0.upstream/1%115.7.0 upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 17:32:43 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 17:32:43 +0000
commit: 6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch)
tree: a68f146d7fa01f0134297619fbe7e33db084e0aa /testing/web-platform/tests/content-security-policy
parent: Initial commit. (diff)
download: thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.tar.xz
thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.zip
1232 files changed, 41859 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/META.yml b/testing/web-platform/tests/content-security-policy/META.yml
new file mode 100644
index 0000000000..ee8f1ea7e0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/META.yml
@@ -0,0 +1,4 @@
+spec: https://w3c.github.io/webappsec-csp/
+suggested_reviewers:
+  - andypaicu
+  - hillbrad
diff --git a/testing/web-platform/tests/content-security-policy/README.css b/testing/web-platform/tests/content-security-policy/README.css
new file mode 100644
index 0000000000..d47a5034ba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/README.css
@@ -0,0 +1,27 @@
+
+.code {
+    font-family: monospace;
+    color: darkorange;
+}
+
+.codeTitle {
+    font-family: sans-serif;
+    padding: .3em;
+    margin-bottom: -1em;
+    background: #ffe;
+    border-color: #ccc;
+    border-width: 1px;
+    border-style: groove;
+}
+
+.highlight1 {
+    background: yellow;
+}
+
+.highlight2 {
+    background: pink;
+}
+
+body {
+    font-family: sans-serif;
+}
diff --git a/testing/web-platform/tests/content-security-policy/README.html b/testing/web-platform/tests/content-security-policy/README.html
new file mode 100644
index 0000000000..07ddcc7a4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/README.html
@@ -0,0 +1,118 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Introduction to Writing Content Security Policy Tests</title>
+    <link rel="stylesheet" type="text/css" href="README.css">
+    <link rel="stylesheet" type="text/css" href="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.1/styles/default.min.css">
+    <script src="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.1/highlight.min.js"></script>
+    <script>
+        hljs.initHighlightingOnLoad();
+    </script>
+</head>
+
+<body>
+    <h1>Introduction to Writing Content Security Policy Tests</h1>
+    <p>The CSP test suite uses the standard W3C testharness.js framework, but there are a few additional things you'll need to do because of the unique way CSP works, even if you're already an expert at writing W3C tests. These tests require the use of the
+    <a href="https://github.com/w3c/wptserve">wptserve</a> server (included in the <a href="https://github.com/web-platform-tests/wpt">web-platform-tests repository</a>) to operate correctly.</p>
+
+    <h2>What's different about writing CSP tests?</h2>
+
+    <h3>Headers</h3>
+    <p>Content Security Policy is preferentially set through an HTTP header. This means we can't do our tests just as a simple set of HTML+CSS+JS files. Luckily the wptserver framework provides an easy method to add headers to a file.</p>
+    <p>If my file is named <span class=code>example.html</span> then I can create a file
+        <span class=code>example.html.headers</span> to define the headers that will be served with it. If I need to do template substitutions in the headers, I can instead create a file named <span class=code>example.html.sub.headers</span>.</p>
+
+    <h3>Negative Test Cases and Blocked Script Execution</h3>
+    <p>Another interesting feature of CSP is that it <em>prevents</em> things from happening. It even can and prevent script from running. How do we write tests that detect something didn't happen?</p>
+
+    <h3>Checking Reports</h3>
+    <p>CSP also has a feature to send a report. We ideally want to check that whenever a policy is enforced, a report is sent. This also helps us with the previous problem - if it is difficult to observe something not happening, we can still check that a report fired.</p>
+
+    <h2>Putting it Together</h2>
+    <p>Here's an example of a simple test. (ignore the highlights for now...) This file lives in the
+        <span class=code>/content-security-policy/script-src/</span> directory.</p>
+
+    <p class=codeTitle>script-src-1_1.html</p>
+    <pre><code class="html">&lt;!DOCTYPE HTML&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script src=&#39;/resources/testharness.js&#39;&gt;&lt;/script&gt;
+    &lt;script src=&#39;/resources/testharnessreport.js&#39;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;h1&gt;Inline script should not run without &#39;unsafe-inline&#39; script-src directive.&lt;/h1&gt;
+    &lt;div id=&#39;log&#39;&gt;&lt;/div&gt;
+
+    &lt;script&gt;
+    test(function() {
+        assert_unreached(&#39;Unsafe inline script ran.&#39;)},
+        &#39;Inline script in a script tag should not run without an unsafe-inline directive&#39;
+    );
+    &lt;/script&gt;
+
+    &lt;img src=&#39;doesnotexist.jpg&#39; onerror=&#39;test(function() { assert_false(true, &quot;Unsafe inline event handler ran.&quot;) }, &quot;Inline event handlers should not run without an unsafe-inline directive&quot;);&#39;&gt;
+
+    &lt;script async defer src=&#39;../support/checkReport.sub.js?reportField=violated-directive&amp;reportValue=<span class=highlight1>script-src%20%27self%27</span>&#39;&gt;&lt;/script&gt;
+
+&lt;/body&gt;
+&lt;/html&gt;
+        </code></pre>
+
+
+    <p>This code includes three tests. The first one in the script block will generate a failure if it runs. The second one, in the onerror handler for the img which does not exist should also generate a failure if it runs. But for a successful CSP implementation, neither of these tests does run. The final test is run by the link to <span class=code>../support/checkReport.sub.js</span>. It will load some script in the page (make sure its not blocked by your policy!) which contacts the server asynchronously and sees if the expected report was sent. This should always run an generate a positive or negative result even if the inline tests are blocked as we expect.</p>
+
+    <p>Now, to actually exercise these tests against a policy, we'll need to set headers. In the same directory we'll place this file:</p>
+
+    <p class=codeTitle>script-src-1_1.html.sub.headers</p>
+    <pre><code class="html">
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: <span class=highlight2>script-src-1_1</span>={{$id:uuid()}}; Path=<span class=highlight2>/content-security-policy/script-src/</span>
+Content-Security-Policy: <span class=highlight1>script-src 'self'</span>; report-uri  <span class=highlight2></span>/reporting/resources/report.py?op=put&reportID={{$id}}
+        </code></pre>
+    <p>This sets some headers to prevent caching (just so we are more likely to see our latest changes if we're actively developing this test) sets a cookie (more on that later) and sets the relevant <span class=code>Content-Security-Policy</span> header for our test case.</p>
+
+    <h4>What about those highlights?</h4>
+    <p>In production code we don't like to repeat ourselves. For this test suite, we'll relax that rule a little bit. Why? It's easier to have many people contributing "safe" files using some template substitutions than require every file to be executable content like Python or PHP which would require much more careful code review. The highlights show where you have to be careful as you repeat yourself in more limited static files.
+    </p>
+
+    <p>The <span class=highlight1>YELLOW</span> highlighted text is information that must be the same between both files for report checking to work correctly. In the html file, we're telling
+        <span class=code>checkReport.sub.js</span> to check the value of the <span class=code>
+        violated-directive</span> key in the report JSON. So it needs to match (after URL encoding) the directive we set in the header.</p>
+
+    <p>The <span class=highlight2>PINK</span> highlighted text is information that must be repeated from the path and filename of your test file into the headers file. The name of the cookie must match the name of the test file without its extension, the path for the cookie must be correct, and the relative path component to the report-uri must also be corrected if you nest your tests more than one directory deep.</p>
+
+    <h2>Check Your Effects!</h2>
+    <p>A good test case should also verify the state of the DOM in addition to checking the report - after all, a browser might send a report without actually blocking the banned content. Note that in a browser without CSP support there will be three failures on the example page as the inline script executes.</p>
+    <p>How exactly you check your effects will depend on the directive, but don't hesitate to use script for testing to see if computed styles are as expected, if layouts changed or if certain elements were added to the DOM. Checking that the report also fired is just the final step of verifing correct behavior.</p>
+
+    <p>Note that avoiding inline script is good style and good habits, but not 100% necessary for every test case. Go ahead and specify 'unsafe-inline' if it makes your life easier.</p>
+
+    <h2>Report Existence Only and Double-Negative Tests</h2>
+    <p>If you want to check that a report exists, or verify that a report <em>wasn't</em> sent for a double-negative test case,
+    you can pass <strong>?reportExists=</strong><em>[true|false]</em> to <span class=code>checkReport.sub.js</span> instead of <strong>reportField</strong> and <strong>reportValue</strong>.</p>
+
+    <h2>How does the magic happen?</h2>
+    <p>Behind the scenes, a few things are going on in the framework.</p>
+    <ol>
+        <li>The {{$id:uuid}} templating marker in the headers file tells the wptserve HTTP server to create a new unique id and assign it to a variable, which we can re-use as {{$id}}.</li>
+        <li>We'll use this UUID in two places:
+            <ol>
+                <li>As a GET parameter to our reporting script, to uniquely identify this instance of the test case so our report can be stored and retrieved.
+                </li>
+                <li>As a cookie value associated with the filename, so script in the page context can learn what UUID the report was sent under.</li>
+            </ol>
+        </li>
+        <li>The report listener is a simple python file that stashes the report value under its UUID and allows it to be retrieved again, exactly once.</li>
+        <li><span class=code>checkReport.sub.js</span> then grabs the current path information and uses that to find the cookie holding the report UUID. It deletes that cookie (otherwise the test suite would overrun the maximum size of a cookie header allowed) then makes an XMLHttpRequest to the report listener to retrieve the report, parse it and verify the contents as per the parameters it was loaded with.</li>
+    </ol>
+
+    <p>Why all these gymnastics? CSP reports are delivered by an <em>anonymous fetch</em>. This means that the browser does not process the response headers, body, or allow any state changes as a result. So we can't pull a trick like just echoing the report contents back in a Set-Cookie header or writing them to local storage.</p>
+
+    <p>Luckily, you shouldn't have to worry about this magic much, as long as you get the incantation correct.</p>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow-leading-zero-port.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow-leading-zero-port.sub.html
new file mode 100644
index 0000000000..614d7dd50e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow-leading-zero-port.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:0{{ports[http][0]}}/">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Check that base URIs can be set if they do not violate the page's policy because leading 0s are stripped from the port.");
+      window.addEventListener('securitypolicyviolation', t.step_func(function(t) {
+        assert_unreached('No CSP violation report should have been fired.');
+      }));
+    </script>
+
+    <base href="{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+    <script>
+    t.step(function() {
+      assert_equals(document.baseURI, "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/");
+      t.done();
+    });
+    </script>
+</head>
+<body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html
new file mode 100644
index 0000000000..cda0c2db44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Check that base URIs can be set if they do not violate the page's policy.");
+      window.addEventListener('securitypolicyviolation', t.step_func(function(t) {
+        assert_unreached('No CSP violation report should have been fired.');
+      }));
+    </script>
+
+    <base href="{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+    <script>
+    t.step(function() {
+      assert_equals(document.baseURI, "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/");
+      t.done();
+    });
+    </script>
+</head>
+<body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny-url-encoded-host.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny-url-encoded-host.sub.html
new file mode 100644
index 0000000000..5e7fad9d9e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny-url-encoded-host.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://www1%2E{{domains[]}}:{{ports[http][0]}}/">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive due to a url encoded host character.");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/")
+        assert_equals(e.violatedDirective, "base-uri");
+      }));
+    </script>
+
+    <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/">
+    <script>
+    test(function() {
+      assert_equals(document.baseURI, window.location.href);
+      t.done();
+    }, "Check that the baseURI is not set when it does not match the csp directive");
+    </script>
+</head>
+<body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html
new file mode 100644
index 0000000000..a5a78ae1a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/")
+        assert_equals(e.violatedDirective, "base-uri");
+      }));
+    </script>
+
+    <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/">
+    <script>
+    test(function() {
+      assert_equals(document.baseURI, window.location.href);
+      t.done();
+    }, "Check that the baseURI is not set when it does not match the csp directive");
+    </script>
+</head>
+<body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html
new file mode 100644
index 0000000000..299383c469
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
+
+    <title>base-uri works correctly inside a sandboxed iframe.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <h1>base-uri works correctly inside a sandboxed iframe.</h1>
+    <div id='log'></div>
+
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report should have been fired.');
+        });
+
+        async_test(function(t) {
+            var i = document.createElement('iframe');
+            i.sandbox = 'allow-scripts';
+            i.style.display = 'none';
+            i.srcdoc = `
+              <script>
+                window.addEventListener('securitypolicyviolation', function() {
+                  top.postMessage('FAIL', '*');
+                });
+              </sc` + `ript>
+              <base href="{{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
+              <script>
+                top.postMessage(document.baseURI, '*');
+              </sc` + `ript>`;
+
+            window.addEventListener('message', t.step_func(function(e) {
+              if (e.source === i.contentWindow) {
+                assert_equals(e.data, location.origin + '/base/');
+                t.done();
+              }
+            }));
+
+            document.body.appendChild(i);
+        }, 'base-uri \'self\' works with same-origin sandboxed iframes.');
+
+        async_test(function(t) {
+            var i = document.createElement('iframe');
+            i.sandbox = 'allow-scripts';
+            i.style.display = 'none';
+            i.srcdoc = `
+            <script>
+              window.addEventListener('securitypolicyviolation',
+                function(violation) {
+                  if (violation.blockedURI !== '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/' || violation.effectiveDirective !== 'base-uri') {
+                      top.postMessage('FAIL');
+                      return;
+                  }
+                  top.postMessage(document.baseURI, '*');
+              });
+            </sc` + `ript>
+            <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/">
+            <script>
+              top.postMessage(document.baseURI, '*');
+            </sc` + `ript>`;
+
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.source === i.contentWindow) {
+                    assert_equals(e.data, location.href);
+                    t.done();
+                }
+            }));
+
+            document.body.appendChild(i);
+        }, 'base-uri \'self\' blocks foreign-origin sandboxed iframes.');
+    </script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html
new file mode 100644
index 0000000000..408c0116eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that base does not affect report-uri</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <!-- if base is used for resolving the URL to report to then we will not get a report -->
+  <base href="http://nonexistent.{{domains[]}}">
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <img src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+
+  <script async defer src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers
new file mode 100644
index 0000000000..811125d83a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: report-uri-does-not-respect-base-uri={{$id:uuid()}}; Path=/content-security-policy/base-uri
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html
new file mode 100644
index 0000000000..cafa1e3660
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';">
+    <title>blob-urls-do-not-match-self</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>
+        blob: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+        function fail() {
+            alert_assert("FAIL!");
+        }
+        var b = new Blob(['fail();'], {
+            type: 'application/javascript'
+        });
+        var script = document.createElement('script');
+        script.src = URL.createObjectURL(b);
+        document.body.appendChild(script);
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blob/blob-urls-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blob/blob-urls-match-blob.sub.html
new file mode 100644
index 0000000000..2b8db3a99f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blob/blob-urls-match-blob.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' blob:; connect-src 'self';">
+    <title>blob-urls-match-blob</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>
+        blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("FAIL");
+        });
+
+        function pass() {
+            log("PASS (1/1)");
+        }
+        var b = new Blob(['pass();'], {
+            type: 'application/javascript'
+        });
+        var script = document.createElement('script');
+        script.src = URL.createObjectURL(b);
+        document.body.appendChild(script);
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blob/self-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blob/self-doesnt-match-blob.sub.html
new file mode 100644
index 0000000000..c7002aba19
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blob/self-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';">
+    <title>worker-connect-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=worker-src","TEST COMPLETE"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<p>This test loads a worker, from a guid.
+    The worker should be blocked from loading with a child-src policy of 'self'
+    as the blob: scheme must be specified explicitly.
+    A report should be sent to the report-uri specified
+    with this resource.</p>
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var blob = new Blob([
+                "postMessage('FAIL');" +
+                "postMessage('TEST COMPLETE');"
+                ],
+                {type : 'application/javascript'});
+            var url = URL.createObjectURL(blob);
+            var worker = new Worker(url);
+            worker.onmessage = function(event) {
+                alert_assert(event.data);
+            };
+            worker.onerror = function(event) {
+                log('TEST COMPLETE');
+                event.preventDefault();
+            }
+        } catch (e) {
+            log('TEST COMPLETE');
+        }
+        function timeout() {
+            log('TEST COMPLETE');
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blob/star-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blob/star-doesnt-match-blob.sub.html
new file mode 100644
index 0000000000..f2fd01f827
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blob/star-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *;">
+    <title>worker-connect-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=worker-src","TEST COMPLETE"]'></script>
+
+</head>
+<p>This test loads a worker, from a guid.
+    The worker should be blocked from loading with a child-src policy of *
+    as the blob: scheme must be specified explicitly.
+    A report should be sent to the report-uri specified
+    with this resource.</p>
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var blob = new Blob([
+                "postMessage('FAIL');" +
+                "postMessage('TEST COMPLETE');"
+                ],
+                {type : 'application/javascript'});
+            var url = URL.createObjectURL(blob);
+            var worker = new Worker(url);
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+            worker.onerror = function(event) {
+                event.preventDefault();
+                log('TEST COMPLETE');
+            }
+        } catch (e) {
+            log('TEST COMPLETE');
+        }
+        function timeout() {
+            log('TEST COMPLETE');
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 0000000000..c546a7a27f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>child-src-about-blank-allowed-by-default</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <p>These frames should not be blocked by Content-Security-Policy.
+        It&apos;s pointless to block about:blank iframes because
+        blocking a frame just results in displaying about:blank anyway!
+    </p>
+    <script>
+        var t = async_test("Check that frames load without throwing any violation events");
+        window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired any events"));
+    </script>
+
+    <iframe src="about:blank"></iframe>
+    <object type="text/html" data="about:blank"></object>
+
+    <div id="log"></div>
+
+    <script>
+        t.done();
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 0000000000..2de5484c0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>child-src-about-blank-allowed-by-scheme</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <p>This frame should not be blocked by Content-Security-Policy.
+    </p>
+    <script>
+        var t = async_test("Check that frames load without throwing any violation events");
+        window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired any events"));
+    </script>
+
+    <iframe src="about:blank"></iframe>
+    <div id="log"></div>
+
+    <script>
+        t.done();
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html
new file mode 100644
index 0000000000..3d4964e24b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>child-src-allowed</title>
+    <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        window.addEventListener("securitypolicyviolation", function(e) {
+            alert_assert("Fail");
+        });
+
+        var t_alert = async_test('Expecting alerts: ["PASS"]');
+        var expected_alerts = ["PASS"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_alert.done();
+            });
+        }
+
+    </script>
+    <p>
+        This iframe should be allowed.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html
new file mode 100644
index 0000000000..9141aeba46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>child-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        window.addEventListener("securitypolicyviolation", function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        function alert_assert(msg) {
+            t_log.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_log.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_log.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <p>
+        IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html
new file mode 100644
index 0000000000..7f6f9294fa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>child-src-blocked</title>
+    <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        window.addEventListener("securitypolicyviolation", function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        function alert_assert(msg) {
+            t_log.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_log.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_log.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <p>
+        A more permissive child-src should not relax restrictions from a less-
+        permissive frame-src.  Directives still combine for least privilege, even when
+        one obsoletes another.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html
new file mode 100644
index 0000000000..192f69b854
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html
@@ -0,0 +1,42 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> </head>
+<body></body>
+
+<script>
+async_test(test => {
+  let count = 0;
+  window.addEventListener("message", test.step_func((event) => {
+    assert_equals(event.data, "PASS");
+    count++;
+    assert_less_than_equal(count, 2);
+    if (count == 2) {
+      // Use a timeout, to let some time for additional messages to show up
+      // before declaring this test as completed.
+      test.step_timeout(() => test.done(), 1000);
+    }
+  }));
+}, "Two of the three iframe are expected to load.");
+
+// IFrames blocked by CSP should generate a 'load', not 'error' event,
+// regardless of blocked state. This means they appear to be normal
+// cross-origin loads, thereby not leaking URL information directly to JS.
+const runTest = (description, src) => {
+  async_test(test => {
+    const iframe = document.createElement("iframe");
+    iframe.src = src;
+    iframe.onload = () => test.done();
+    iframe.onerror = () => test.assert_unreached('unexpected onerror')
+    document.body.appendChild(iframe);
+  }, description);
+};
+
+runTest("Navigation in iframe allowed by child-src 'self'",
+  "/content-security-policy/support/postmessage-pass.html");
+
+runTest("Navigation in iframe allowed by child-src explicit CSP source",
+  "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html");
+
+runTest("Navigation in iframe not allowed by child-src",
+  "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html
new file mode 100644
index 0000000000..d73284e20a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>child-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        window.addEventListener("securitypolicyviolation", function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        function alert_assert(msg) {
+            t_log.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_log.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_log.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+    <p>
+        IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html
new file mode 100644
index 0000000000..d02abaef19
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>child-src-worker-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'unsafe-inline'; connect-src 'self';">
+</head>
+
+<body>
+    <p> This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported
+        until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src'
+        does not affect the result in any way (for instance by allowing 'self').
+    </p>
+    <script>
+      async_test(function(t) {
+        document.addEventListener("securitypolicyviolation", t.step_func(function(e) {
+          if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js")
+            return;
+
+          assert_unreached("Should not throw a securitypolicyviolation");
+        }));
+
+        try {
+            var foo = new Worker('{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js');
+            foo.onmessage = function(event) {
+              t.done();
+            };
+        } catch (e) {
+          assert_unreached("Should not throw exception");
+        }
+      }, "Worker is allowed because of deprecated 'child-src' directive");
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html
new file mode 100644
index 0000000000..675cd95ea4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>child-src-worker-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'unsafe-inline'; connect-src 'self';">
+</head>
+
+<body>
+    <p> This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported
+        until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src'
+        does not affect the result in any way (for instance by allowing 'self').
+    </p>
+    <script>
+      async_test(function(t) {
+        document.addEventListener("securitypolicyviolation", t.step_func(function(e) {
+          if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js")
+            return;
+
+          assert_equals(e.violatedDirective, "worker-src");
+          t.done();
+        }));
+      }, "Should throw a securitypolicyviolation event");
+
+      async_test(function(t) {
+        try {
+          var foo = new Worker('{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js');
+          foo.onerror = function(event) {
+            event.preventDefault();
+            t.done();
+          }
+          foo.onmessage = function(event) {
+            assert_unreached("Should not be able to start worker");
+          };
+        } catch (e) {
+          t.done();
+        }
+      }, "Should block worker because it does not match any directive including the deprecated 'child-src'");
+    </script>
+    <div id="log"></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html
new file mode 100644
index 0000000000..de032a9f47
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-beacon-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("FAIL");
+        });
+
+        if (typeof navigator.sendBeacon != 'function') {
+            t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+        } else {
+            try {
+                var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
+                log("Pass");
+            } catch (e) {
+                log("Fail");
+            }
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html
new file mode 100644
index 0000000000..025a720184
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-beacon-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Pass", "violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        if (typeof navigator.sendBeacon != 'function') {
+            t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+        } else {
+            try {
+                var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
+                log("Pass");
+            } catch (e) {
+                log("Fail");
+            }
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html
new file mode 100644
index 0000000000..b0cbea51f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-beacon-redirect-to-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script></script>
+</head>
+
+<body>
+    <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p>
+    <p>Verify that a CSP connect-src directive blocks redirects.</p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        if (typeof navigator.sendBeacon != 'function') {
+            t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+        } else {
+            navigator.sendBeacon(
+                "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png",
+                "ping");
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html
new file mode 100644
index 0000000000..1edaf319dc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-eventsource-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["allowed"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("blocked");
+        });
+
+        try {
+            var es = new EventSource("http://{{host}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
+            // Firefox and Chrome don't throw an exception.
+            es.onopen = function () {
+                log("allowed");
+            };
+            es.onerror = function () {
+                log("blocked");
+            };
+        } catch (e) {
+            log("blocked");
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html
new file mode 100644
index 0000000000..df8a9a1e3d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-eventsource-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["blocked","violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var es = new EventSource("http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
+            // Firefox and Chrome don't throw an exception and takes some time to close async
+            if (es.readyState == EventSource.CONNECTING) {
+                setTimeout( function() {
+                    es.readyState != EventSource.CLOSED ? log("allowed") : log("blocked");
+                }, 1000);
+            } else if (es.readyState == EventSource.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html
new file mode 100644
index 0000000000..32709cd2d4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-eventsource-redirect-to-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE", "violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        var es;
+        try {
+            es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
+        } catch (e) {
+            log("FAIL " + "EventSource() should not throw an exception.");
+        }
+        es.onload = function() {
+            log("FAIL " + "EventSource() should fail to follow the disallowed redirect.");
+            log("TEST COMPLETE");
+        };
+        es.onerror = function() {
+            log("PASS " + "EventSource() did not follow the disallowed redirect.");
+            log("TEST COMPLETE");
+        };
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html
new file mode 100644
index 0000000000..4263d97fe2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncraciws.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' ws://{{domains[www1]}}:{{ports[http][0]}}/echo; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-websocket-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["allowed"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var ws = new WebSocket("ws://{{domains[www1]}}:{{ports[http][0]}}/echo");
+
+            if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html
new file mode 100644
index 0000000000..02c52837bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncraciws.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-websocket-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["blocked","violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var ws = new WebSocket("ws://{{domains[www1]}}:{{ports[http][0]}}/echo");
+
+            if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html
new file mode 100644
index 0000000000..6db324ea0e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-websocket-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["allowed", "allowed"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var ws = new WebSocket("ws://{{host}}:{{location[port]}}/echo");
+
+            if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+
+        try {
+            var wss = new WebSocket("wss://{{host}}:{{location[port]}}/echo");
+
+            if (wss.readyState == WebSocket.CLOSING || wss.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html
new file mode 100644
index 0000000000..bde5eeea10
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-xmlhttprequest-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        try {
+            var xhr = new XMLHttpRequest;
+            xhr.open("GET", "http://{{host}}:{{ports[http][0]}}/xmlhttprequest/resources/get.txt", true);
+            log("Pass");
+        } catch (e) {
+            log("Fail");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html
new file mode 100644
index 0000000000..f4215909d9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-xmlhttprequest-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Pass","violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var xhr = new XMLHttpRequest;
+            xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
+            xhr.send();
+            xhr.onload = function() {
+                log("Fail");
+            }
+            xhr.onerror = function() {
+                log("Pass");
+            }
+        } catch (e) {
+            log("Pass");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
new file mode 100644
index 0000000000..429e463c53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-xmlhttprequest-redirect-to-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script id="inject_here"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        var xhr = new XMLHttpRequest;
+        try {
+            xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+        } catch (e) {
+            log("FAIL " + "XMLHttpRequest.open() should not throw an exception.");
+        }
+        xhr.onload = function() {
+            //cons/**/ole.log(xhr.responseText);
+            if(xhr.responseText == "FAIL") {
+                log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+            } else {
+                log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+            }
+            log("TEST COMPLETE");
+        };
+        xhr.onerror = function() {
+            log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+            log("TEST COMPLETE");
+        };
+        xhr.send();
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/resources/simple-event-stream b/testing/web-platform/tests/content-security-policy/connect-src/resources/simple-event-stream
new file mode 100644
index 0000000000..bdd2d486c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/resources/simple-event-stream
@@ -0,0 +1 @@
+data: hello
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/resources/simple-event-stream.headers b/testing/web-platform/tests/content-security-policy/connect-src/resources/simple-event-stream.headers
new file mode 100644
index 0000000000..450c9f2d23
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/resources/simple-event-stream.headers
@@ -0,0 +1 @@
+Content-Type: text/event-stream
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html
new file mode 100644
index 0000000000..f772b2402a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{domains[www1]}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';">
+    <title>shared-worker-connect-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["xhr allowed","TEST COMPLETE"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+        log("violated-directive=" + e.violatedDirective);
+    });
+
+    if(typeof SharedWorker != 'function') {
+        t_log.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test.");
+        t_log.phase = t_alert.phases.HAS_RESULT;
+      	t_log.done();
+    } else {
+        try {
+            var worker = new SharedWorker('/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js');
+            worker.port.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+    }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html
new file mode 100644
index 0000000000..f229d561dc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src *; script-src 'self' 'unsafe-inline';">
+    <title>shared-worker-connect-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["xhr blocked","TEST COMPLETE"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>This test loads a shared worker, delivered with its own
+    policy.  The worker should be blocked from making an XHR
+    as that policy specifies a connect-src 'none', though
+    this resource's policy is connect-src *.  No report
+    should be sent since the worker's policy doesn't specify
+    a report-uri.</p>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+       });
+
+      if(typeof SharedWorker != 'function') {
+          t_log.set_status(t_log.NOTRUN, "No SharedWorker, cannot run test.");
+          t_log.phase = t_log.phases.HAS_RESULT;
+          t_log.done();
+      } else {
+          try {
+              var worker = new SharedWorker('/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js');
+              worker.port.onmessage = function(event) {
+                  log(event.data);
+              };
+          } catch (e) {
+              log(e);
+          }
+      }
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js b/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js
new file mode 100644
index 0000000000..1e9700832d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+    var port = event.ports[0];
+    var xhr = new XMLHttpRequest;
+    xhr.onerror = function () {
+        port.postMessage("xhr blocked");
+        port.postMessage("TEST COMPLETE");
+    };
+    xhr.onload = function () {
+        if (xhr.responseText == "FAIL") {
+            port.postMessage("xhr allowed");
+        } else {
+            port.postMessage("xhr blocked");
+        }
+        port.postMessage("TEST COMPLETE");
+    };
+    try {
+        xhr.open("GET", "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+        xhr.send();
+    } catch (e) {
+        port.postMessage("xhr blocked");
+        port.postMessage("TEST COMPLETE");
+    }
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js
new file mode 100644
index 0000000000..1e9700832d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+    var port = event.ports[0];
+    var xhr = new XMLHttpRequest;
+    xhr.onerror = function () {
+        port.postMessage("xhr blocked");
+        port.postMessage("TEST COMPLETE");
+    };
+    xhr.onload = function () {
+        if (xhr.responseText == "FAIL") {
+            port.postMessage("xhr allowed");
+        } else {
+            port.postMessage("xhr blocked");
+        }
+        port.postMessage("TEST COMPLETE");
+    };
+    try {
+        xhr.open("GET", "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+        xhr.send();
+    } catch (e) {
+        port.postMessage("xhr blocked");
+        port.postMessage("TEST COMPLETE");
+    }
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 0000000000..ac7368c32e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js
new file mode 100644
index 0000000000..22819d57a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+    postMessage("xhr blocked");
+    postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+    //cons/**/ole.log(xhr.responseText);
+    if (xhr.responseText == "FAIL") {
+        postMessage("xhr allowed");
+    } else {
+        postMessage("xhr blocked");
+    }
+    postMessage("TEST COMPLETE");
+};
+try {
+    xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+    xhr.send();
+} catch (e) {
+    postMessage("xhr blocked");
+    postMessage("TEST COMPLETE");
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 0000000000..ac7368c32e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js b/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js
new file mode 100644
index 0000000000..73359a39ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+    postMessage("xhr blocked");
+    postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+    //cons/**/ole.log(xhr.responseText);
+    if (xhr.responseText == "FAIL") {
+        postMessage("xhr allowed");
+    } else {
+        postMessage("xhr blocked");
+    }
+    postMessage("TEST COMPLETE");
+};
+try {
+    xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+    xhr.send();
+} catch (e) {
+    postMessage("xhr blocked");
+    postMessage("TEST COMPLETE");
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html
new file mode 100644
index 0000000000..4ce5c99573
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>worker-connect-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["xhr allowed"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+
+        try {
+            var worker = new Worker('/content-security-policy/connect-src/support/worker-make-xhr.sub.js');
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html
new file mode 100644
index 0000000000..d375771542
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src *; script-src 'self' 'unsafe-inline';">
+    <title>worker-connect-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["xhr blocked","TEST COMPLETE"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<p>This test loads a worker, which is delivered with its own
+    policy.  The worker should be blocked from making an XHR
+    as that policy specifies a connect-src 'none', though
+    this resource's policy is connect-src *.  No report
+    should be sent since the worker's policy doesn't specify
+    a report-uri.</p>
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+
+        try {
+            var worker = new Worker('/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js');
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/connect-src/worker-from-guid.sub.html b/testing/web-platform/tests/content-security-policy/connect-src/worker-from-guid.sub.html
new file mode 100644
index 0000000000..045afb8082
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/connect-src/worker-from-guid.sub.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline' blob:;">
+    <title>worker-connect-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=connect-src","xhr blocked","TEST COMPLETE"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<p>This test loads a worker, from a guid.
+    The worker should be blocked from making an XHR
+    to www1 as this resource's policy is connect-src 'self
+    and a guid Worker should inherit is parent's policy.
+    A report should be sent to the report-uri specified
+    with this resource.</p>
+<body>
+    <script>
+        try {
+            var blob = new Blob([
+                "self.addEventListener('securitypolicyviolation', e => {" +
+                "  postMessage('violated-directive=' + e.violatedDirective);" +
+                "});" +
+                "var xhr = new XMLHttpRequest;" +
+                "xhr.onerror = function () {" +
+                "  postMessage('xhr blocked');" +
+                "  postMessage('TEST COMPLETE');" +
+                "};" +
+                "xhr.onload = function () {" +
+                "  if (xhr.responseText == 'FAIL') {" +
+                "    postMessage('xhr allowed');" +
+                "  } else {" +
+                "    postMessage('xhr blocked');" +
+                "  }" +
+                "  postMessage('TEST COMPLETE');" +
+                "};" +
+                "try { " +
+                "  xhr.open(" +
+                "   'GET'," +
+                "   'http:///content-security-policy/support/fail.asis'," +
+                "    true" +
+                "  );" +
+                "  xhr.send();" +
+                "} catch (e) {" +
+                "  postMessage('xhr blocked');" +
+                "  postMessage('TEST COMPLETE');" +
+                "}"],
+                {type : 'application/javascript'});
+            var url = URL.createObjectURL(blob);
+            var worker = new Worker(url);
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/default-src/default-src-inline-allowed.sub.html b/testing/web-platform/tests/content-security-policy/default-src/default-src-inline-allowed.sub.html
new file mode 100644
index 0000000000..8f9bd81d39
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/default-src/default-src-inline-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("FAIL");
+        });
+    </script>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' about: 'unsafe-inline'; connect-src 'self';">
+    <title>default-src-inline-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+</head>
+
+<body onload="alert_assert(&apos;PASS 2 of 2&apos;)">
+    <script>
+        alert_assert('PASS 1 of 2');
+
+    </script>
+    <!--iframe src="javascript:alert_assert(&apos;Fail&apos;)"></iframe-->
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/default-src/default-src-inline-blocked.sub.html b/testing/web-platform/tests/content-security-policy/default-src/default-src-inline-blocked.sub.html
new file mode 100644
index 0000000000..0cb4ca5538
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/default-src/default-src-inline-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+    </script>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self';">
+    <title>default-src-inline-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","violated-directive=script-src-elem"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>This test passes if the inline scripts don't create failing tests and a CSP report is sent.</p>
+    <script>
+        test(function() {
+            assert_unreached('FAIL inline script ran')
+        });
+
+    </script>
+    <script src="../support/document-write-alert-fail.js"></script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html b/testing/web-platform/tests/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html
new file mode 100644
index 0000000000..bf45820ade
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>`strict-dynamic` policy should discard `unsafe-inline` policy.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script>
+      var t = async_test("Should fire a security policy violation for the inline block");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'strict-dynamic'">
+</head>
+
+<body>
+  <script>
+      assert_unreached('Inline script shouldn\'t be run because of the `strict-dynamic` source expression.');
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/META.yml b/testing/web-platform/tests/content-security-policy/embedded-enforcement/META.yml
new file mode 100644
index 0000000000..1cdc709f21
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/META.yml
@@ -0,0 +1 @@
+spec: https://w3c.github.io/webappsec-cspee/
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html
new file mode 100644
index 0000000000..b2abcbece0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Allow-CSP-From header.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Same origin iframes are always allowed.",
+        "origin": Host.SAME_ORIGIN,
+        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+        "allow_csp_from": "¢¥§",
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+      { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
+        "origin": Host.SAME_ORIGIN,
+        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+        "allow_csp_from": "",
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+      { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
+        "origin": Host.SAME_ORIGIN,
+        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+        "allow_csp_from": null,
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+      { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
+        "origin": Host.SAME_ORIGIN,
+        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+        "allow_csp_from": "http://example.com:888",
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+      { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "script-src 'unsafe-inline'",
+        "allow_csp_from": "",
+        "expected": IframeLoad.EXPECT_BLOCK,
+        "blockedURI": null},
+      { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "script-src 'unsafe-inline'",
+        "allow_csp_from": null,
+        "expected": IframeLoad.EXPECT_BLOCK,
+        "blockedURI": null},
+      { "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+        "allow_csp_from": getOrigin(),
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+      { "name": "Iframe with improper Allow-CSP-From header gets blocked.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "script-src 'unsafe-inline'",
+        "allow_csp_from": "* ¢¥§",
+        "expected": IframeLoad.EXPECT_BLOCK,
+        "blockedURI": null},
+      { "name": "Allow-CSP-From header with a star value allows cross origin frame.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "script-src 'unsafe-inline'",
+        "allow_csp_from": "*",
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+      { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "script-src 'nonce-123'",
+        "allow_csp_from": "*",
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": "inline"},
+      { "name": "Allow-CSP-From header enforces EmbeddingCSP.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "style-src 'none'; script-src 'nonce-123'",
+        "allow_csp_from": getOrigin(),
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": "inline"},
+      { "name": "'self' in blanket enforced EmbeddingCSP matches the target response origin.",
+        "origin": Host.CROSS_ORIGIN,
+        "csp": "img-src 'self'",
+        "allow_csp_from": "*",
+        "expected": IframeLoad.EXPECT_LOAD,
+        "blockedURI": null},
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        const url = generateUrlWithAllowCSPFrom(
+            test.origin, test.allow_csp_from);
+        assert_iframe_with_csp(t, url, test.csp, test.expected, test.name,
+                               test.blockedURI, /*checkImageLoaded=*/true);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
new file mode 100644
index 0000000000..0095fa3624
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Embedded Enforcement: blocked iframes are cross-origin.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+<script>
+
+let SecurityError = 18;
+
+promise_test(async () => {
+  let iframe = document.createElement("iframe");
+  let loaded = new Promise(r => iframe.onload = r);
+  iframe.csp = "script-src 'none'";
+  iframe.src = getCrossOrigin() +  "common/blank.html";
+  document.body.appendChild(iframe);
+  await loaded;
+  assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
+}, "Document blocked by embedded enforcement and its parent are cross-origin");
+
+promise_test(async () => {
+  // Create an iframe that would have been same-origin with the blocked iframe
+  // if it wasn't blocked.
+  let helper_frame = document.createElement("iframe");
+  let loaded_helper = new Promise(r => helper_frame.onload = r);
+  helper_frame.src = getCrossOrigin() +
+    "content-security-policy/embedded-enforcement/support/executor.html"
+  document.body.appendChild(helper_frame);
+  await loaded_helper;
+
+  let reply = new Promise(r => window.onmessage = r);
+  helper_frame.contentWindow.postMessage(`
+    let test = function() {
+      if (parent.frames.length != 2)
+        return "Error: Wrong number of iframes";
+
+      if (parent.frames[1] != window)
+        return "Error: Wrong frame index for the second iframe";
+
+      // Try to access frames[0] from frames[1]. This must fail.
+      try {
+        parent.frames[0].contentWindow;
+        return "Error: The error page appears same-origin";
+      } catch(dom_exception) {
+        return dom_exception.code;
+      }
+    };
+    parent.postMessage(test(), '*');
+  `, '*');
+
+  assert_equals((await reply).data, SecurityError);
+}, "Two same-origin iframes must appear as cross-origin when one is blocked");
+
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html
new file mode 100644
index 0000000000..64b5206177
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  let message_from = (w, starts_with) => {
+    return new Promise(resolve => {
+      window.addEventListener('message', msg => {
+        if (msg.source == w) {
+          if (!starts_with ||
+                  (msg.data.startsWith && msg.data.startsWith(starts_with)))
+            resolve(msg.data);
+        }
+      });
+    });
+  };
+
+  const img_url = window.origin + "/content-security-policy/support/pass.png";
+
+  const function_addImage_string = `
+    function addImage() {
+      let img = document.createElement('img');
+      img.onload = () => top.postMessage('img loaded', '*');
+      img.onerror = () => top.postMessage('img blocked', '*');
+      img.src = '${img_url}';
+      document.body.appendChild(img);
+    }
+  `;
+
+  const html_test_payload = `
+    <!doctype html>
+    <script>${function_addImage_string}</scr`+`ipt>
+    <body onpageshow="addImage();"></body>
+  `;
+  let blob_url = URL.createObjectURL(
+    new Blob([html_test_payload], { type: 'text/html' }));
+
+  // A local-scheme document is loaded in an iframe with CSPEE. Then the csp
+  // attribute is changed and the iframe is navigated away and back. Since the
+  // policies are reloaded from history, the fact that the csp attribute changed
+  // is irrelevant.
+  promise_test(async t => {
+    // Create an iframe.
+    let iframe = document.createElement('iframe');
+    iframe.csp = "img-src 'none'; style-src 'none'";
+    document.body.appendChild(iframe);
+
+    let message_1 = message_from(iframe.contentWindow, "img");
+    iframe.src = blob_url;
+    assert_equals(await message_1, "img blocked",
+                  "Img should be blocked by CSP enforced via CSPEE.");
+
+    iframe.csp = "style-src 'none'";
+    let message_2 = message_from(iframe.contentWindow, "img");
+    iframe.src = "../inheritance/support/message-top-and-navigate-back.html";
+    assert_equals(await message_2, "img blocked",
+                  "Img should be blocked by CSP reloaded from history.");
+
+    let message_3 = message_from(iframe.contentWindow, "img");
+    iframe.src = "about:blank";
+    iframe.src = blob_url;
+    assert_equals(await message_3, "img loaded",
+                  "Img should be allowed by CSP enforced by new csp attribute.");
+
+  }, "Iframe csp attribute changed before history navigation of local scheme.");
+
+  // A network-scheme document is loaded in an iframe with CSPEE. Then the csp
+  // attribute is changed and the iframe is navigated away and back. Since the
+  // policies are calculated again, the new csp attribute should be enforced
+  // after the history navigation.
+  promise_test(async t => {
+    // Create an iframe.
+    let iframe = document.createElement('iframe');
+    iframe.csp = "img-src 'none'; style-src 'none'";
+    document.body.appendChild(iframe);
+
+    let message_1 = message_from(iframe.contentWindow, "img");
+    iframe.src = "./support/embed-img-and-message-top.html";
+    assert_equals(await message_1, "img blocked",
+                  "Img should be blocked by CSP enforced via CSPEE.");
+
+    iframe.csp = "style-src 'none'";
+    let message_2 = message_from(iframe.contentWindow, "img");
+    iframe.src = "../inheritance/support/message-top-and-navigate-back.html";
+    assert_equals(await message_2, "img loaded",
+                  "Img should be allowed by CSP enforced by new csp attribute.");
+
+  }, "Iframe csp attribute changed before history navigation of network scheme.");
+
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/idlharness.window.js b/testing/web-platform/tests/content-security-policy/embedded-enforcement/idlharness.window.js
new file mode 100644
index 0000000000..2845f82c95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/idlharness.window.js
@@ -0,0 +1,16 @@
+// META: script=/resources/WebIDLParser.js
+// META: script=/resources/idlharness.js
+
+// https://w3c.github.io/webappsec-csp/embedded/
+
+'use strict';
+
+idl_test(
+  ['csp-embedded-enforcement'],
+  ['html', 'dom'],
+  idl_array => {
+    idl_array.add_objects({
+      HTMLIFrameElement: ['document.createElement("iframe")'],
+    });
+  }
+);
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html
new file mode 100644
index 0000000000..f23be1d0e9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+    <script>
+      test(t => {
+        var i = document.createElement('iframe');
+        assert_equals('', i.csp);
+        assert_true('csp' in i);
+        assert_equals('string', typeof i.csp);
+      }, "<iframe> has a 'csp' attibute which is an empty string if undefined.");
+
+      test(t => {
+        var i = document.createElement('iframe');
+        i.setAttribute('csp', 123456);
+        assert_equals('123456', i.csp);
+      }, "<iframe>'s csp attribute is always a string.");
+
+      test(t => {
+        var i = document.createElement('iframe');
+        i.csp = 'value';
+        assert_equals('value', i.getAttribute('csp'));
+      }, "<iframe>'s 'csp content attribute reflects the IDL attribute.");
+
+      test(t => {
+        var i = document.createElement('iframe');
+        i.setAttribute('csp', 'value');
+        assert_equals('value', i.csp);
+      }, "<iframe>'s IDL attribute reflects the DOM attribute.");
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html
new file mode 100644
index 0000000000..92fe2dd431
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Sec-Required-CSP header.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Test same policy for both iframes",
+        "csp1": "script-src 'unsafe-inline';",
+        "csp2": "script-src 'unsafe-inline';",
+        "expected1": "script-src 'unsafe-inline';",
+        "expected2": "script-src 'unsafe-inline';"},
+      { "name": "Test more restrictive policy on second iframe",
+        "csp1": "script-src 'unsafe-inline';",
+        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected1": "script-src 'unsafe-inline';",
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test less restrictive policy on second iframe",
+        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
+        "csp2": "script-src 'unsafe-inline';",
+        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test no policy on second iframe",
+        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
+        "csp2": "",
+        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test no policy on first iframe",
+        "csp1": "",
+        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected1": null,
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test invalid policy on first iframe (bad directive name)",
+        "csp1": "default-src http://example.com; i//nvalid-policy-name http://example.com",
+        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected1": null,
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test invalid policy on first iframe (report directive)",
+        "csp1": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
+        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected1": null,
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test invalid policy on second iframe (bad directive name)",
+        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
+        "csp2": "default-src http://example.com; i//nvalid-policy-name http://example.com",
+        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+      { "name": "Test invalid policy on second iframe (report directive)",
+        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
+        "csp2": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
+        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
+        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateURLStringWithSecondIframeParams(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP, test.csp2);
+        assert_required_csp(t, url, test.csp1, [test.expected1, test.expected2]);
+      }, "Test same origin: " + test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html
new file mode 100644
index 0000000000..414f9b73f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html
@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Embedded Enforcement: Sec-Required-CSP header.</title>
+  <!--
+    This test is creating and navigating several iframes. This can exceed the
+    "short" timeout". See https://crbug.com/1091896
+  -->
+  <meta name="timeout" content="long">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      // CRLF characters
+      { "name": "\\r\\n character after directive name",
+        "csp": "style-src\r\n'unsafe-inline'",
+        "expected": null },
+      { "name": "\\r\\n character in directive value",
+        "csp": "style-src 'unsafe-inline'\r\n'unsafe-eval'",
+        "expected": null },
+      { "name": "\\n character after directive name",
+        "csp": "style-src\n'unsafe-inline'",
+        "expected": null },
+      { "name": "\\n character in directive value",
+        "csp": "style-src 'unsafe-inline'\n'unsafe-eval'",
+        "expected": null },
+      { "name": "\\r character after directive name",
+        "csp": "style-src\r'unsafe-inline'",
+        "expected": null },
+      { "name": "\\r character in directive value",
+        "csp": "style-src 'unsafe-inline'\r'unsafe-eval'",
+        "expected": null },
+
+      // Attempt HTTP Header injection
+      { "name": "Attempt injecting after directive name using \\r\\n",
+        "csp": "style-src\r\nTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after directive name using \\r",
+        "csp": "style-src\rTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after directive name using \\n",
+        "csp": "style-src\nTest-Header-Injection: dummy",
+        "expected": null },
+
+      { "name": "Attempt injecting after directive value using \\r\\n",
+        "csp": "style-src example.com\r\nTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after directive value using \\r",
+        "csp": "style-src example.com\rTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after directive value using \\n",
+        "csp": "style-src example.com\nTest-Header-Injection: dummy",
+        "expected": null },
+
+      { "name": "Attempt injecting after semicolon using \\r\\n",
+        "csp": "style-src example.com;\r\nTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after semicolon using \\r",
+        "csp": "style-src example.com;\rTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after semicolon using \\n",
+        "csp": "style-src example.com;\nTest-Header-Injection: dummy",
+        "expected": null },
+
+      { "name": "Attempt injecting after space between name and value using \\r\\n",
+        "csp": "style-src \r\nTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after space between name and value using \\r",
+        "csp": "style-src \rTest-Header-Injection: dummy",
+        "expected": null },
+      { "name": "Attempt injecting after space between name and value using \\n",
+        "csp": "style-src \nTest-Header-Injection: dummy",
+        "expected": null },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
+        assert_required_csp(t, url, test.csp, [test.expected]);
+      }, "Test CRLF: " + test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/required_csp-header.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/required_csp-header.html
new file mode 100644
index 0000000000..e0a31db8e2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/required_csp-header.html
@@ -0,0 +1,119 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Embedded Enforcement: Sec-Required-CSP header.</title>
+  <!--
+    This test is creating and navigating >=70 iframes. This can exceed the
+    "short" timeout". See https://crbug.com/818324
+  -->
+  <meta name="timeout" content="long">
+
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.",
+        "csp": null,
+        "expected":  null },
+      { "name": "Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.",
+        "csp": "script-src 'unsafe-inline'",
+        "expected":  "script-src 'unsafe-inline'" },
+      { "name": "Send Sec-Required-CSP Header on change of `src` attribute on iframe.",
+        "csp": "script-src 'unsafe-inline'",
+        "expected":  "script-src 'unsafe-inline'" },
+      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp",
+        "csp": "completely wrong csp",
+        "expected": "completely wrong csp" },
+      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name",
+        "csp": "invalid-policy-name http://example.com",
+        "expected": "invalid-policy-name http://example.com" },
+      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives",
+        "csp": "media-src http://example.com; invalid-policy-name http://example.com",
+        "expected": "media-src http://example.com; invalid-policy-name http://example.com" },
+      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none'",
+        "csp": "media-src 'non'",
+        "expected": "media-src 'non'" },
+      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path",
+        "csp": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string",
+        "expected": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string" },
+      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon",
+        "csp": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *",
+        "expected": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *" },
+      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated",
+        "csp": "script-src 'unsafe-inline' 'self', object-src 'none'",
+        "expected": null },
+      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names",
+        // script-src 127.0.0.1:8000
+        "csp": "script-src 'unsafe-inline' &#x31;&#x32;&#x37;&#x2E;&#x30;&#x2E;&#x30;&#x2E;&#x31;&#x3A;&#x38;&#x30;&#x30;&#x30;",
+        "expected": null },
+      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name",
+        // script-src 127.0.0.1:8000
+        "csp": "media-src%20127.0.0.1%3A8000",
+        "expected": null },
+      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present",
+        "csp": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
+        "expected": null },
+      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present",
+        "csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php",
+        "expected": null },
+      { "name": "Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes",
+        "csp": "style-src " + Array.from(Array(2044).keys()).map(i => 'a').join(' '),
+        "expected":  null },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
+        assert_required_csp(t, url, test.csp, [test.expected]);
+      }, "Test same origin: " + test.name);
+
+      async_test(t => {
+        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
+        var redirect_url = generateRedirect(Host.SAME_ORIGIN, url);
+        assert_required_csp(t, redirect_url, test.csp, [test.expected]);
+      }, "Test same origin redirect: " + test.name);
+
+      async_test(t => {
+        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
+        var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url);
+        assert_required_csp(t, redirect_url, test.csp, [test.expected]);
+      }, "Test cross origin redirect: " + test.name);
+
+      async_test(t => {
+        var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP);
+        var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url);
+        assert_required_csp(t, redirect_url, test.csp, [test.expected]);
+      }, "Test cross origin redirect of cross origin iframe: " + test.name);
+
+      async_test(t => {
+        var i = document.createElement('iframe');
+        if (test.csp)
+          i.csp = test.csp;
+        i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
+        var loaded = false;
+
+        window.addEventListener('message', t.step_func(e => {
+          if (e.source != i.contentWindow || !('required_csp' in e.data))
+              return;
+          if (!loaded) {
+            assert_equals(e.data['required_csp'], test.expected);
+            loaded = true;
+            i.csp = "default-src 'unsafe-inline'";
+            i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP);
+          } else {
+            // Once iframe has loaded, check that on change of `src` attribute
+            // Required-CSP value is based on latest `csp` attribute value.
+            assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'");
+            t.done();
+          }
+        }));
+
+        document.body.appendChild(i);
+      }, "Test Required-CSP value on `csp` change: " + test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
new file mode 100644
index 0000000000..8df4945000
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Basic implementation.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    // Note that the returned csp should always allow execution of an
+    // inline script with nonce "abc" (as returned by
+    // support/echo-policy-multiple.py), otherwise the test might
+    // return false negatives.
+    var tests = [
+      { "name": "If there is no required csp, iframe should load.",
+        "required_csp": null,
+        "returned_csp": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Iframe with empty returned CSP should be blocked.",
+        "required_csp": "style-src 'none';",
+        "returned_csp": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe with matching CSP should load.",
+        "required_csp": "style-src 'none'; script-src 'unsafe-inline'",
+        "returned_csp": "style-src 'none'; script-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Iframe with more restricting CSP should load.",
+        "required_csp": "script-src 'nonce-abc' 'nonce-123'",
+        "returned_csp": "script-src 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Iframe with less restricting CSP should be blocked.",
+        "required_csp": "style-src 'none'; script-src 'none'",
+        "returned_csp": "style-src 'none'; script-src 'self' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe with a different CSP should be blocked.",
+        "required_csp": "script-src 'nonce-abc' 'nonce-123'",
+        "returned_csp": "style-src 'none'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe with a matching and more restrictive ports should load.",
+        "required_csp": "frame-src http://c.com:443 http://b.com",
+        "returned_csp": "frame-src http://b.com:80 http://c.com:443",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Host wildcard *.a.com does not match a.com",
+        "required_csp": "frame-src http://*.a.com",
+        "returned_csp": "frame-src http://a.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Host intersection with wildcards is computed correctly.",
+        "required_csp": "frame-sr 'none'",
+        "returned_csp": "frame-src http://a.com",
+        "returned_csp_2": "frame-src http://*.a.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Iframe should load even if the ports are different but are default for the protocols.",
+        "required_csp": "frame-src http://b.com:80",
+        "returned_csp": "child-src https://b.com:443",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Iframe should block if intersection allows sources which are not in required_csp.",
+        "required_csp": "style-src http://*.example.com:*",
+        "returned_csp": "style-src http://*.com:*",
+        "returned_csp_2": "style-src http://*.com http://*.example.com:*",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe should block if intersection allows sources which are not in required_csp (other ordering).",
+        "required_csp": "style-src http://*.example.com:*",
+        "returned_csp": "style-src http://*.com:*",
+        "returned_csp_2": "style-src http://*.example.com:* http://*.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe should load if intersection allows only sources which are in required_csp.",
+        "required_csp": "style-src http://*.example.com",
+        "returned_csp": "style-src http://*.example.com:*",
+        "returned_csp_2": "style-src http://*.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Removed plugin-types directive should be ignored.",
+        "required_csp": "plugin-types application/pdf",
+        "returned_csp": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Removed plugin-types directive should be ignored 2.",
+        "required_csp": "plugin-types application/pdf application/x-java-applet",
+        "returned_csp": "plugin-types application/pdf",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Removed plugin-types directive should be ignored 3.",
+        "required_csp": "style-src 'none'; plugin-types application/pdf",
+        "returned_csp": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html
new file mode 100644
index 0000000000..0d8b0bc8f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Hashes.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "'sha256-abc123' is properly subsumed.",
+        "required_csp": "style-src 'sha256-abc123'",
+        "returned_csp_1": "style-src 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned should not include hashes not present in required csp.",
+        "required_csp": "style-src http://example.com",
+        "returned_csp_1": "style-src 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "'sha256-abc123' is properly subsumed with other sources.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes' 'strict-dynamic' 'sha256-abc123'",
+        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Hashes do not have to be present in returned csp.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
+        "returned_csp_1": "style-src http://example1.com/foo/",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Hashes do not have to be present in returned csp but must not allow all inline behavior.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Other expressions have to be subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Other expressions have to be subsumed but 'unsafe-inline' gets ignored.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Effective policy is properly found.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'  'sha256-abc123'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-hashed-attributes' 'sha256-abc123'",
+        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required csp must allow 'sha256-abc123'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found where 'sha256-abc123' is not subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'",
+        "returned_csp_2": "style-src 'sha256-abc123' 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "'sha256-abc123' is not subsumed by 'sha256-abc456'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc456'",
+        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'",
+        "returned_csp_2": "style-src 'sha256-abc123' 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy now does not allow 'sha256-abc123'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc456'",
+        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123' 'sha256-abc456'",
+        "returned_csp_2": "style-src 'sha256-abc456' 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Effective policy is properly found where 'sha256-abc123' is not part of it.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'self'",
+        "returned_csp_2": "style-src 'sha256-abc123' 'self'",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html
new file mode 100644
index 0000000000..db3d443b83
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Host parts in host source expressions.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Host must match.",
+        "required_csp": "img-src http://c.com",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Hosts without wildcards must match.",
+        "required_csp": "img-src http://c.com:* http://inner.b.com",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "More specific subdomain should not match.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src http://inner.b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Specified host should not match a wildcard host.",
+        "required_csp": "img-src http://c.com:* http://inner.b.com",
+        "returned_csp": "img-src http://*.b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "A wildcard host should match a more specific host.",
+        "required_csp": "img-src http://c.com:* http://*.b.com",
+        "returned_csp": "img-src https://inner.b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html
new file mode 100644
index 0000000000..c40b572de0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Path parts in host source expressions.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Returned CSP must specify a path.",
+        "required_csp": "img-src http://c.com:* http://b.com/example.html",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Returned CSP has a more specific path.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src http://b.com/example.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Matching paths.",
+        "required_csp": "img-src http://c.com:* http://b.com/example.html",
+        "returned_csp": "img-src http://b.com/example.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Empty path is not subsumed by specified paths.",
+        "required_csp": "img-src http://b.com/page1.html http://b.com/page2.html http://b.com/page3.html",
+        "returned_csp": "img-src http://b.com/",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "All specific paths match except the order.",
+        "required_csp": "img-src http://b.com/page1.html http://b.com/page2.html http://b.com/page3.html",
+        "returned_csp": "img-src http://b.com/page2.html http://b.com/page3.html http://b.com/page1.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP allows only one path.",
+        "required_csp": "img-src http://b.com/page1.html http://b.com/page2.html http://b.com/page3.html",
+        "returned_csp": "img-src http://b.com/page2.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "`/` path should be subsumed by an empty path.",
+        "required_csp": "img-src http://b.com",
+        "returned_csp": "img-src http://b.com/",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Unspecified path should be subsumed by `/`.",
+        "required_csp": "img-src http://b.com/",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "That should not be true when required csp specifies a specific page.",
+        "required_csp": "img-src http://b.com/path.html",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html
new file mode 100644
index 0000000000..bf7ad94f6e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Port parts in host source expressions.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Specified ports must match.",
+        "required_csp": "img-src http://c.com:* http://b.com:80",
+        "returned_csp": "img-src http://b.com:36",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Returned CSP should be subsumed even if the port is not specified but is a default port for a scheme.",
+        "required_csp": "img-src http://c.com:* http://b.com:80",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP should be subsumed even if the port is not specified but is a default port for a more secure scheme.",
+        "required_csp": "img-src http://c.com:* http://b.com:80",
+        "returned_csp": "img-src https://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "The same should hold for `ws` case.",
+        "required_csp": "img-src http://c.com:* ws://b.com:80",
+        "returned_csp": "img-src wss://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Unspecified ports must match if schemes match.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src https://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP should be subsumed if the port is specified.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src http://b.com:80",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP should be subsumed if the port is specified but the scheme is more secure.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src https://b.com:443",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src https://b.com:36",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Returned CSP should be subsumed if the ports match but schemes are not identical.",
+        "required_csp": "img-src http://c.com:* http://b.com:36",
+        "returned_csp": "img-src https://b.com:36",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP should be subsumed if the ports match but schemes are not identical for `ws`.",
+        "required_csp": "img-src http://c.com:* ws://b.com:36",
+        "returned_csp": "img-src wss://b.com:36",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Wildcard port should match unspecified port.",
+        "required_csp": "img-src http://c.com:* ws://b.com:*",
+        "returned_csp": "img-src wss://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Wildcard port should match any specific port.",
+        "required_csp": "img-src http://c.com:* ws://b.com:*",
+        "returned_csp": "img-src wss://b.com:36",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Wildcard port should match a wildcard.",
+        "required_csp": "img-src http://c.com:* ws://b.com:*",
+        "returned_csp": "img-src wss://b.com:*",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Wildcard port should not be subsumed by a default port.",
+        "required_csp": "img-src http://c.com:* ws://b.com",
+        "returned_csp": "img-src ws://b.com:*",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Wildcard port should not be subsumed by a spcified port.",
+        "required_csp": "img-src http://c.com:* ws://b.com:80",
+        "returned_csp": "img-src ws://b.com:*",
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html
new file mode 100644
index 0000000000..9949b8cc1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Scheme parts in host source expressions.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "`https` is more restrictive than `http`.",
+        "required_csp": "img-src http://c.com:* https://b.com",
+        "returned_csp": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "The reverse allows iframe be to be loaded.",
+        "required_csp": "img-src http://c.com:* http://b.com",
+        "returned_csp": "img-src https://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Matching `https` protocols.",
+        "required_csp": "img-src http://c.com:* https://b.com",
+        "returned_csp": "img-src https://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "`http:` should subsume all host source expressions with this protocol.",
+        "required_csp": "img-src http:",
+        "returned_csp": "img-src http://c.com:* https://b.com http://c.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "`http:` should subsume all host source expressions with `https:`.",
+        "required_csp": "img-src http:",
+        "returned_csp": "img-src https://c.com:* https://b.com http://c.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "`http:` does not subsume other protocols.",
+        "required_csp": "img-src http:",
+        "returned_csp": "img-src https://c.com:* wss://b.com http://c.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "If scheme source is present in returned csp, it must be specified in required csp too.",
+        "required_csp": "img-src https://c.com:* wss://b.com http://c.com",
+        "returned_csp": "img-src http:",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "`http:` subsumes other `http:` source expression.",
+        "required_csp": "img-src http:",
+        "returned_csp": "img-src http: https://c.com:* https://b.com http://c.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "`http:` subsumes other `https:` source expression and expressions with `http:`.",
+        "required_csp": "img-src http:",
+        "returned_csp": "img-src https: https://c.com:* http://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "All scheme sources must be subsumed.",
+        "required_csp": "img-src http: wss:",
+        "returned_csp": "img-src https: ws:",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "All scheme sources are subsumed by their stronger variants.",
+        "required_csp": "img-src http: wss:",
+        "returned_csp": "img-src https: wss:",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html
new file mode 100644
index 0000000000..33551be57d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Nonces.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Exact nonce subsumes.",
+        "required_csp": "style-src 'nonce-abc'",
+        "returned_csp_1": "style-src 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Any nonce subsumes.",
+        "required_csp": "style-src 'nonce-abc'",
+        "returned_csp_1": "style-src 'nonce-xyz'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "A nonce has to be returned if required by the embedder.",
+        "required_csp": "style-src 'nonce-abc'",
+        "returned_csp_1": "style-src http://example1.com/foo",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Multiples nonces returned subsume.",
+        "required_csp": "style-src 'nonce-abc'",
+        "returned_csp_1": "style-src 'nonce-xyz' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      // nonce intersection
+      { "name": "Nonce intersection is still done on exact match - non-matching nonces.",
+        "required_csp": "style-src 'none'",
+        "returned_csp_1": "style-src 'nonce-def'",
+        "returned_csp_2": "style-src 'nonce-xyz'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Nonce intersection is still done on exact match - matching nonces.",
+        "required_csp": "style-src 'none'",
+        "returned_csp_1": "style-src 'nonce-def'",
+        "returned_csp_2": "style-src 'nonce-def' 'nonce-xyz'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      // other expressions still have to work
+      { "name": "Other expressions still have to be subsumed - positive test.",
+        "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'nonce-xyz'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Other expressions still have to be subsumed - negative test",
+        "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'",
+        "returned_csp_1": "style-src http://not-example1.com/foo/ 'nonce-xyz'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html
new file mode 100644
index 0000000000..0338e067b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html
@@ -0,0 +1,113 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - 'none' keyword.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "Empty required csp subsumes empty list of returned policies.",
+        "required_csp": "",
+        "returned_csp_1": "",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Empty required csp subsumes any list of policies.",
+        "required_csp": "",
+        "returned_csp_1": "img-src http://example.com",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Empty required csp subsumes a policy with `none`.",
+        "required_csp": "",
+        "returned_csp_1": "img-src 'none'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required policy that allows `none` does not subsume empty list of policies.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp with effective `none` does not subsume a host source expression.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "img-src http://example.com",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp with `none` does not subsume a host source expression.",
+        "required_csp": "img-src 'none'",
+        "returned_csp_1": "img-src http://example.com",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp with effective `none` does not subsume `none` of another directive.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "frame-src 'none'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp with `none` does not subsume `none` of another directive.",
+        "required_csp": "img-src 'none'",
+        "returned_csp_1": "frame-src 'none'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp with `none` does not subsume `none` of different directives.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "img-src http://*.one.com",
+        "returned_csp_2": "frame-src https://two.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp with `none` subsumes effective list of `none`.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "img-src http://*.one.com",
+        "returned_csp_2": "img-src https://two.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required csp with `none` subsumes effective list of `none` despite other keywords.",
+        "required_csp": "img-src 'none'",
+        "returned_csp_1": "img-src http://*.one.com",
+        "returned_csp_2": "img-src 'self'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Source list with exprssions other than `none` make `none` ineffective.",
+        "required_csp": "img-src http://example.com 'none'",
+        "returned_csp_1": "img-src http://example.com",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned csp with `none` is subsumed by any required csp.",
+        "required_csp": "img-src http://example.com",
+        "returned_csp_1": "img-src 'none'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned csp with effective `none` is subsumed by any required csp.",
+        "required_csp": "img-src http://example.com",
+        "returned_csp_1": "img-src http://example.com",
+        "returned_csp_2": "img-src http://non-example.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Both required and returned csp are `none`.",
+        "required_csp": "img-src 'none'",
+        "returned_csp_1": "img-src 'none'",
+        "returned_csp_2": "img-src http://non-example.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Both required and returned csp are `none` for only one directive.",
+        "required_csp": "default-src 'none'",
+        "returned_csp_1": "img-src 'none'",
+        "returned_csp_2": "script-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Both required and returned csp are empty.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "img-src ",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Both required and returned csp are effectively 'none'.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "img-src http://a.com",
+        "returned_csp_2": "img-src http://b.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html
new file mode 100644
index 0000000000..bac21cefe8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - 'self' keyword.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "'self' keywords should match.",
+        "required_csp": "img-src 'self' http://b.com:*",
+        "returned_csp": "img-src 'self' http://b.com:*",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP does not have to specify 'self'.",
+        "required_csp": "img-src 'self' http://b.com:*",
+        "returned_csp": "img-src http://b.com:*",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned CSP must not allow 'self' if required CSP does not.",
+        "required_csp": "img-src http://b.com:*",
+        "returned_csp": "img-src 'self' http://b.com:*",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Returned 'self' should match to an origin's url.",
+        "required_csp": "img-src 'self' http://b.com:*",
+        "returned_csp": "img-src " + getCrossOrigin(),
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required 'self' should match to a origin's url.",
+        "required_csp": "img-src " +  getCrossOrigin() + " http://b.com:*",
+        "returned_csp": "img-src 'self'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required 'self' should subsume a more secure version of origin's url.",
+        "required_csp": "img-src 'self' http://b.com:*",
+        "returned_csp": "img-src " + getSecureCrossOrigin(),
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned 'self' should not be subsumed by a more secure version of origin's url.",
+        "required_csp": "img-src " + getSecureCrossOrigin() + " http://b.com:*",
+        "returned_csp": "img-src 'self'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html
new file mode 100644
index 0000000000..a2baef1d42
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html
@@ -0,0 +1,125 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - Wildcard lists.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name" : "Wildcard list subsumes an empty source list.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src ",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list subsumes a source list with `none`.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src 'none'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list subsumes another wildcard list.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src *",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list subsumes a list of policies with wildcards in source lists.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src *",
+        "returned_csp_2": "img-src *",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list is equivalent to a specific list of scheme expressions and their secure variants.",
+        "required_csp": "https: http: ftp: ws: wss:",
+        "returned_csp_1": "img-src *",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list is equivalent to a specific list of scheme expressions.",
+        "required_csp": "img-src http: ftp: ws:",
+        "returned_csp_1": "img-src *",
+        "returned_csp_2": "img-src https: http: ftp: ws: wss:",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list subsumption logic should not affect other keyword expressions.",
+        "required_csp": "img-src http: ftp: ws: 'self'",
+        "returned_csp_1": "img-src *",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard list might include other scheme source expressions.",
+        "required_csp": "img-src data: blob: *",
+        "returned_csp_1": "img-src data://a.com ws://b.com ftp://c.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Effective wildcard list should be properly found.",
+        "required_csp": "img-src http://a.com ws://b.com ftp://c.com",
+        "returned_csp_1": "img-src *",
+        "returned_csp_2": "img-src http://a.com ws://b.com ftp://c.com",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name" : "Wildcard does not subsume empty list.",
+        "required_csp": "img-src *",
+        "returned_csp_1": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Empty source list does not subsume a wildcard source list.",
+        "required_csp": "img-src ",
+        "returned_csp_1": "img-src *",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "'none' does not subsume a wildcard source list.",
+        "required_csp": "img-src 'none'",
+        "returned_csp_1": "img-src *",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard source list does not subsume `data:` scheme source expression.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src data:",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard source list does not subsume `blob:` scheme source expression.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src blob:",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Source expressions do not subsume effective nonce expressions.",
+        "required_csp": "script-src http: ftp: ws:",
+        "returned_csp_1": "script-src * 'nonce-abc'",
+        "returned_csp_2": "script-src https: 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard source list is not subsumed by a host expression.",
+        "required_csp": "img-src https://another.test",
+        "returned_csp_1": "img-src *",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard list with keywords is not subsumed by a wildcard list.",
+        "required_csp": "style-src *",
+        "returned_csp_1": "style-src * 'unsafe-eval'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard list with 'unsafe-hashes' is not subsumed by a wildcard list.",
+        "required_csp": "style-src *",
+        "returned_csp_1": "style-src * 'unsafe-hashes'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard list with 'unsafe-inline' is not subsumed by a wildcard list.",
+        "required_csp": "style-src *",
+        "returned_csp_1": "style-src * 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard list with 'unsafe-eval' is not subsumed by a wildcard list.",
+        "required_csp": "img-src 'unsafe-eval'",
+        "returned_csp_1": "img-src * 'unsafe-eval'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "Wildcard list with 'unsafe-eval' is not subsumed by list with a single expression.",
+        "required_csp": "img-src 'unsafe-hashed-attributes'",
+        "returned_csp_1": "img-src * 'unsafe-hashed-attributes'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "The same as above but for 'unsafe-inline'.",
+        "required_csp": "img-src 'unsafe-inline'",
+        "returned_csp_1": "img-src * 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "`data:` is not subsumed by a wildcard list.",
+        "required_csp": "img-src *",
+        "returned_csp_1": "img-src data: blob:",
+        "returned_csp_2": "img-src data://a.com ws://b.com ftp://c.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name" : "`blob:` is not subsumed by a wildcard list.",
+        "required_csp": "img-src * data:",
+        "returned_csp_1": "img-src data: blob:",
+        "returned_csp_2": "img-src blob://a.com ws://b.com ftp://c.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html
new file mode 100644
index 0000000000..1c35d29b71
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - 'strict-dynamic' keyword.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      // Note that the returned csp should always allow execution of an
+      // inline script with nonce "abc" (as returned by
+      // support/echo-policy-multiple.py), otherwise the test might
+      // return false negatives.
+      { "name": "'strict-dynamic' is ineffective for `style-src`.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'strict-dynamic' http://example1.com/foo/bar.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' is ineffective for `img-src`.",
+        "required_csp": "img-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "img-src 'strict-dynamic' http://example1.com/foo/bar.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' is ineffective for `frame-src`.",
+        "required_csp": "frame-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "frame-src 'strict-dynamic' http://example1.com/foo/bar.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' is ineffective for `child-src`.",
+        "required_csp": "child-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "child-src 'strict-dynamic' http://example1.com/foo/bar.html",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' is effective only for `script-src`.",
+        "required_csp": "script-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "'strict-dynamic' is properly handled for finding effective policy.",
+        "required_csp": "script-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'",
+        "returned_csp_2": "script-src 'strict-dynamic' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "'strict-dynamic' makes host source expressions ineffective.",
+        "required_csp": "script-src 'strict-dynamic' 'nonce-abc'",
+        "returned_csp_1": "script-src http://example.com 'strict-dynamic' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' makes scheme source expressions ineffective.",
+        "required_csp": "script-src 'strict-dynamic' 'nonce-abc'",
+        "returned_csp_1": "script-src http: 'strict-dynamic' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' makes 'self' ineffective.",
+        "required_csp": "script-src 'strict-dynamic' 'nonce-abc'",
+        "returned_csp_1": "script-src 'self' 'strict-dynamic' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' makes 'unsafe-inline' ineffective.",
+        "required_csp": "script-src 'strict-dynamic' 'nonce-abc'",
+        "returned_csp_1": "script-src 'unsafe-inline' 'strict-dynamic' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'strict-dynamic' has to be allowed by required csp if it is present in returned csp.",
+        "required_csp": "script-src 'nonce-abc'",
+        "returned_csp_1": "script-src 'strict-dynamic' 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html
new file mode 100644
index 0000000000..f39fbd77c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-eval' keyword.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "'unsafe-eval' is properly subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes' 'strict-dynamic' 'unsafe-eval'",
+        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-eval'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "No other keyword has the same effect as 'unsafe-eval'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Other expressions have to be subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-eval'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-hashed-attributes' 'unsafe-eval'",
+        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required csp must allow 'unsafe-eval'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-eval'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found where 'unsafe-eval' is not subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'unsafe-eval'",
+        "returned_csp_2": "style-src 'unsafe-eval' 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found where 'unsafe-eval' is not part of it.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'self'",
+        "returned_csp_2": "style-src 'unsafe-eval' 'self'",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html
new file mode 100644
index 0000000000..2d5fa1574a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-hashes' keyword.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "'unsafe-hashes' is properly subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-hashes'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "No other keyword has the same effect as 'unsafe-hashes'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Other expressions have to be subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashes'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashes'",
+        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required csp must allow 'unsafe-hashes'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-hashes'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found where 'unsafe-hashes' is not subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-eval' 'unsafe-hashes'",
+        "returned_csp_2": "style-src 'unsafe-hashes' 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective policy is properly found where 'unsafe-hashes' is not part of it.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-eval' 'self'",
+        "returned_csp_2": "style-src 'unsafe-hashes' 'self'",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
new file mode 100644
index 0000000000..4b839209c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-inline' keyword.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      { "name": "'strict-dynamic' is ineffective for `style-src`.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'",
+        "returned_csp_1": "style-src 'unsafe-inline' http://example1.com/foo/bar.html",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' is properly subsumed in `style-src`.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' is only ineffective if the effective returned csp has nonces in `style-src`.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "style-src 'unsafe-inline' 'nonce-yay'",
+        "returned_csp_2": "style-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' is only ineffective if the effective returned csp has hashes in `style-src`.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'",
+        "returned_csp_2": "style-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned csp does not have to allow 'unsafe-inline' in `style-src` to be subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "style-src 'self'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' does not matter if returned csp is effectively `none`.",
+        "required_csp": "style-src 'unsafe-inline'",
+        "returned_csp_1": "style-src ",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' is properly subsumed in `script-src`.",
+        "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "script-src http://example1.com/foo/ 'unsafe-inline'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'.",
+        "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "script-src 'nonce-abc'",
+        "returned_csp_2": "script-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' is ineffective when nonces are present.",
+        "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "script-src 'unsafe-inline' 'nonce-abc'",
+        "returned_csp_2": "script-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`.",
+        "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "script-src 'unsafe-inline' 'sha256-abc123' 'nonce-abc'",
+        "returned_csp_2": "script-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Required csp allows `strict-dynamic`, but retuned csp does.",
+        "required_csp": "script-src http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'",
+        "returned_csp_1": "script-src 'unsafe-inline' http://example1.com/foo/bar.html",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Required csp does not allow `unsafe-inline`, but retuned csp does.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-inline'",
+        "returned_csp_2": null,
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Returned csp allows a nonce.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'",
+        "returned_csp_2": "style-src 'nonce-abc'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Returned csp allows a hash.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
+        "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'",
+        "returned_csp_2": "style-src 'sha256-abc123'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective returned csp allows 'unsafe-inline'",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-inline' https://example.test/",
+        "returned_csp_2": "style-src 'unsafe-inline'",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Effective returned csp does not allow 'sha512-321cba' hash.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'nonce-yay'",
+        "returned_csp_2": "style-src http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'",
+        "expected": IframeLoad.EXPECT_LOAD },
+    ];
+    tests.forEach(test => {
+      async_test(t =>  {
+        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
+        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
+      }, test.name);
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py
new file mode 100644
index 0000000000..3a91437967
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py
@@ -0,0 +1,43 @@
+import json
+def main(request, response):
+    headers = [(b"Content-Type", b"text/html")]
+    if b"allow_csp_from" in request.GET:
+        headers.append((b"Allow-CSP-From", request.GET[b"allow_csp_from"]))
+    message = request.GET[b"id"]
+    return headers, b'''
+<!DOCTYPE html>
+<html>
+<head>
+    <title>This page enforces embedder's policies</title>
+    <script nonce="123">
+        document.addEventListener("securitypolicyviolation", function(e) {
+            var response = {};
+            response["id"] = "%s";
+            response["securitypolicyviolation"] = true;
+            response["blockedURI"] = e.blockedURI;
+            response["lineNumber"] = e.lineNumber;
+            window.top.postMessage(response, '*');
+        });
+    </script>
+</head>
+<body>
+    <script nonce="123">
+        let img = document.createElement('img');
+        img.src = "../../support/pass.png";
+        img.onload = function() { window.top.postMessage("img loaded", '*'); }
+        document.body.appendChild(img);
+    </script>
+    <style>
+        body {
+            background-color: maroon;
+        }
+    </style>
+    <script nonce="abc">
+        var response = {};
+        response["id"] = "%s";
+        response["loaded"] = true;
+        window.top.postMessage(response, '*');
+    </script>
+</body>
+</html>
+''' % (message, message)
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py
new file mode 100644
index 0000000000..b91bf0d5ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py
@@ -0,0 +1,25 @@
+def main(request, response):
+    headers = [(b"Content-Type", b"text/html")]
+    if b"policy" in request.GET:
+        headers.append((b"Content-Security-Policy", request.GET[b"policy"]))
+    if b"policy2" in request.GET:
+        headers.append((b"Content-Security-Policy", request.GET[b"policy2"]))
+    if b"policy3" in request.GET:
+        headers.append((b"Content-Security-Policy", request.GET[b"policy3"]))
+    message = request.GET[b"id"]
+    return headers, b'''
+<!DOCTYPE html>
+<html>
+<head>
+    <title>This page sets given CSP upon itself.</title>
+</head>
+<body>
+    <script nonce="abc">
+        var response = {};
+        response["id"] = "%s";
+        response["loaded"] = true;
+        window.top.postMessage(response, '*');
+    </script>
+</body>
+</html>
+''' % (message)
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py
new file mode 100644
index 0000000000..b704dfe92f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py
@@ -0,0 +1,47 @@
+import json
+
+from wptserve.utils import isomorphic_decode
+
+def main(request, response):
+    message = {}
+
+    header = request.headers.get(b"Test-Header-Injection");
+    message[u'test_header_injection'] = isomorphic_decode(header) if header else None
+
+    header = request.headers.get(b"Sec-Required-CSP");
+    message[u'required_csp'] = isomorphic_decode(header) if header else None
+
+    second_level_iframe_code = u""
+    if b"include_second_level_iframe" in request.GET:
+       if b"second_level_iframe_csp" in request.GET and request.GET[b"second_level_iframe_csp"] != b"":
+         second_level_iframe_code = u'''<script>
+            var i2 = document.createElement('iframe');
+            i2.src = 'echo-required-csp.py';
+            i2.csp = "{0}";
+            document.body.appendChild(i2);
+            </script>'''.format(isomorphic_decode(request.GET[b"second_level_iframe_csp"]))
+       else:
+         second_level_iframe_code = u'''<script>
+            var i2 = document.createElement('iframe');
+            i2.src = 'echo-required-csp.py';
+            document.body.appendChild(i2);
+            </script>'''
+
+    return [(b"Content-Type", b"text/html"), (b"Allow-CSP-From", b"*")], u'''
+<!DOCTYPE html>
+<html>
+<head>
+    <!--{2}-->
+    <script>
+      window.addEventListener('message', function(e) {{
+        window.parent.postMessage(e.data, '*');
+      }});
+
+      window.parent.postMessage({0}, '*');
+    </script>
+</head>
+<body>
+{1}
+</body>
+</html>
+'''.format(json.dumps(message), second_level_iframe_code, str(request.headers))
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html
new file mode 100644
index 0000000000..ab0e22d82f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <script>
+    function addImage() {
+      let img = document.createElement('img');
+      img.onload = () => top.postMessage('img loaded', '*');
+      img.onerror = () => top.postMessage('img blocked', '*');
+      img.src = '/content-security-policy/support/pass.png';
+      document.body.appendChild(img);
+    }
+  </script>
+  <body onpageshow="addImage();">
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/executor.html b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/executor.html
new file mode 100644
index 0000000000..dc277a6ef0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/executor.html
@@ -0,0 +1,3 @@
+<script>
+  window.onmessage = event => eval(event.data);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js
new file mode 100644
index 0000000000..7d2307ebbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js
@@ -0,0 +1,170 @@
+const Host = {
+  SAME_ORIGIN: "same-origin",
+  CROSS_ORIGIN: "cross-origin",
+};
+
+const PolicyHeader = {
+  CSP: "echo-policy.py?policy=",
+  CSP_MULTIPLE: "echo-policy-multiple.py",
+  REQUIRED_CSP: "echo-required-csp.py",
+  ALLOW_CSP_FROM: "echo-allow-csp-from.py",
+};
+
+const IframeLoad = {
+  EXPECT_BLOCK: true,
+  EXPECT_LOAD: false,
+};
+
+function getOrigin() {
+  var url = new URL("http://{{host}}:{{ports[http][0]}}/");
+  return url.origin;
+}
+
+function getCrossOrigin() {
+  var url = new URL("http://{{domains[天気の良い日]}}:{{ports[http][0]}}/");
+  return url.toString();
+}
+
+function getSecureCrossOrigin() {
+  // Since wptserve spins up servers on non-default port, 'self' matches
+  // http://[host]:[specified-port] and https://[host]:[specified-port], but not
+  // https://[host]:[https-port]. So, we use the http port for this https origin
+  // in order to verify that a secure variant of a non-secure URL matches 'self'.
+  var url = new URL("https://{{domains[天気の良い日]}}:{{ports[http][0]}}");
+  return url.toString();
+}
+
+function generateURL(host, path, include_second_level_iframe, second_level_iframe_csp) {
+  var url = new URL("http://{{host}}:{{ports[http][0]}}/content-security-policy/embedded-enforcement/support/");
+  url.hostname = host == Host.SAME_ORIGIN ? "{{host}}" : "{{domains[天気の良い日]}}";
+  url.pathname += path;
+  if (include_second_level_iframe) {
+    url.searchParams.append("include_second_level_iframe", "");
+    if (second_level_iframe_csp)
+      url.searchParams.append("second_level_iframe_csp", second_level_iframe_csp);
+  }
+
+  return url;
+}
+
+function generateURLString(host, path) {
+  return generateURL(host, path, false, "").toString();
+}
+
+function generateURLStringWithSecondIframeParams(host, path, second_level_iframe_csp) {
+  return generateURL(host, path, true, second_level_iframe_csp).toString();
+}
+
+function generateRedirect(host, target) {
+  var url = new URL("http://{{host}}:{{ports[http][0]}}/common/redirect.py?location=" +
+   encodeURIComponent(target));
+  url.hostname = host == Host.SAME_ORIGIN ? "{{host}}" : "{{domains[天気の良い日]}}";
+
+  return url.toString();
+}
+
+function generateUrlWithPolicies(host, policy) {
+  var url = generateURL(host, PolicyHeader.CSP_MULTIPLE);
+  if (policy != null)
+    url.searchParams.append("policy", policy);
+  return url;
+}
+
+function generateUrlWithAllowCSPFrom(host, allowCspFrom) {
+  var url = generateURL(host, PolicyHeader.ALLOW_CSP_FROM);
+  if (allowCspFrom != null)
+    url.searchParams.append("allow_csp_from", allowCspFrom);
+  return url;
+}
+
+function assert_required_csp(t, url, csp, expected) {
+  var i = document.createElement('iframe');
+  if(csp)
+    i.csp = csp;
+  i.src = url;
+
+  window.addEventListener('message', t.step_func(e => {
+    if (e.source != i.contentWindow || !('required_csp' in e.data))
+      return;
+
+    if (expected.indexOf(e.data['required_csp']) == -1)
+      assert_unreached('Child iframes have unexpected csp:"' + e.data['required_csp'] + '"');
+
+    expected.splice(expected.indexOf(e.data['required_csp']), 1);
+
+    if (e.data['test_header_injection'] != null)
+      assert_unreached('HTTP header injection was successful');
+
+    if (expected.length == 0)
+      t.done();
+  }));
+
+  document.body.appendChild(i);
+}
+
+function assert_iframe_with_csp(t, url, csp, shouldBlock, urlId, blockedURI,
+                                checkImageLoaded) {
+  const i = document.createElement('iframe');
+  url.searchParams.append("id", urlId);
+  i.src = url.toString();
+  if (csp != null)
+    i.csp = csp;
+
+  var loaded = {};
+  var onLoadReceived = {};
+  window.addEventListener("message", function (e) {
+    if (e.source != i.contentWindow)
+        return;
+    if (e.data["loaded"])
+        loaded[e.data["id"]] = true;
+  });
+
+  if (shouldBlock) {
+    // Assert iframe does not load and is inaccessible.
+    window.onmessage = t.step_func(function(e) {
+      if (e.source != i.contentWindow)
+          return;
+      assert_unreached('No message should be sent from the frame.');
+    });
+    i.onload = t.step_func(function () {
+      // Delay the check until after the postMessage has a chance to execute.
+      setTimeout(t.step_func_done(function () {
+        assert_equals(loaded[urlId], undefined);
+      }), 500);
+      assert_throws_dom("SecurityError", () => {
+        var x = i.contentWindow.location.href;
+      });
+    });
+  } else if (blockedURI) {
+    // Assert iframe loads with an expected violation.
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != i.contentWindow)
+        return;
+      if (!e.data.securitypolicyviolation)
+        return;
+      assert_equals(e.data["blockedURI"], blockedURI);
+      t.done();
+    }));
+  } else {
+    // Assert iframe loads.  Wait for the load event, the postMessage from the
+    // script and the img load event.
+    let img_loaded = !checkImageLoaded;
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != i.contentWindow)
+        return;
+      if (e.data === "img loaded")
+        img_loaded = true;
+
+      if (loaded[urlId] && onLoadReceived[urlId] && img_loaded) {
+        t.done();
+      }
+    }));
+    i.onload = t.step_func(function () {
+      onLoadReceived[urlId] = true;
+      if (loaded[urlId] && onLoadReceived[urlId] && img_loaded) {
+        t.done();
+      }
+    });
+  }
+  document.body.appendChild(i);
+}
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-match-allowed.sub.html b/testing/web-platform/tests/content-security-policy/font-src/font-match-allowed.sub.html
new file mode 100644
index 0000000000..ebba1e0096
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-match-allowed.sub.html
@@ -0,0 +1,23 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src {{domains[www1]}}:{{ports[http][0]}}">
+<head>
+  <title>Test font loads if it matches font-src.</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <div id="log"/>
+  <script>
+    async_test(function(t) {
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Loading allowed fonts should not trigger a violation."));
+      var link = document.createElement('link');
+      link.rel="preload";
+      link.as="font";
+      link.href="http://{{domains[www1]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-match-allowed";
+      link.onload = t.step_func_done();
+      link.onerror = t.unreached_func("Should have loaded the font.");
+      document.getElementsByTagName('head')[0].appendChild(link);
+    }, "Test font loads if it matches font-src.");
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-mismatch-blocked.sub.html b/testing/web-platform/tests/content-security-policy/font-src/font-mismatch-blocked.sub.html
new file mode 100644
index 0000000000..b164cf0f17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-mismatch-blocked.sub.html
@@ -0,0 +1,22 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src {{domains[www1]}}:{{ports[http][0]}}">
+<head>
+  <title>Test font does not load if it does not match font-src.</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <div id="log"/>
+  <script>
+    async_test(function(t) {
+      var link = document.createElement('link');
+      link.rel="preload";
+      link.as="font";
+      link.href="http://{{domains[www2]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-mismatch-blocked";
+      link.onload = t.unreached_func("Should not have loaded the font.");
+      link.onerror = t.step_func_done();
+      document.getElementsByTagName('head')[0].appendChild(link);
+    }, "Test font does not load if it does not match font-src.");
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-none-blocked.sub.html b/testing/web-platform/tests/content-security-policy/font-src/font-none-blocked.sub.html
new file mode 100644
index 0000000000..eae1b4986d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-none-blocked.sub.html
@@ -0,0 +1,22 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src 'none'">
+<head>
+  <title>Test font does not load if it does not match font-src.</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <div id="log"/>
+  <script>
+    async_test(function(t) {
+      var link = document.createElement('link');
+      link.rel="preload";
+      link.as="font";
+      link.href="http://{{domains[www]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-none-blocked";
+      link.onload = t.unreached_func("Should not have loaded the font.");
+      link.onerror = t.step_func_done();
+      document.getElementsByTagName('head')[0].appendChild(link);
+    }, "Test font does not load if it does not match font-src.");
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-self-allowed.html b/testing/web-platform/tests/content-security-policy/font-src/font-self-allowed.html
new file mode 100644
index 0000000000..b8d46e5c98
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-self-allowed.html
@@ -0,0 +1,23 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src 'self'">
+<head>
+  <title>Test font loads if it matches font-src.</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <div id="log"/>
+  <script>
+    async_test(function(t) {
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Loading allowed fonts should not trigger a violation."));
+      var link = document.createElement('link');
+      link.rel="preload";
+      link.as="font";
+      link.href="/fonts/Ahem.ttf?font-self-allowed";
+      link.onload = t.step_func_done();
+      link.onerror = t.unreached_func("Should have loaded the font.");
+      document.getElementsByTagName('head')[0].appendChild(link);
+    }, "Test font loads if it matches font-src.");
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html b/testing/web-platform/tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html
new file mode 100644
index 0000000000..3b47d0b2e2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html
@@ -0,0 +1,25 @@
+<!doctype html>
+<meta charset=utf-8>
+<meta http-equiv="Content-Security-Policy" content="font-src 'none'">
+<head>
+  <title>Test font does not load if it does not match font-src.</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <div id="log"/>
+  <script>
+    async_test(function(t) {
+      var link = document.createElement('link');
+      link.rel="stylesheet";
+      link.type="text/css";
+      link.href="/content-security-policy/support/fonts.css";
+      // The stylesheet should stil load, even though the font contained does not
+      link.onerror = t.unreached_func("Should have loaded the stylesheet.");
+      document.addEventListener("securitypolicyviolation", t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "font-src");
+      }));
+      document.getElementsByTagName('head')[0].appendChild(link);
+    }, "Test font does not load if it does not match font-src.");
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html
new file mode 100644
index 0000000000..bc81a63b62
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+</head>
+
+<body>
+  <form action='/content-security-policy/support/postmessage-pass-to-opener.html'
+        id='form_id'
+        target="_blank"
+        rel="opener">
+  </form>
+
+  <p>
+    Test that "form-action 'self'" works correctly when the form uses
+    target="_blank". If this test passes, a new window must open after pressing
+    "submit".
+  </p>
+</body>
+
+<script>
+  async_test(t => {
+    document.addEventListener('securitypolicyviolation', function(e) {
+      t.unreached_func("Form submission was blocked.");
+    });
+
+    window.addEventListener('message', function(event) {
+      t.done();
+    })
+
+    window.addEventListener("load", function() {
+      document.getElementById("form_id").submit();
+    });
+  }, "The form submission should not be blocked by the iframe's CSP.");
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html
new file mode 100644
index 0000000000..8727a82119
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-redirect-allowed-target-blank</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting _blank allowed after a redirect");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          event.source.close();
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      form.action =
+        "/content-security-policy/form-action/support/post-message-to-opener.sub.html";
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="GET" target="_blank" rel="opener">
+    <input type="hidden" name="message" value="DocumentNotBlocked">
+    <input type="submit" id="submit">
+  </form>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html
new file mode 100644
index 0000000000..81921d395e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-allowed-target-frame</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting a frame allowed");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      form.action =
+        "/content-security-policy/form-action/support/post-message-to-parent.sub.html";
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="GET" target="frame">
+    <input type="hidden" name="message" value="DocumentNotBlocked">
+    <input type="submit" id="submit">
+  </form>
+  <iframe name="frame"></iframe>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed.sub.html
new file mode 100644
index 0000000000..418d6f51b0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>form-action-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-pass.html" id="theform" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that allowed form actions work correctly.</p>
+    <div id="log"></div>
+    </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-blocked.sub.html
new file mode 100644
index 0000000000..a113d9a264
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>form-action-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('violated-directive=' + e.violatedDirective);
+        });
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+            }, 0);
+        });
+        setTimeout(function() {log("TEST COMPLETE");}, 1);
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+    <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-fail.html" id="theform" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that blocking form actions works correctly.</p>
+    <div id="log"></div>
+
+    </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html
new file mode 100644
index 0000000000..58db5bf735
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self';">
+    <title>form-action-src-default-ignored</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-pass.html" id="theform" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that default-src does not cascade to form-action.</p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html
new file mode 100644
index 0000000000..1dd7fbcd41
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>form-action-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/content-security-policy/support/postmessage-pass.html" id="theform" method="get" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that allowed form actions work correctly
+        with GET and a redirect.</p>
+    <div id="log"></div>
+    </body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html
new file mode 100644
index 0000000000..638badc73a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>form-action-src-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('violated-directive=' + e.violatedDirective);
+        });
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-fail.html" id="theform" method="get" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that disallowed form actions are blocked
+        with GET and redirects.</p>
+    <div id="log"></div>
+"></script>
+    </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html
new file mode 100644
index 0000000000..6997ef6e86
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+    <title>form-action-src-javascript-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script nonce='noncynonce'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('violated-directive=' + e.violatedDirective);
+        });
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+    </script>
+</head>
+
+<body>
+    <form action="javascript:log(&quot;FAIL!&quot;)" id="theform" method="post">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-prevented.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-prevented.html
new file mode 100644
index 0000000000..feae47ee79
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-prevented.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+</head>
+
+<body>
+  <form action='/content-security-policy/support/postmessage-pass-to-opener.html'
+        id='form_id'
+        target="_blank">
+        <input type="submit" />
+  </form>
+
+  <p>
+    Test that "form-action 'none'" doesn't create a violation report if the event was prevented.
+  </p>
+</body>
+
+<script nonce='noncynonce'>
+  async_test(t => {
+    document.addEventListener('securitypolicyviolation', function(e) {
+      assert_unreached('Form submission was blocked.');
+    });
+
+    window.addEventListener('message', function(event) {
+      assert_unreached('Form submission was blocked.');
+    })
+
+    window.addEventListener("load", function() {
+      let form = document.getElementById("form_id");
+      form.addEventListener("submit", e => {
+        e.preventDefault();
+        setTimeout(() => {
+          t.done();
+        }, 0);
+      });
+      // clicking the input is used here as form.submit() will submit a form without an event and should also be blocked.
+      form.querySelector("input").click();
+    });
+  }, "The form submission should not be blocked by when javascript prevents the load.");
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html
new file mode 100644
index 0000000000..e1f23db73c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-redirect-allowed-target-blank</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting _blank allowed after a redirect");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          event.source.close();
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      let final_url = "/content-security-policy/form-action/support/post-message-to-opener.sub.html?message=DocumentNotBlocked";
+      let redirect_url = "/common/redirect.py?location=";
+      form.action = redirect_url + encodeURIComponent(final_url);
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="POST" target="_blank" rel="opener">
+    <input type="submit" id="submit">
+  </form>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html
new file mode 100644
index 0000000000..6afd4459b0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-redirect-allowed-target-frame</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting a frame allowed after a redirect");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      let final_url = "/content-security-policy/form-action/support/post-message-to-parent.sub.html?message=DocumentNotBlocked";
+      let redirect_url = "/common/redirect.py?location=";
+      form.action = redirect_url + encodeURIComponent(final_url);
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="POST" target="frame">
+    <input type="submit" id="submit">
+  </form>
+  <iframe name="frame"></iframe>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html
new file mode 100644
index 0000000000..ac25e03d5c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>form-action-src-redirect-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","blocked-uri=http://{{hosts[][]}}:{{ports[http][0]}}/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html","TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('violated-directive=' + e.violatedDirective);
+            log('blocked-uri=' + e.blockedURI);
+        });
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
+        });
+        setTimeout(function() {}, 1000);
+
+    </script>
+</head>
+
+<body>
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form id="form1" action="/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" method="post" target="test_target">
+        <input type="text" name="fieldname" value="fieldvalue">
+        <input type="submit" id="submit" value="submit">
+    </form>
+    <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-opener.sub.html b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-opener.sub.html
new file mode 100644
index 0000000000..0348139057
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-opener.sub.html
@@ -0,0 +1,3 @@
+<script>
+  opener.postMessage("{{GET[message]}}", "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-parent.sub.html b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-parent.sub.html
new file mode 100644
index 0000000000..63e464be21
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-parent.sub.html
@@ -0,0 +1,3 @@
+<script>
+  parent.postMessage("{{GET[message]}}", "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html
new file mode 100644
index 0000000000..a0656a97a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+</head>
+<body>
+  <script>
+    var t = async_test("A 'frame-ancestors' CSP directive set from a serviceworker response with a value 'none' should block rendering.");
+
+    // Register service worker.
+    var worker = 'support/service-worker.js';
+    var scope = 'support/service-worker/';
+    service_worker_unregister_and_register(t, worker, scope)
+      .then(registration => wait_for_state(t, registration.installing, 'activated'))
+      .then(() => {
+        // Load iframe.
+        var iframe = document.createElement("iframe");
+        let timer;
+        function pollForLoadCompletion() {
+          timer = t.step_timeout(() => iframeMayBeLoaded({isPoll: true}), 10);
+        }
+        function iframeMayBeLoaded({isPoll}) {
+          var failed = false;
+          clearTimeout(timer);
+          try {
+            let href = iframe.contentWindow.location.href;
+            if (isPoll && (href === "about:blank" || iframe.contentDocument.readyState !== "complete")) {
+              pollForLoadCompletion();
+              return;
+            }
+            failed = true;
+          } catch (ex) {}
+          t.step_func_done(() => assert_false(failed, "The IFrame should have been blocked. It wasn't."))();
+        };
+        iframe.addEventListener("load", () => iframeMayBeLoaded({isPoll: false}));
+        iframe.addEventListener("error", () => iframeMayBeLoaded({isPoll: false}));
+        iframe.src = "/content-security-policy/frame-ancestors/support/service-worker/frame-ancestors-none.html";
+        document.body.appendChild(iframe);
+        pollForLoadCompletion();
+      });
+  </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html
new file mode 100644
index 0000000000..674deb655a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
+
+        testNestedIFrame("'none'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
new file mode 100644
index 0000000000..85b7f0efdc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+
+        testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html
new file mode 100644
index 0000000000..7f5a867de9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
+
+        testNestedIFrame("*", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html
new file mode 100644
index 0000000000..99ab0718e8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html
new file mode 100644
index 0000000000..9bcf63735e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html
new file mode 100644
index 0000000000..1cdd540149
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html
@@ -0,0 +1,16 @@
+
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
+
+        testNestedIFrame("'none'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
new file mode 100644
index 0000000000..da97339711
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+
+        testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html
new file mode 100644
index 0000000000..3658fb6502
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
+
+        // Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.
+        testNestedIFrame("*", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html
new file mode 100644
index 0000000000..1f1ffb9f89
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        // Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.
+        testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html
new file mode 100644
index 0000000000..62dd1c1ef6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html
new file mode 100644
index 0000000000..d7c83ae2f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, " +
+                          "so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin.");
+
+        testNestedSandboxedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html
new file mode 100644
index 0000000000..f01c6d766f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
+
+        testNestedIFrame("'none'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
new file mode 100644
index 0000000000..bae5992e86
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+
+        testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html
new file mode 100644
index 0000000000..85d66f660a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
+
+        testNestedIFrame("*", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html
new file mode 100644
index 0000000000..dff041be9a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html
new file mode 100644
index 0000000000..5d2fc57ac1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(SAMEORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html
new file mode 100644
index 0000000000..234cca82c8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
+
+        testNestedIFrame("'none'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
new file mode 100644
index 0000000000..747c563696
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+
+        testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html
new file mode 100644
index 0000000000..d7eaf73fd6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
+
+        testNestedIFrame("*", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html
new file mode 100644
index 0000000000..432c25f0d2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(SAMEORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html
new file mode 100644
index 0000000000..c02091bf4f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
+
+        testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html
new file mode 100644
index 0000000000..f494468e37
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+  <script>
+    async_test(t => {
+      window.addEventListener('securitypolicyviolation', t.step_func(function(e) {
+        if (e.violatedDirective === 'frame-ancestors')
+          assert_unreached('No securitypolicyviolation event shoud be raised in the parent.');
+      }));
+      t.step_timeout(function() { t.done(); }, 2000);
+    });
+
+    test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering.");
+
+    sameOriginFrameShouldBeBlocked("'none'");
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html
new file mode 100644
index 0000000000..9e6d3d729c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+    <script>
+        async_test(function (t) {
+            var i = document.createElement('iframe');
+            i.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy='self'&xfo=DENY";
+            i.onload = t.step_func_done(function () {
+                assert_equals(i.contentWindow.origin, window.origin, "The same-origin page loaded.");
+            });
+            document.body.appendChild(i);
+        }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page.");
+
+        async_test(function (t) {
+            var i = document.createElement('iframe');
+            i.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy=other-origin.com&xfo=SAMEORIGIN";
+            checkDone = t.step_func(function() {
+                clearTimeout(timer);
+                try {
+                    if (i.contentWindow.location.href === "about:blank" ||
+                        (i.contentDocument && i.contentDocument.readyState !== "complete")) {
+                        timer = t.step_timeout(checkDone, 10);
+                        return;
+                    }
+                } catch(e) {}
+                assert_equals(i.contentDocument, null);
+                t.done();
+            });
+            i.onload = checkDone;
+            let timer = t.step_timeout(checkDone, 10);
+            document.body.appendChild(i);
+        }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page.");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
new file mode 100644
index 0000000000..4a2a19698d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+  <script>
+    test = async_test("A 'frame-ancestors' CSP directive with a 'self' value " +
+      "should compare the child URL (self) against each parent's origin's URL" +
+      " rather then URL. When the ancestors are sandboxed, they never match.");
+
+    testNestedSandboxedIFrame('self', SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html
new file mode 100644
index 0000000000..a8a295dfc4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should allow rendering.");
+
+        sameOriginFrameShouldBeAllowed("'self'");
+    </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html
new file mode 100644
index 0000000000..438f2b8eb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block rendering.");
+
+        crossOriginFrameShouldBeBlocked("'self'");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html
new file mode 100644
index 0000000000..09ee28bbea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with '*' should allow rendering.");
+
+        // Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.
+        crossOriginFrameShouldBeBlocked("*");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html
new file mode 100644
index 0000000000..62bbe45b25
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with '*' should allow rendering.");
+
+        sameOriginFrameShouldBeAllowed("*");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html
new file mode 100644
index 0000000000..f4f42e475f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering.");
+
+        sameOriginFrameShouldBeAllowed('{{location[scheme]}}://{{location[host]}}');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html
new file mode 100644
index 0000000000..c320370be5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="support/frame-ancestors-test.sub.js"></script>
+</head>
+<body>
+    <script>
+        test = async_test("A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked.");
+
+        crossOriginFrameShouldBeBlocked("http://example.com/");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html
new file mode 100644
index 0000000000..a7532b7cf2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<meta name="timeout" content="long">
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <title>Blocked frames are reported correctly</title>
+</head>
+<body>
+  <iframe src="support/content-security-policy.sub.html?policy=report-uri%20/reporting/resources/report.py%3Fop=put%26reportID={{$id:uuid()}}%3B%20frame-ancestors%20'none'"></iframe>
+  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20'none'&reportID={{$id}}"></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/report-only-frame.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/report-only-frame.sub.html
new file mode 100644
index 0000000000..55289db6d6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/report-only-frame.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<meta name="timeout" content="long">
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <title>Blocked frames are reported correctly</title>
+</head>
+<body>
+  <iframe src="support/content-security-policy-report-only.sub.html?policy=report-uri%20/reporting/resources/report.py%3Fop=put%26reportID={{$id:uuid()}}%3B%20frame-ancestors%20'none'"></iframe>
+  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20'none'&reportID={{$id}}"></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html
new file mode 100644
index 0000000000..c8317b91cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This is an IFrame sending a Content-Security-Policy-Report-Only header containing "{{GET[policy]}}".</p>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers
new file mode 100644
index 0000000000..ccb142e569
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: {{GET[policy]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html
new file mode 100644
index 0000000000..2182f4a3d2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This is an IFrame sending a Content Security Policy header containing "{{GET[policy]}}".</p>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers
new file mode 100644
index 0000000000..322c99d518
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: {{GET[policy]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html
new file mode 100644
index 0000000000..e22fea3ccd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" and "X-Frame-Options: {{GET[xfo]}}".</p>
+    <script>
+        // This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" and "X-Frame-Options: {{GET[xfo]}}".
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers
new file mode 100644
index 0000000000..636e0facde
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers
@@ -0,0 +1,3 @@
+Content-Type: text/html; charset=UTF-8
+Content-Security-Policy: frame-ancestors {{GET[policy]}}
+X-Frame-Options: {{GET[xfo]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
new file mode 100644
index 0000000000..6e816e89b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
@@ -0,0 +1,147 @@
+var SAME_ORIGIN = true;
+var CROSS_ORIGIN = false;
+
+var EXPECT_BLOCK = true;
+var EXPECT_LOAD = false;
+
+var SAMEORIGIN_ORIGIN = "{{location[scheme]}}://{{location[host]}}";
+var CROSSORIGIN_ORIGIN = "http://{{domains[www1]}}:{{ports[http][1]}}";
+
+var test;
+
+function endTest(failed, message) {
+    if (typeof test === 'undefined') return;
+
+    if (failed) {
+        test.step(function() {
+            assert_unreached(message);
+            test.done();
+        });
+    }
+    else test.done({message: message});
+}
+
+window.addEventListener("message", function (e) {
+    if (window.parent != window)
+        window.parent.postMessage(e.data, "*");
+    else
+        if (e.data.type === 'test_result')
+            endTest(e.data.failed, "Inner IFrame msg: " + e.data.message);
+});
+
+function injectNestedIframe(policy, parent, child, expectation, isSandboxed) {
+    var iframe = document.createElement("iframe");
+
+    var url = "/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html"
+              + "?policy=" + policy
+              + "&parent=" + parent
+              + "&child=" + child
+              + "&expectation=" + expectation;
+    url = (parent == "same" ? SAMEORIGIN_ORIGIN : CROSSORIGIN_ORIGIN) + url;
+
+    iframe.src = url;
+
+    if (isSandboxed)
+        iframe.sandbox = 'allow-scripts';
+
+    document.body.appendChild(iframe);
+}
+
+let timer;
+function pollForLoadCompletion({iframe, expectBlock}) {
+    let fn = iframeLoaded({expectBlock, isPoll: true});
+    timer = test.step_timeout(() => fn({target: iframe}), 10);
+}
+
+function injectIFrame(policy, sameOrigin, expectBlock) {
+    var iframe = document.createElement("iframe");
+    iframe.addEventListener("load", iframeLoaded({expectBlock, isPoll: false}));
+    iframe.addEventListener("error", iframeLoaded({expectBlock, isPoll: false}));
+
+    var url = "/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=" + policy;
+    if (sameOrigin)
+        url = SAMEORIGIN_ORIGIN + url;
+    else
+        url = CROSSORIGIN_ORIGIN + url;
+
+    iframe.src = url;
+    document.body.appendChild(iframe);
+    pollForLoadCompletion({iframe, expectBlock});
+}
+
+function iframeLoaded({isPoll, expectBlock}) {
+    return function(ev) {
+        clearTimeout(timer);
+        var failed = true;
+        var message = "";
+        try {
+            let url = ev.target.contentWindow.location.href;
+            if (isPoll && (url === "about:blank" || ev.target.contentDocument.readyState !== "complete")) {
+                pollForLoadCompletion({iframe: ev.target, expectBlock});
+                return;
+            }
+            if (expectBlock) {
+                message = "The IFrame should have been blocked (or cross-origin). It wasn't.";
+                failed = true;
+            } else {
+                message = "The IFrame should not have been blocked. It wasn't.";
+                failed = false;
+            }
+        } catch (ex) {
+            if (expectBlock) {
+                message = "The IFrame should have been blocked (or cross-origin). It was.";
+                failed = false;
+            } else {
+                message = "The IFrame should not have been blocked. It was.";
+                failed = true;
+            }
+        }
+        if (window.parent != window)
+            window.parent.postMessage({type: 'test_result', failed: failed, message: message}, '*');
+        else
+            endTest(failed, message);
+    };
+}
+
+function originFrameShouldBe(child, expectation, policy) {
+    if (child == "cross" && expectation == "blocked") crossOriginFrameShouldBeBlocked(policy);
+    if (child == "same" && expectation == "blocked") sameOriginFrameShouldBeBlocked(policy);
+    if (child == "cross" && expectation == "allowed") crossOriginFrameShouldBeAllowed(policy);
+    if (child == "same" && expectation == "allowed") sameOriginFrameShouldBeAllowed(policy);
+}
+
+function crossOriginFrameShouldBeBlocked(policy) {
+    window.onload = function () {
+        injectIFrame(policy, CROSS_ORIGIN, EXPECT_BLOCK);
+    };
+}
+
+function crossOriginFrameShouldBeAllowed(policy) {
+    window.onload = function () {
+        injectIFrame(policy, CROSS_ORIGIN, EXPECT_LOAD);
+    };
+}
+
+function sameOriginFrameShouldBeBlocked(policy) {
+    window.onload = function () {
+        injectIFrame(policy, SAME_ORIGIN, EXPECT_BLOCK);
+    };
+}
+
+function sameOriginFrameShouldBeAllowed(policy) {
+    window.onload = function () {
+        injectIFrame(policy, SAME_ORIGIN, EXPECT_LOAD);
+    };
+}
+
+function testNestedIFrame(policy, parent, child, expectation) {
+    window.onload = function () {
+        injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "allowed" : "blocked", false /* isSandboxed */);
+    };
+}
+
+function testNestedSandboxedIFrame(policy, parent, child, expectation) {
+    window.onload = function () {
+        injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "allowed" : "blocked", true /* isSandboxed */);
+    };
+}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html
new file mode 100644
index 0000000000..de65277343
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}".</p>
+    <script>
+         // This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}"
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers
new file mode 100644
index 0000000000..9369a4101f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers
@@ -0,0 +1,2 @@
+Content-Type: text/html; charset=UTF-8
+Content-Security-Policy: frame-ancestors {{GET[policy]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html
new file mode 100644
index 0000000000..993b6bfd4b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js'></script>
+
+    <span id="escape">{{GET[policy]}}</span>
+
+    <script>
+        test = async_test("Testing a {{GET[child]}}-origin child with a policy of {{GET[policy]}} nested in a {{GET[parent]}}-origin parent");
+        const policy = document.getElementById("escape").textContent;
+        originFrameShouldBe("{{GET[child]}}", "{{GET[expectation]}}", policy);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers
new file mode 100644
index 0000000000..e853d6cee5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=UTF-8
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/service-worker.js b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/service-worker.js
new file mode 100644
index 0000000000..ebced90f50
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/service-worker.js
@@ -0,0 +1,10 @@
+self.onfetch = e => {
+  e.respondWith(function() {
+    return new Promise((resolve) => {
+      var headers = new Headers;
+      headers.append("Content-Security-Policy", "frame-ancestors 'none'");
+      var response = new Response("", { "headers" : headers, "status": 200, "statusText" : "OK" });
+      resolve(response);
+    });
+  }());
+};
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 0000000000..a9d40adee0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>frame-src-about-blank-allowed-by-default</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+
+    <p>These frames should not be blocked by Content-Security-Policy.
+        It&apos;s pointless to block about:blank iframes because
+        blocking a frame just results in displaying about:blank anyway!
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+    </script>
+
+    <iframe src="about:blank"></iframe>
+    <object type="text/html" data="about:blank"></object>
+
+    <div id="log"></div>
+    <script>
+        log("PASS");
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 0000000000..f5b62aaa2f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>frame-src-about-blank-allowed-by-scheme</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+
+    <p>This frame should not be blocked by Content-Security-Policy.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+    </script>
+
+    <iframe src="about:blank"></iframe>
+    <div id="log"></div>
+    <script>
+        log("PASS");
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-allowed.sub.html
new file mode 100644
index 0000000000..8421a9cbfb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-allowed.sub.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>frame-src-allowed</title>
+    <meta http-equiv="Content-Security-Policy" content="frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        var t_alert = async_test('Expecting alerts: ["PASS"]');
+        var expected_alerts = ["PASS"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <p>
+        This iframe should be allowed.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-blocked.sub.html
new file mode 100644
index 0000000000..a4957f8715
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-blocked.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>frame-src-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","violated-directive=frame-src"]'></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <p>
+        IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html
new file mode 100644
index 0000000000..956c79fbf0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>frame-src-cross-origin-load</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event.","violated-directive=frame-src"]'></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+
+        var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
+        var expected_alerts = ["PASS", "PASS"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_alert.done();
+            });
+        }
+
+    </script>
+
+    <p>
+        IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+    </p>
+    <script>
+        window.wasPostTestScriptParsed = true;
+        var loads = 0;
+
+        function loadEvent() {
+            loads++;
+            log("PASS " + "IFrame #" + loads + " generated a load event.");
+        }
+
+    </script>
+</head>
+
+<body>
+    <iframe src="../support/postmessage-pass.html" onload="loadEvent()"></iframe>
+    <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe>
+    <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js
new file mode 100644
index 0000000000..4c77193541
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js
@@ -0,0 +1,45 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/common/dispatcher/dispatcher.js
+
+// Regression test for https://crbug.com/1262203
+//
+// A cross-origin document initiates a same-document navigation. This navigation
+// is subject to CSP:frame-src 'none', but this doesn't apply, since it's a
+// same-document navigation. This test checks this doesn't lead to a crash.
+
+promise_test(async test => {
+  const child_token = token();
+  const child = new RemoteContext(child_token);
+  const iframe = document.createElement("iframe");
+  iframe.src = remoteExecutorUrl(child_token, {
+    host: get_host_info().REMOTE_HOST
+  });
+  document.body.appendChild(iframe);
+
+  // Install a promise waiting for a same-document navigation to happen in the
+  // child.
+  await child.execute_script(() => {
+    window.sameDocumentNavigation = new Promise(resolve => {
+      window.addEventListener("popstate", resolve);
+    });
+  });
+
+  // Append a new CSP, disallowing new iframe navigations.
+  const meta = document.createElement("meta");
+  meta.httpEquiv = "Content-Security-Policy";
+  meta.content = "frame-src 'none'";
+  document.head.appendChild(meta);
+
+  document.addEventListener(
+      "securitypolicyviolation",
+      test.unreached_func("same-document navigations aren't subject to CSP"));
+
+  // Create a same-document navigation, inititated cross-origin in the iframe.
+  // It must not be blocked by the CSP above.
+  iframe.src += "#foo";
+
+  // Make sure the navigation succeeded and was indeed a same-document one:
+  await child.execute_script(() => sameDocumentNavigation);
+  assert_equals(await child.execute_script(() => location.href), iframe.src);
+})
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html
new file mode 100644
index 0000000000..f5ac88b052
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html
@@ -0,0 +1,35 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/testharness-helper.sub.js"></script>
+<body></body>
+<script>
+    function waitForViolation(el, policy, blocked_origin) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => {
+          if (e.originalPolicy == policy && (new URL(e.blockedURI)).origin == blocked_origin)
+            resolve(e);
+        });
+      });
+    }
+
+    async_test(t => {
+      var i = document.createElement("iframe");
+      var redirect = generateCrossOriginRedirectFrame();
+      i.src = redirect.url;
+
+      // Report-only policy should trigger a violation on the original request.
+      var original_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(i.src)).origin)
+      // Report-only policy should trigger a violation on the redirected request.
+      var redirect_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(redirect.target)).origin)
+      // Enforced policy should trigger a violation on the redirected request.
+      var redirect_enforced = waitForViolation(window, "frame-src 'self'", (new URL(redirect.target)).origin)
+
+      Promise.all([original_report_only, redirect_report_only, redirect_enforced]).then(t.step_func(_ => {
+        t.done();
+      }));
+
+      document.body.appendChild(i);
+    }, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers
new file mode 100644
index 0000000000..338bea13b8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy: frame-src 'self'
+Content-Security-Policy-Report-Only: frame-src http://foo.test
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html
new file mode 100644
index 0000000000..f4122f3d35
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html
@@ -0,0 +1,52 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<html>
+<body></body>
+<script>
+    promise_test(async test => {
+      // 1. Load an iframe (not blocked).
+      let iframe = document.createElement("iframe");
+      {
+        iframe.name = "theiframe";
+        iframe.src =
+          "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?0";
+        let iframeLoaded = new Promise(resolve => { iframe.onload = resolve });
+        document.body.appendChild(iframe);
+        await iframeLoaded;
+      }
+
+      // 2. Start blocking iframes using CSP frame-src 'none'.
+      {
+        let meta = document.createElement('meta');
+        meta.httpEquiv = "Content-Security-Policy";
+        meta.content = "frame-src 'none'";
+        document.getElementsByTagName('head')[0].appendChild(meta);
+      }
+
+      // 3. Blocked same-document navigation using iframe.src.
+      {
+        let violation = new Promise(resolve => {
+          window.addEventListener('securitypolicyviolation', () => resolve());
+        });
+        iframe.src =
+          "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?1";
+        await violation;
+      }
+
+      // 4. Blocked same-document navigation using window.open.
+      {
+        let violation = new Promise(resolve => {
+          window.addEventListener('securitypolicyviolation', resolve);
+        });
+        window.open(
+          "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?2",
+          "theiframe");
+        await violation;
+      }
+
+      // 5. Regression test for https://crbug.com/1018385. The browser should
+      // not crash while displaying the error page.
+      await new Promise(resolve => window.setTimeout(resolve, 1000));
+    }, "Same-document navigations in an iframe blocked by CSP frame-src dynamically using the <meta> tag");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html
new file mode 100644
index 0000000000..9868f92955
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html
@@ -0,0 +1,22 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<html>
+<body></body>
+<script>
+    let crossOriginUrl =
+      "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html";
+
+    promise_test(async test => {
+      let iframe = document.createElement("iframe");
+      document.body.appendChild(iframe);
+
+      for(let hash of ["#0", "#1"]) {
+        let violation = new Promise(resolve => {
+          window.addEventListener('securitypolicyviolation', resolve);
+        });
+        iframe.src = crossOriginUrl + hash;
+        await violation;
+      }
+    }, "Same-document navigation in an iframe blocked by CSP frame-src");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html.headers b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html.headers
new file mode 100644
index 0000000000..6502444407
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: frame-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-sandboxed-allowed.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
new file mode 100644
index 0000000000..419a14458b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Frame-src: 'self' matches even if the parent's origin is unique.</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <script>
+      var t = async_test('SubframeLoaded');
+
+      window.addEventListener('securitypolicyviolation', t.step_func(function(e) {
+        if (e.violatedDirective === "frame-src") {
+          assert_unreached('unexpected securitypolicyviolation');
+          t.done();
+        }
+      }));
+
+      window.addEventListener("message", t.step_func(function(event) {
+        assert_equals(event.data, "PASS", 'unexpected message: ' + event.data);
+        t.done();
+      }));
+
+      f = document.createElement("iframe");
+      f.src = "/content-security-policy/support/postmessage-pass.html";
+      document.body.appendChild(f);
+    </script>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
new file mode 100644
index 0000000000..ec9e8deb59
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: frame-src 'self'; sandbox allow-scripts
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html
new file mode 100644
index 0000000000..3d04a08ad7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>frame-src-self-unique-origin</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <p>
+        The origin of an URL is called "unique" when it is considered to be
+        different from every origin, including itself. The origin of a
+        data-url is unique. When the current origin is unique, the CSP source
+        'self' must not match any URL.
+    </p>
+    <script>
+        var iframe = document.createElement("iframe");
+        iframe.src = encodeURI(`data:text/html,
+          <script>
+              /* Add the CSP: frame-src: 'self'. */
+              var meta = document.createElement('meta');
+              meta.httpEquiv = 'Content-Security-Policy';
+              meta.content = "frame-src 'self'";
+              document.getElementsByTagName('head')[0].appendChild(meta);
+
+              /* Notify the parent the iframe has been blocked. */
+              window.addEventListener('securitypolicyviolation', e => {
+                  if (e.originalPolicy == "frame-src 'self'")
+                      window.parent.postMessage('Test PASS', '*');
+              });
+          </scr`+`ipt>
+
+          This iframe should be blocked by CSP:
+          <iframe src='data:text/html,blocked_iframe'></iframe>
+        `);
+        if (window.async_test) {
+            async_test(t => {
+                window.addEventListener("message", e => {
+                    if (e.data == "Test PASS")
+                      t.done();
+                });
+            }, "Iframe's url must not match with 'self'. It must be blocked.");
+        }
+        document.body.appendChild(iframe);
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/support/frame.html b/testing/web-platform/tests/content-security-policy/frame-src/support/frame.html
new file mode 100644
index 0000000000..50be429587
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/support/frame.html
@@ -0,0 +1,2 @@
+<!doctype html>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/support/testharness-helper.sub.js b/testing/web-platform/tests/content-security-policy/frame-src/support/testharness-helper.sub.js
new file mode 100644
index 0000000000..b9e9a6c856
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/support/testharness-helper.sub.js
@@ -0,0 +1,5 @@
+function generateCrossOriginRedirectFrame() {
+  var target = "http://{{domains[天気の良い日]}}:" + document.location.port + "/content-security-policy/frame-src/support/frame.html";
+  var url = "/common/redirect.py?location=" + encodeURIComponent(target);
+  return { url: url, target: target };
+}
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html
new file mode 100644
index 0000000000..a5505da3ec
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html
new file mode 100644
index 0000000000..1001b8934c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.http.html
new file mode 100644
index 0000000000..9539763e52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.https.html
new file mode 100644
index 0000000000..e8f4411aa2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..dca4996e6b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..e082a0aabd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.http.html
new file mode 100644
index 0000000000..79880d3822
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.https.html
new file mode 100644
index 0000000000..b561c096e0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.http.html
new file mode 100644
index 0000000000..a8fd6b61f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.https.html
new file mode 100644
index 0000000000..a9ccaf5f8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/sharedworker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.http.html
new file mode 100644
index 0000000000..755e1cfcc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.https.html
new file mode 100644
index 0000000000..f745886d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.http.html
new file mode 100644
index 0000000000..128bca9dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html
new file mode 100644
index 0000000000..a819b2f680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html
new file mode 100644
index 0000000000..c15a45c6cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html
new file mode 100644
index 0000000000..fb93bdec2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.http.html
new file mode 100644
index 0000000000..ae0d919833
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.http.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.https.html
new file mode 100644
index 0000000000..f630ea0ff1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..c743fc6561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation-import-data.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation.https.html
new file mode 100644
index 0000000000..b25544c193
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-animation.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..46ed3a0bf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio-import-data.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio.https.html
new file mode 100644
index 0000000000..57d8809f75
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-audio.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..1503c93758
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout-import-data.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout.https.html
new file mode 100644
index 0000000000..c3fae6d44f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-layout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..122cedef88
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint-import-data.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint.https.html
new file mode 100644
index 0000000000..843b00e675
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint.https.html.headers
new file mode 100644
index 0000000000..32b65539e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-self/worklet-paint.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http.html
new file mode 100644
index 0000000000..4a8673d320
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https.html
new file mode 100644
index 0000000000..99d3fa4dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.http.html
new file mode 100644
index 0000000000..9539763e52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.https.html
new file mode 100644
index 0000000000..e8f4411aa2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..dca4996e6b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..e082a0aabd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.http.html
new file mode 100644
index 0000000000..235eb3b5ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.https.html
new file mode 100644
index 0000000000..c0e60c1197
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.http.html
new file mode 100644
index 0000000000..a8fd6b61f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.https.html
new file mode 100644
index 0000000000..a9ccaf5f8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/sharedworker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.http.html
new file mode 100644
index 0000000000..755e1cfcc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.https.html
new file mode 100644
index 0000000000..f745886d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.http.html
new file mode 100644
index 0000000000..128bca9dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.https.html
new file mode 100644
index 0000000000..a819b2f680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.http.html
new file mode 100644
index 0000000000..8e729f63bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.https.html
new file mode 100644
index 0000000000..ecb08bfb33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.http.html
new file mode 100644
index 0000000000..ae0d919833
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.http.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.https.html
new file mode 100644
index 0000000000..f630ea0ff1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..c743fc6561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation-import-data.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation.https.html
new file mode 100644
index 0000000000..35f658cb06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-animation.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..46ed3a0bf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio-import-data.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio.https.html
new file mode 100644
index 0000000000..e2b02e941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-audio.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..1503c93758
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout-import-data.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout.https.html
new file mode 100644
index 0000000000..e8c8564561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-layout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..122cedef88
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint-import-data.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint.https.html
new file mode 100644
index 0000000000..e06edb7be2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint.https.html.headers
new file mode 100644
index 0000000000..cbc7a1b54f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/script-src-wildcard/worklet-paint.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src * 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.http.html
new file mode 100644
index 0000000000..4a8673d320
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.https.html
new file mode 100644
index 0000000000..99d3fa4dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/script-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.http.html
new file mode 100644
index 0000000000..2cf32d1d11
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.https.html
new file mode 100644
index 0000000000..377eeaccc7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..dca4996e6b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..e082a0aabd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.http.html
new file mode 100644
index 0000000000..53d060edeb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.https.html
new file mode 100644
index 0000000000..3537249e42
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.http.html
new file mode 100644
index 0000000000..8cfd3c6332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.https.html
new file mode 100644
index 0000000000..5982ad0521
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/sharedworker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.http.html
new file mode 100644
index 0000000000..403963d561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.https.html
new file mode 100644
index 0000000000..ceb78f54f2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.http.html
new file mode 100644
index 0000000000..128bca9dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.https.html
new file mode 100644
index 0000000000..a819b2f680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.http.html
new file mode 100644
index 0000000000..0a5e46bcac
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.https.html
new file mode 100644
index 0000000000..777ec91f99
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.http.html
new file mode 100644
index 0000000000..8e418f50b7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.http.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.https.html
new file mode 100644
index 0000000000..7ebb8250cd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..e76d985825
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation-import-data.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation.https.html
new file mode 100644
index 0000000000..35f658cb06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-animation.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..88f6fa6ff8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio-import-data.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio.https.html
new file mode 100644
index 0000000000..e2b02e941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-audio.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..84d673d706
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout-import-data.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout.https.html
new file mode 100644
index 0000000000..e8c8564561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-layout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..5c4c1c57b9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint-import-data.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint.https.html
new file mode 100644
index 0000000000..e06edb7be2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint.https.html.headers
new file mode 100644
index 0000000000..c75aa51ab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-none/worklet-paint.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.http.html
new file mode 100644
index 0000000000..4a8673d320
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.https.html
new file mode 100644
index 0000000000..99d3fa4dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/script-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.http.html
new file mode 100644
index 0000000000..9539763e52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.https.html
new file mode 100644
index 0000000000..e8f4411aa2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..dca4996e6b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..e082a0aabd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.http.html
new file mode 100644
index 0000000000..79880d3822
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.https.html
new file mode 100644
index 0000000000..b561c096e0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.http.html
new file mode 100644
index 0000000000..a8fd6b61f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.https.html
new file mode 100644
index 0000000000..a9ccaf5f8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/sharedworker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.http.html
new file mode 100644
index 0000000000..755e1cfcc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.https.html
new file mode 100644
index 0000000000..f745886d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.http.html
new file mode 100644
index 0000000000..128bca9dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.https.html
new file mode 100644
index 0000000000..a819b2f680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html
new file mode 100644
index 0000000000..c15a45c6cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html
new file mode 100644
index 0000000000..fb93bdec2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.http.html
new file mode 100644
index 0000000000..ae0d919833
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.http.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.https.html
new file mode 100644
index 0000000000..f630ea0ff1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..e76d985825
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation-import-data.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation.https.html
new file mode 100644
index 0000000000..35f658cb06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-animation.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..88f6fa6ff8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio-import-data.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio.https.html
new file mode 100644
index 0000000000..e2b02e941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-audio.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..84d673d706
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout-import-data.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout.https.html
new file mode 100644
index 0000000000..e8c8564561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-layout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..5c4c1c57b9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint-import-data.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint.https.html
new file mode 100644
index 0000000000..e06edb7be2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint.https.html.headers
new file mode 100644
index 0000000000..d55f863f72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-self/worklet-paint.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.http.html
new file mode 100644
index 0000000000..4a8673d320
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.https.html
new file mode 100644
index 0000000000..99d3fa4dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/script-tag.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.http.html
new file mode 100644
index 0000000000..9539763e52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.https.html
new file mode 100644
index 0000000000..e8f4411aa2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..dca4996e6b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..e082a0aabd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.http.html
new file mode 100644
index 0000000000..235eb3b5ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.https.html
new file mode 100644
index 0000000000..c0e60c1197
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.http.html
new file mode 100644
index 0000000000..a8fd6b61f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.https.html
new file mode 100644
index 0000000000..a9ccaf5f8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/sharedworker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.http.html
new file mode 100644
index 0000000000..755e1cfcc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.https.html
new file mode 100644
index 0000000000..f745886d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-classic.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.http.html
new file mode 100644
index 0000000000..128bca9dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.https.html
new file mode 100644
index 0000000000..a819b2f680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.http.html
new file mode 100644
index 0000000000..8e729f63bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.http.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.https.html
new file mode 100644
index 0000000000..ecb08bfb33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-import.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.http.html
new file mode 100644
index 0000000000..ae0d919833
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.http.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.http.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.http.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.http.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.https.html
new file mode 100644
index 0000000000..f630ea0ff1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.https.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worker-module.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..e76d985825
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation-import-data.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation.https.html
new file mode 100644
index 0000000000..35f658cb06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-animation.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..88f6fa6ff8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio-import-data.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio.https.html
new file mode 100644
index 0000000000..e2b02e941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-audio.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..84d673d706
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout-import-data.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout.https.html
new file mode 100644
index 0000000000..e8c8564561
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-layout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..5c4c1c57b9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint-import-data.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint-import-data.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint-import-data.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint-import-data.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint.https.html
new file mode 100644
index 0000000000..e06edb7be2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint.https.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint.https.html.headers b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint.https.html.headers
new file mode 100644
index 0000000000..59e5c0fc4a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.http-rp/worker-src-wildcard/worklet-paint.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: worker-src *
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/script-tag.http.html
new file mode 100644
index 0000000000..2490b51d29
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/script-tag.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/script-tag.https.html
new file mode 100644
index 0000000000..ce2d9dcc40
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/script-tag.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-classic.http.html
new file mode 100644
index 0000000000..3d8a6c917d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-classic.https.html
new file mode 100644
index 0000000000..017f25415f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..8b65298fe2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..07ee2c8474
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import.http.html
new file mode 100644
index 0000000000..1f64e8ab9d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import.https.html
new file mode 100644
index 0000000000..d91caff000
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-module.http.html
new file mode 100644
index 0000000000..1645db76b4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-module.https.html
new file mode 100644
index 0000000000..1be825f89e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/sharedworker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-classic.http.html
new file mode 100644
index 0000000000..9c0a4f09b4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-classic.https.html
new file mode 100644
index 0000000000..1c05c68113
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import-data.http.html
new file mode 100644
index 0000000000..9d779e5c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import-data.https.html
new file mode 100644
index 0000000000..811604d52c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import.http.html
new file mode 100644
index 0000000000..5d4e86c55d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import.https.html
new file mode 100644
index 0000000000..4813ae58bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-module.http.html
new file mode 100644
index 0000000000..0fe08ca09c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-module.https.html
new file mode 100644
index 0000000000..c116226abe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..d8eb6d72cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-animation-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-animation.https.html
new file mode 100644
index 0000000000..755ec46954
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-animation.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..bd31e5a853
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-audio-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-audio.https.html
new file mode 100644
index 0000000000..63dbc4fcbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-audio.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..2dd7414c44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-layout-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-layout.https.html
new file mode 100644
index 0000000000..6e8ab9f324
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-layout.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..ed95e243c4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-paint-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-paint.https.html
new file mode 100644
index 0000000000..6619a3c6a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-self/worklet-paint.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.http.html
new file mode 100644
index 0000000000..298019cfae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.https.html
new file mode 100644
index 0000000000..bcd9e41164
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-classic.http.html
new file mode 100644
index 0000000000..8af7a3b337
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-classic.https.html
new file mode 100644
index 0000000000..1b52800782
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..b9663e2993
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..7f97a53c5b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import.http.html
new file mode 100644
index 0000000000..f91d542671
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import.https.html
new file mode 100644
index 0000000000..0ed064fa95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-module.http.html
new file mode 100644
index 0000000000..b3c7e12802
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-module.https.html
new file mode 100644
index 0000000000..f2731a389e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/sharedworker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-classic.http.html
new file mode 100644
index 0000000000..17ed6fc9c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-classic.https.html
new file mode 100644
index 0000000000..9a397d129f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import-data.http.html
new file mode 100644
index 0000000000..4d4134b88f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import-data.https.html
new file mode 100644
index 0000000000..34f4bc67fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import.http.html
new file mode 100644
index 0000000000..ce1b63e280
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import.https.html
new file mode 100644
index 0000000000..9f2b25ea2b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-module.http.html
new file mode 100644
index 0000000000..f939428700
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-module.https.html
new file mode 100644
index 0000000000..df6fa84aab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..abd386200f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-animation-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-animation.https.html
new file mode 100644
index 0000000000..258bebb569
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-animation.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..4fbd224b57
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-audio-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-audio.https.html
new file mode 100644
index 0000000000..91920cfde7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-audio.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..fcaaba6d1d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-layout-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-layout.https.html
new file mode 100644
index 0000000000..25aa1900fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-layout.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..8eb2ccf20c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-paint-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-paint.https.html
new file mode 100644
index 0000000000..4c1c9d9442
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/script-src-wildcard/worklet-paint.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/script-tag.http.html
new file mode 100644
index 0000000000..808f87b8af
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/script-tag.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/script-tag.https.html
new file mode 100644
index 0000000000..3984c0aca0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/script-tag.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-classic.http.html
new file mode 100644
index 0000000000..c9a52b9e8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-classic.https.html
new file mode 100644
index 0000000000..9c5d99d653
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..67aa293d60
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..962656cf85
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import.http.html
new file mode 100644
index 0000000000..d7d3fde214
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import.https.html
new file mode 100644
index 0000000000..a71218033e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-module.http.html
new file mode 100644
index 0000000000..eab9578956
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-module.https.html
new file mode 100644
index 0000000000..54ee491d2c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/sharedworker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-classic.http.html
new file mode 100644
index 0000000000..fb2a513be6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-classic.https.html
new file mode 100644
index 0000000000..b858ab6fd3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import-data.http.html
new file mode 100644
index 0000000000..c51f5fdfc9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import-data.https.html
new file mode 100644
index 0000000000..ba72382263
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import.http.html
new file mode 100644
index 0000000000..ecc354b42c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import.https.html
new file mode 100644
index 0000000000..d46f8002c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-module.http.html
new file mode 100644
index 0000000000..dbb3736d8c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-module.https.html
new file mode 100644
index 0000000000..ecb46e6c5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..cd1323b7b9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-animation-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-animation.https.html
new file mode 100644
index 0000000000..56a7b38990
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-animation.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..4b6d27f353
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-audio-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-audio.https.html
new file mode 100644
index 0000000000..230b24b0cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-audio.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..256d27bd5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-layout-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-layout.https.html
new file mode 100644
index 0000000000..f91d5994b4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-layout.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..0a4ce7eea9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-paint-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-paint.https.html
new file mode 100644
index 0000000000..70d2bc43d5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-none/worklet-paint.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/script-tag.http.html
new file mode 100644
index 0000000000..01473eca10
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/script-tag.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/script-tag.https.html
new file mode 100644
index 0000000000..9e2b8e4fcc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/script-tag.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-classic.http.html
new file mode 100644
index 0000000000..da84d477fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-classic.https.html
new file mode 100644
index 0000000000..c8a0fe0962
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..53c2883a53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..88c76a0e94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import.http.html
new file mode 100644
index 0000000000..d758a8ea94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import.https.html
new file mode 100644
index 0000000000..856627977e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-module.http.html
new file mode 100644
index 0000000000..4f8ac90112
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-module.https.html
new file mode 100644
index 0000000000..21540178d4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/sharedworker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-classic.http.html
new file mode 100644
index 0000000000..3bbe1c567e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-classic.https.html
new file mode 100644
index 0000000000..f6324c395b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.http.html
new file mode 100644
index 0000000000..3fd637403f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.https.html
new file mode 100644
index 0000000000..44847d3730
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import.http.html
new file mode 100644
index 0000000000..739c7dc36c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import.https.html
new file mode 100644
index 0000000000..0b39eecc3b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-module.http.html
new file mode 100644
index 0000000000..bca26ecf79
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-module.https.html
new file mode 100644
index 0000000000..830632fffe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..ccc4ff906c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-animation-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-animation.https.html
new file mode 100644
index 0000000000..26d075f78f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-animation.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..1cd0b7cb78
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-audio-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-audio.https.html
new file mode 100644
index 0000000000..02fc8f4aa7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-audio.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..e76314d865
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-layout-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-layout.https.html
new file mode 100644
index 0000000000..47c069f349
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-layout.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..3667b8f711
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-paint-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-paint.https.html
new file mode 100644
index 0000000000..f8acb0ce05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-self/worklet-paint.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/script-tag.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/script-tag.http.html
new file mode 100644
index 0000000000..bfde09236b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/script-tag.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/script-tag.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/script-tag.https.html
new file mode 100644
index 0000000000..4374b3ee74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/script-tag.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "script-tag",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for script-tag to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-classic.http.html
new file mode 100644
index 0000000000..b8f7ada43e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-classic.https.html
new file mode 100644
index 0000000000..5cba138c77
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import-data.http.html
new file mode 100644
index 0000000000..946e251e9a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import-data.https.html
new file mode 100644
index 0000000000..172ef2c982
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for sharedworker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import.http.html
new file mode 100644
index 0000000000..e0128ae1e9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import.https.html
new file mode 100644
index 0000000000..9ecc4b4ede
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-module.http.html
new file mode 100644
index 0000000000..60825b9f16
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-module.https.html
new file mode 100644
index 0000000000..4ce3dc37ca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/sharedworker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "sharedworker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for sharedworker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-classic.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-classic.http.html
new file mode 100644
index 0000000000..b0cb7ddfaf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-classic.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-classic.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-classic.https.html
new file mode 100644
index 0000000000..ae6eef0c91
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-classic.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-classic",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import-data.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import-data.http.html
new file mode 100644
index 0000000000..0cc445bc9f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import-data.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import-data.https.html
new file mode 100644
index 0000000000..a84d5bedc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "blocked",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects blocked for worker-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import.http.html
new file mode 100644
index 0000000000..2a7ceb247b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import.http.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-http origin and swap-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and swap-origin redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import.https.html
new file mode 100644
index 0000000000..ce4a52582d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-import.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-import",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-module.http.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-module.http.html
new file mode 100644
index 0000000000..fd0c39f350
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-module.http.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and keep-origin redirection from http context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-http",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "http",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-http origin and no-redirect redirection from http context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-module.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-module.https.html
new file mode 100644
index 0000000000..8eaab9e278
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worker-module.https.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worker-module",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-animation-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-animation-import-data.https.html
new file mode 100644
index 0000000000..3569ae6faa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-animation-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-animation.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-animation.https.html
new file mode 100644
index 0000000000..0fa6c1f84a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-animation.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-animation",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-animation to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-audio-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-audio-import-data.https.html
new file mode 100644
index 0000000000..dcb8922876
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-audio-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-audio.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-audio.https.html
new file mode 100644
index 0000000000..16a020813e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-audio.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-audio",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-audio to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-layout-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-layout-import-data.https.html
new file mode 100644
index 0000000000..2ef11440f2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-layout-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-layout.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-layout.https.html
new file mode 100644
index 0000000000..6f85b4f0bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-layout.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-layout",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-layout to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-paint-import-data.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-paint-import-data.https.html
new file mode 100644
index 0000000000..e1ffaaccfd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-paint-import-data.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint-import-data",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint-import-data to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-paint.https.html b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-paint.https.html
new file mode 100644
index 0000000000..27c2573a69
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/gen/top.meta/worker-src-wildcard/worklet-paint.https.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="timeout" content="long">
+    <meta http-equiv="Content-Security-Policy" content="worker-src *">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <script src="../../../generic/test-case.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      TestCase(
+        [
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "cross-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to cross-https origin and swap-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "keep-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and keep-origin redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "no-redirect",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and no-redirect redirection from https context."
+          },
+          {
+            "expectation": "allowed",
+            "origin": "same-https",
+            "redirection": "swap-origin",
+            "source_context_list": [],
+            "source_scheme": "https",
+            "subresource": "worklet-paint",
+            "subresource_policy_deliveries": [],
+            "test_description": "Content Security Policy: Expects allowed for worklet-paint to same-https origin and swap-origin redirection from https context."
+          }
+        ],
+        new SanityChecker()
+      ).start();
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html b/testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html
new file mode 100644
index 0000000000..b16eadaedc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <title>Test that a 304 response will update the CSP header</title>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that the first frame uses nonce abc");
+    var t2 = async_test("Test that the first frame does not use nonce def");
+
+    var t3 = async_test("Test that the second frame uses nonce def");
+    var t4 = async_test("Test that the second frame does not use nonce abc");
+
+    var i1 = document.createElement('iframe');
+    // We add a random parameter to avoid previous tests cached requests.
+    // We want to make sure i1 gets a 200 code and i2 gets a 304 code.
+    i1.src = "support/304-response.py?{{$id:uuid()}}";
+
+    var i2 = document.createElement('iframe');
+    i2.src = "support/304-response.py?{{$id}}";
+
+    var load_second_frame = function() {
+      document.body.appendChild(i2);
+    }
+
+    window.onmessage = function(e) {
+      if (e.source == i1.contentWindow) {
+        if (e.data == "abc_executed") { t1.done(); return; }
+        if (e.data == "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t2.done(); return; }
+
+        t1.step(function() { assert_unreached("Unexpected message received"); });
+        t2.step(function() { assert_unreached("Unexpected message received"); });
+      }
+
+      if (e.source == i2.contentWindow) {
+        if (e.data == "def_executed") { t3.done(); return; }
+        if (e.data == "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t4.done(); return; }
+
+        t3.step(function() { assert_unreached("Unexpected message received"); });
+        t4.step(function() { assert_unreached("Unexpected message received"); });
+      }
+
+    };
+
+    i1.onload = load_second_frame;
+    document.body.appendChild(i1);
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html
new file mode 100644
index 0000000000..784cdc8875
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <!-- This tests that a report only policy is not treated as enforcing when
+         inherited by a worker. This manifests in particular for `unsafe-eval`
+         in this bug crbug.com/777076  -->
+    <script nonce="abc">
+      var t1 = async_test("Check that inline is allowed since the inherited policy is report only");
+      var t2 = async_test("Check that eval is allowed since the inherited policy is report only");
+
+      var w = new Worker("support/eval.js");
+      w.onmessage = function(e) {
+        if (e.data == "unsafe-inline allowed") t1.done();
+        else if (e.data == "unsafe-eval allowed") t2.done();
+      }
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers
new file mode 100644
index 0000000000..877e192bbf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: script-src 'self' 'nonce-abc';
diff --git a/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html b/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
new file mode 100644
index 0000000000..c65c59fb23
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="
+      IMg-sRC 'self' 'unsafe-inline' http://{{domains[www1]}}:{{ports[http][0]}};
+      img-src 'self' 'unsafe-inline' http://{{domains[www2]}}:{{ports[http][0]}};">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+  <script>
+    var t1 = async_test("Test that the www1 image is allowed to load");
+    var t2 = async_test("Test that the www2 image is not allowed to load");
+    var t_spv = async_test("Test that the www2 image throws a violation event");
+    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "img-src");
+      assert_equals(e.blockedURI, "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+    }));
+  </script>
+
+  <img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png"
+       onload="t1.done();"
+       onerror="t1.step(function() { assert_unreached('www1 image should have loaded'); t1.done(); });">
+
+  <img src="http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"
+       onerror="t2.done();"
+       onload="t2.step(function() { assert_unreached('www2 image should not have loaded'); t2.done(); });">
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html b/testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html
new file mode 100644
index 0000000000..0ab708356c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';">
+    <title>duplicate-directive</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("FAIL");
+        });
+        alert_assert('PASS (1/1)');
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of duplicated directives. It passes if the alert_assert() is executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html
new file mode 100644
index 0000000000..0be7cf29a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    <title>Test for order of Type(evalInput) and host callout</title>
+</head>
+<body>
+    <div id='log'></div>
+
+    <script nonce='abc'>
+    test(function() {
+      assert_throws_js(EvalError, function() {
+        eval("0");
+      }, "eval of a string should reach host callout");
+    }, "eval of a string should be checked by CSP");
+
+    test(function() {
+      let array = ["0"];
+      assert_equals(
+        eval(array),
+        array,
+        "eval is identity when applied to non-strings");
+    }, "eval of a non-string should not be checked by CSP");
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers
new file mode 100644
index 0000000000..85de8bd415
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'nonce-abc'
diff --git a/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
new file mode 100644
index 0000000000..5c580273dc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+  scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') });
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html
new file mode 100644
index 0000000000..afb272cf36
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>filesystem-urls-do-not-match-self</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>
+        filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content..
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+          log("violated-directive=" + e.violatedDirective);
+        });
+
+        if(!window.webkitRequestFileSystem) {
+            t_log = async_test();
+            t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+            log("violated-directive=script-src"); // simulate needed logs to pass test
+        } else {
+            function fail() {
+                alert_assert("FAIL!");
+            }
+            window.webkitRequestFileSystem(
+                TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+                    fs.root.getFile('fail.js', {
+                        create: true
+                    }, function(fileEntry) {
+                        fileEntry.createWriter(function(fileWriter) {
+                            fileWriter.onwriteend = function(e) {
+                                var script = document.createElement('script');
+                                script.src = fileEntry.toURL('application/javascript');
+                                document.body.appendChild(script);
+                            };
+                            // Create a new Blob and write it to pass.js.
+                            var b = new Blob(['fail();'], {
+                                type: 'application/javascript'
+                            });
+                            fileWriter.write(b);
+                        });
+                    });
+                });
+        }
+
+
+    </script>
+    <div id="log"></div>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html
new file mode 100644
index 0000000000..f629228f9f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self';">
+    <title>filesystem-urls-match-filesystem</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>
+        filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        if(!window.webkitRequestFileSystem) {
+            t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+            log("PASS (1/1)"); // simulate needed logs to pass test
+        } else {
+            function pass() {
+                log("PASS (1/1)");
+            }
+            window.webkitRequestFileSystem(
+                TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+                    fs.root.getFile('pass.js', {
+                        create: true
+                    }, function(fileEntry) {
+                        fileEntry.createWriter(function(fileWriter) {
+                            fileWriter.onwriteend = function(e) {
+                                var script = document.createElement('script');
+                                script.src = fileEntry.toURL('application/javascript');
+                                document.body.appendChild(script);
+                            };
+                            // Create a new Blob and write it to pass.js.
+                            var b = new Blob(['pass();'], {
+                                type: 'application/javascript'
+                            });
+                            fileWriter.write(b);
+                        });
+                    });
+                });
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
new file mode 100644
index 0000000000..71ff3219b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to img-src directive</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to img-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var imgsrc = async_test("Verify cascading of default-src to img-src policy");
+      var onerrorFired = false;
+      var t_spv = async_test("Should fire violation events for every failed violation");
+
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "img-src");
+      }));
+    </script>
+
+    <img id='imgfail' src=''
+         onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });'
+         onerror='onerrorFired = true;'>
+    <img src='../support/pass.png'
+         onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'>
+
+    <script>
+      document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png');
+      onload = function() {
+        imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");});
+        imgsrc.done();
+      }
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
new file mode 100644
index 0000000000..b374b8b88e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to script-src directive</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to script-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block");
+      var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
+      var allowedScriptRan = false;
+      var t_spv = async_test("Should fire violation events for every failed violation");
+
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+    </script>
+
+    <script src='pass-0_1.js'></script>
+
+    <script>
+      var inlineScript = document.createElement('script');
+      inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js');
+      document.getElementById('log').appendChild(inlineScript);
+      onload = function() {
+          scriptsrc1.done();
+          scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") });
+          scriptsrc2.done();
+      }
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html
new file mode 100644
index 0000000000..62b69fb8fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test implicit port number matching (requires port 80)</title>
+    <meta http-equiv="Content-Security-Policy content="script-src 'self' {{domains[www]}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script>
+      var t = async_test("Test that script does not fire violation event");
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://{{domains[www]}}/content-security-policy/generic/positiveTest.js";
+      head.appendChild(script);
+    </script>
+
+    <script>
+        t.done();
+    </script>
+</head>
+<body>
+    <h1>test implicit port number matching (requires port 80)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
new file mode 100644
index 0000000000..f48c1e3c56
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>implicit port number matching fails with a different port</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' www.{{host}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>implicit port number matching fails with a different port</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
new file mode 100644
index 0000000000..4f295441cd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' keyword positive test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script nonce='abc'>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener(
+        "securitypolicyviolation", t_spv.unreached_func("securitypolicyviolation should not be emitted"));
+
+      window.addEventListener("load", function() {
+        t_spv.done();
+      });
+    </script>
+    <script src='positiveTest.js'></script>
+    <script nonce='abc'>
+      test(function() {
+        assert_true(window.cspPositiveTest);
+      }, "Allows scripts from the same host.");
+    </script>
+</head>
+<body>
+    <h1>'self' keyword positive test</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
new file mode 100644
index 0000000000..6cb75e31ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' fails with a different port</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>'self' fails with a different port</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
new file mode 100644
index 0000000000..d9c230d2a5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html
new file mode 100644
index 0000000000..a9a76c825e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard host name matching (asterisk as a subdomain of the current domain)</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' *.{{host}}:{{ports[http][0]}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardHostTest.js'></script>
+    <script>
+      var t = async_test("Test that script does not fire violation event");
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+      window.addEventListener("load", t.step_func(function() {
+        assert_true(window.wildcardHostTestRan);
+        t.done();
+      }));
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard host name matching (asterisk as a subdomain of the current domain)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
new file mode 100644
index 0000000000..c326af0e54
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard host name matching (asterisk as part of a subdomain is not accepted)</title>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      var spvEvent;
+      window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+          spvEvent = e;
+      }));
+      addEventListener("load", t_spv.step_func_done(function() {
+          assert_true(!!spvEvent);
+          assert_equals(spvEvent.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' *w.{{host}}:{{ports[http][0]}} w*.{{host}}:{{ports[http][0]}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardHostTestFailure.js'></script>
+</head>
+<body>
+    <h1>test wildcard host name matching (asterisk as part of a subdomain is not accepted)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
new file mode 100644
index 0000000000..564927bd7e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard port number matching</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' {{host}}:* 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardPortTest.js'></script>
+    <script>
+      var t = async_test("Test that script does not fire violation event");
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+      window.addEventListener("load", function() {
+        t.done();
+      });
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/wildcardPortTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard port number matching</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html b/testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html
new file mode 100644
index 0000000000..e46449117f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html
@@ -0,0 +1,75 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      // Make sure that csp works properly in normal situations
+      {
+        "csp": "",
+        "expected": true,
+        "name": "Should load image without any CSP",
+      },
+      {
+        "csp": "img-src 'none';",
+        "expected": false,
+        "name": "Should not load image with 'none' CSP",
+      },
+
+      // Now test with non-ASCII characters.
+      {
+        "csp": "img-src 'none' \u00A1invalid-source; style-src 'none'",
+        "expected": true,
+        "name": "Non-ASCII character in directive value should drop the whole directive.",
+      },
+      {
+        "csp": "img-src ‘none’;",
+        "expected": true,
+        "name": "Non-ASCII quote character in directive value should drop the whole directive.",
+      },
+      {
+        "csp": "img-src 'none'; style-src \u00A1invalid-source 'none'",
+        "expected": false,
+        "name": "Non-ASCII character in directive value should not affect other directives.",
+      },
+      {
+        "csp": "img-src 'none'; style\u00A1-src 'none'",
+        "expected": false,
+        "name": "Non-ASCII character in directive name should not affect other directives.",
+      },
+    ];
+
+    tests.forEach(test => {
+      async_test(t => {
+        var url = "support/load_img_and_post_result_meta.sub.html?csp="
+            + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - meta tag");
+
+      async_test(t => {
+        var url = "support/load_img_and_post_result_header.html?csp="
+            + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - HTTP header");
+    });
+
+    function test_image_loads_as_expected(test, t, url) {
+      var i = document.createElement('iframe');
+      i.src = url;
+      window.addEventListener('message', t.step_func(function(e) {
+        if (e.source != i.contentWindow) return;
+        if (test.expected) {
+          assert_equals(e.data, "img loaded");
+        } else {
+          assert_equals(e.data, "img not loaded");
+        }
+        t.done();
+      }));
+      document.body.appendChild(i);
+    }
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/negativeTests.js b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
new file mode 100644
index 0000000000..44b4d7f683
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
@@ -0,0 +1,3 @@
+var t1 = async_test("Prevents access to external scripts.");
+
+onload = function() {t1.done();}
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
new file mode 100644
index 0000000000..9a89ec05ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>no default src doesn't behave exactly like *</title>
+    <meta name="timeout" content="long">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]">    </script>
+    <script src='positiveTest.js'></script>
+    <!-- enforcing policy: foobar; report-uri ...
+    -->
+</head>
+<body>
+    <h1>no default src doesn't behave exactly like *</h1>
+    This page has a CSP header but an unknown directive.
+    This should have no impact on an img loaded from a data:
+    uri, or an inline script, although that would be blocked by a default-src policy of *.
+    <br>
+    <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKgAAABACAIAAAABPqsMAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH1QoMCC8h3if5rgAAAB10RVh0Q29tbWVudABDcmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAGD0lEQVR42u2aa0yTVxiA39ILxa4KIkKrVCCIitzrqkAXQiXDSFjQHyZDBRRdtoDzgooao5uaoInID4hRJFC8RBOzxQuKigyYokuDSB0WlaJQlQrITRCwte1+nKVhpbT9aGUue59fb84573dO+uR7v/drS4OfAPkf4oQfAYpHUDyC4hEUj6B4BMUjKB5B8QiKR1A8guIRFI+geATFIygeQfEIikdQPEIVxmd1GsN+w9hBrV7bN9Kn7FHWqmqLHxY3vW2ycIWtS7Yeiz9G4h0VO47eO2rj1p4cz7WhayW+kuCZwdNdpjsznIe0Q53vO1X9qsbOxrr2uprWmrb+Nofn/lvQPqs/W5oVb0KBrCDrVpZGpzE7++iHR8Ezg0ms6FIsPL7Qho+Ali3O3h+zn81gW1n5M82BuVjqqZEpyjyVeMrs1CL+IqN1AAj0CBTNElm9YGFiYc7SHKvmHJ6Lpd7K/cF0YvK5/KV+S3eLd/tP9weAlNAUaYO0qrXKJGtd2DoS6A16J5oTGZG9llnYKDEgcUPEBhI/636WL8uvelHV1t82rB1mM9geHA8fV58QzxAhTxjjE+PAXCz15ku92cLIZXFr1tWEe4UDwLk/z635dc3oWWe6s3q72o3tBgD7qvYdiD0AAH0jfbxc3sjHkfF2LF9dvsx/GQDcbLmZdCHJwkrH5mKpp8CAZiC7IpvEUd5RJrMrFqwg1pU9ykO/H2rpbQEAV7brygUrLVxz8ezFJNh2cxtVc/bkonhq3Ht5jwReX3iNV+elDVIDGKQNUpNxs0x1nkoCZY+S6mHsyUXxE30oGP7R/3tP9Y7ziyNP91J5KQCUNpTqDXoAkPhKBNME412ne6ibBEEzg6iewZ5cFE8NY4XveN8xejw1LJV0cxXPK169ewUAL9+9vP38NgA40ZxSQ1OtlpDCxMI50+ZMrPxMIBfFU4DD5ByOO2zyoRPSwtJIUPyw2DhojNPC0mhg/jU67488AxgAQMgTNv/YfPXbq5miTNEskQvDxep57MnFrt56V890YvK4vFif2D1f7QlwDyCDcafjKl9UkjhmTkx1WjUA9Az38HP5H3Qfxvb5saWx1a3VZjfdsmRL7te5pGAY0Rl0ii7FnbY7l55cqnxRSZ4ajs1F8WbEW8bkXU6aJCXFvEBWsKl80+iVBcsLMr7MAIDT8tOpl8Yt+JGzIw9KDkp8JWYLg7JHmXUr68rTKw7PRfEUxJ98cHJz+Wbjbc1lcdXb1RwmBwCEhcJ6df3oxUKesO67OgAY0g55HfUa0AxYuLJgmmD53OVigTiCFxHgHkCn0UfP7rq960jtkU+Ri+LH/ZGmf6S/pbelVlVb0lDS2Nk4ejY9PL3omyIAkHfIw06EjU2Xfy8P8QwBgI1XNxbVF9l4EheGi5AvTJibkB6R7jHFAwAMYBAXi016C4fn4jPe1p807q6/G+0dbWMTHl0cTfVIbmy3suQy8jZxUXFx1cVVk5OLXb0lAtwDbLROXgWNvaHt9I70ZlzPILFYIJ60XBRvCcvfytm/ntDU9fc/AEjdnrTcTwrjv2udTqOnhKaQOOlC0uWnl8dbmTA3oSy5DABSQlP2/rZXZ9BR2mjejHkksNwbOjwX73jzxPvH87l8AOh433Gt+ZqFlTeUN9SDagDgc/nx/vGUdpnCnJIXn0fiB+0PJi0X73jrdfvso7Mf9R8trNQZdGfkZ3ZG7yRZ15uvG6dUW1W1qtp6db2iS9HW36YeUA9qBrV6LYfJ8XPzk/hKMkWZfm5+ZLHJS4E9udjVT7Crd3dxb89qZ9FZABB0POhx12PL6+fPmN+U0QQAGp2Gn8vvHu6m9JWR2bbcnlws9RNkdchqYl32WmbVOgA8efvk/qv7AMCis5KDkyntpdFpcu7mJP+SPIFz2pOLpd5SnS9pKLExpeRhSeTsSABYH74+X5ZPBgV5gijvqAheRKBHoI+rD4/L47K4TDpzWDv8ZvCNoktR3Vp9vvF8+0D72Avak4ulHsFSj6B4BMUjKB5B8QiKR1A8guIRFI+geATFo3gExSMoHkHxCIpHUDyC4hEUj6B45HPmL9so2ZKs94sNAAAAAElFTkSuQmCC'>
+    <script>
+      setup({ explicit_done: true });
+
+      test(function() {
+        assert_true(window.cspPositiveTest);
+      }, "Allows scripts from the same host.");
+    </script>
+
+    <div id='log'></div>
+
+    <script>
+      var script = document.createElement('script');
+      script.src = '../support/checkReport.sub.js?reportExists=false';
+      script.async = true;
+      script.defer = true;
+      script.addEventListener('load', function() {
+        done();
+      });
+      document.body.appendChild(script);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
new file mode 100644
index 0000000000..b40d6ffbab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: no-default-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: foobar; report-uri  /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html b/testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html
new file mode 100644
index 0000000000..9b3636c9fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html
@@ -0,0 +1,67 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      // Make sure that csp works properly in normal situations
+      { "csp": "", "expected": true, "name": "Should load image without any CSP" },
+      { "csp": "img-src 'none';", "expected": false, "name": "Should not load image with 'none' CSP" },
+      // Ensure ASCII whitespaces are properly parsed
+      // ASCII whitespace is U+0009 TAB, U+000A LF, U+000C FF, U+000D CR, or U+0020 SPACE.
+
+      // between directive name and value
+      { "csp": "img-src\u0009'none';", "expected": false, "name": "U+0009 TAB   should be properly parsed between directive name and value" },
+      { "csp": "img-src\u000C'none';", "expected": false, "name": "U+000C FF    should be properly parsed between directive name and value" },
+      { "csp": "img-src\u000A'none';", "expected": false, "name": "U+000A LF    should be properly parsed between directive name and value" },
+      { "csp": "img-src\u000D'none';", "expected": false, "name": "U+000D CR    should be properly parsed between directive name and value" },
+      { "csp": "img-src\u0020'none';", "expected": false, "name": "U+0020 SPACE should be properly parsed between directive name and value" },
+
+      // inside directive value
+      { "csp": "img-src http://example.com\u0009http://example2.com;", "expected": false, "name": "U+0009 TAB   should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u000Chttp://example2.com;", "expected": false, "name": "U+000C FF    should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u000Ahttp://example2.com;", "expected": false, "name": "U+000A LF    should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u000Dhttp://example2.com;", "expected": false, "name": "U+000D CR    should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u0020http://example2.com;", "expected": false, "name": "U+0020 SPACE should be properly parsed inside directive value" },
+
+      // Ensure nbsp (U+00A0) is not considered a valid whitespace
+      // https://github.com/webcompat/web-bugs/issues/18902 has more details about why this particularly relevant
+      { "csp": "img-src\u00A0'none';", "expected": true, "name": "U+00A0 NBSP  should not be parsed between directive name and value" },
+      { "csp": "img-src http://example.com\u00A0http://example2.com;", "expected": true, "name": "U+00A0 NBSP  should not be parsed inside directive value" },
+    ];
+
+    tests.forEach(test => {
+      async_test(t => {
+        var url = "support/load_img_and_post_result_meta.sub.html?csp=" + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - meta tag");
+
+      // We can't test csp delivered in an HTTP header if we're testing CR/LF characters
+      if (test.csp.indexOf("\u000A") == -1 && test.csp.indexOf("\u000D") == -1) {
+        async_test(t => {
+          var url = "support/load_img_and_post_result_header.html?csp=" + encodeURIComponent(test.csp);
+          test_image_loads_as_expected(test, t, url);
+        }, test.name + " - HTTP header");
+      }
+    });
+
+    function test_image_loads_as_expected(test, t, url) {
+      var i = document.createElement('iframe');
+      i.src = url;
+      window.addEventListener('message', t.step_func(function(e) {
+        if (e.source != i.contentWindow) return;
+        if (test.expected) {
+          assert_equals(e.data, "img loaded");
+        } else {
+          assert_equals(e.data, "img not loaded");
+        }
+        t.done();
+      }));
+      document.body.appendChild(i);
+    }
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
new file mode 100644
index 0000000000..3a08dd5621
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+   allowedScriptRan = true;
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html b/testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html
new file mode 100644
index 0000000000..e36ca477b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc';">
+    <title>object-src-url-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+  <script nonce='abc'>
+    window.onmessage = function(e) {
+      log(e.data);
+    }
+  </script>
+  <iframe src="support/log-pass.html"></iframe>
+  <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html
new file mode 100644
index 0000000000..e21bede418
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html
@@ -0,0 +1,43 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <!-- This tests a bug that can occur when content layer CSP is not told
+       about the CSP inherited from the parent document which leads to it not
+       applying it to content layer CSP checks (such as frame-src with
+       PlzNavigate on).
+       Also see crbug.com/778658. -->
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t = async_test("iframe still inherits correct CSP");
+
+    window.onmessage = t.step_func_done(function(e) {
+      assert_equals(e.data, "frame-src");
+    });
+
+    function doDocWrite() {
+      x = document.getElementById('x');
+      x.location = "";
+
+      // While document.write is deprecated I did not find another way to reproduce
+      // the original exploit.
+      x.contentDocument.write(
+        '<script>window.addEventListener("securitypolicyviolation", function(e) {' +
+        '  window.top.postMessage(e.violatedDirective, "*");' +
+        '});</scr' + 'ipt>' +
+        '<iframe src="../support/fail.html"></iframe>'
+      );
+      x.contentDocument.close();
+
+      var s = document.createElement('script');
+      s.async = true;
+      s.defer = true;
+      s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27';
+      document.lastChild.appendChild(s);
+    }
+  </script>
+  <iframe id="x" onload="doDocWrite()" srcdoc="<a href='about:blank'>123</a>"></iframe>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers
new file mode 100644
index 0000000000..73fb991fb1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: policy-inherited-correctly-by-plznavigate={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/positiveTest.js b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
new file mode 100644
index 0000000000..15053e055d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
@@ -0,0 +1 @@
+window.cspPositiveTest = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/304-response.py b/testing/web-platform/tests/content-security-policy/generic/support/304-response.py
new file mode 100644
index 0000000000..f9756555f7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/304-response.py
@@ -0,0 +1,33 @@
+def main(request, response):
+    if request.headers.get(b"If-None-Match"):
+        # we are now receing the second request, we will send back a different CSP
+        # with the 304 response
+        response.status = 304
+        headers = [(b"Content-Type", b"text/html"),
+                   (b"Content-Security-Policy", b"script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
+                   (b"Cache-Control", b"private, max-age=0, must-revalidate"),
+                   (b"ETag", b"123456")]
+        return headers, u""
+    else:
+        headers = [(b"Content-Type", b"text/html"),
+                   (b"Content-Security-Policy", b"script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
+                   (b"Cache-Control", b"private, max-age=0, must-revalidate"),
+                   (b"Etag", b"123456")]
+        return headers, u'''
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+        window.addEventListener("securitypolicyviolation", function(e) {
+            top.postMessage(e.originalPolicy, '*');
+        });
+    </script>
+    <script nonce="abc">
+        top.postMessage('abc_executed', '*');
+    </script>
+    <script nonce="def">
+        top.postMessage('def_executed', '*');
+    </script>
+</head>
+</html>
+'''
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/eval.js b/testing/web-platform/tests/content-security-policy/generic/support/eval.js
new file mode 100644
index 0000000000..d8ba2a5589
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/eval.js
@@ -0,0 +1,2 @@
+postMessage('unsafe-inline allowed');
+eval("postMessage('unsafe-eval allowed')");
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html
new file mode 100644
index 0000000000..c7a2e75dba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html
@@ -0,0 +1,11 @@
+<html>
+<body>
+  <script>
+    var img = document.createElement("img");
+    img.src = "/content-security-policy/support/pass.png";
+    img.onload = function() { parent.postMessage('img loaded', '*'); }
+    img.onerror = function() { parent.postMessage('img not loaded', '*'); }
+    document.body.appendChild(img);
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers
new file mode 100644
index 0000000000..e9bf21bab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: {{GET[csp]}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html
new file mode 100644
index 0000000000..ac0cf39dd0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html
@@ -0,0 +1,14 @@
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+<body>
+  <script>
+    var img = document.createElement("img");
+    img.src = "/content-security-policy/support/pass.png";
+    img.onload = function() { parent.postMessage('img loaded', '*'); }
+    img.onerror = function() { parent.postMessage('img not loaded', '*'); }
+    document.body.appendChild(img);
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/log-pass.html b/testing/web-platform/tests/content-security-policy/generic/support/log-pass.html
new file mode 100644
index 0000000000..4334ea4c66
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/log-pass.html
@@ -0,0 +1,3 @@
+<script>
+   window.parent.postMessage('PASS', '*');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html
new file mode 100644
index 0000000000..9480e521de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html
@@ -0,0 +1,4 @@
+<script>
+  window.parent.postMessage('PASS (1/2): Script can execute', '*');
+  eval("window.parent.postMessage('PASS (2/2): Eval works', '*')");
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers
new file mode 100644
index 0000000000..c7e4e7cc5b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js b/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js
new file mode 100644
index 0000000000..d9a6494dd3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js
@@ -0,0 +1,98 @@
+function TestCase(scenarios, sanityChecker) {
+  function runTest(scenario) {
+    sanityChecker.checkScenario(scenario, subresourceMap);
+
+    const urls = getRequestURLs(scenario.subresource,
+                                scenario.origin,
+                                scenario.redirection);
+
+    /** @type {Subresource} */
+    const subresource = {
+      subresourceType: scenario.subresource,
+      url: urls.testUrl,
+      policyDeliveries: scenario.subresource_policy_deliveries,
+    };
+
+    let violationEventResolve;
+    // Resolved with an array of securitypolicyviolation events.
+    const violationEventPromise = new Promise(resolve => {
+        violationEventResolve = resolve;
+      });
+
+    promise_test(async t => {
+      await xhrRequest(urls.announceUrl);
+
+      // Currently only requests from top-level Documents are tested
+      // (specified by `spec.src.json`) and thus securitypolicyviolation
+      // events are assumed to be fired on the top-level Document here.
+      // When adding non-top-level Document tests, securitypolicyviolation
+      // events should be caught in appropriate contexts.
+      const violationEvents = [];
+      const listener = e => { violationEvents.push(e); };
+      document.addEventListener('securitypolicyviolation', listener);
+
+      try {
+        // Send out the real resource request.
+        // This should tear down the key if it's not blocked.
+        const mainPromise = invokeRequest(subresource, scenario.source_context_list);
+        if (scenario.expectation === 'allowed') {
+          await mainPromise;
+        } else {
+          await mainPromise
+              .then(t.unreached_func('main promise resolved unexpectedly'))
+              .catch(_ => {});
+        }
+      } finally {
+        // Always perform post-processing/clean up for
+        // 'securitypolicyviolation' events and resolve
+        // `violationEventPromise`, to prevent timeout of the
+        // promise_test() below.
+
+        // securitypolicyviolation events are fired in a queued task in
+        // https://w3c.github.io/webappsec-csp/#report-violation
+        // so wait for queued tasks to run using setTimeout().
+        let timeout = 0;
+        if (scenario.subresource.startsWith('worklet-') &&
+            navigator.userAgent.includes("Firefox/")) {
+          // https://bugzilla.mozilla.org/show_bug.cgi?id=1808911
+          // In Firefox sometimes violations from Worklets are delayed.
+          timeout = 10;
+        }
+        await new Promise(resolve => setTimeout(resolve, timeout));
+
+        // Pass violation events to `violationEventPromise` (which will be tested
+        // in the subsequent promise_test()) and clean up the listener.
+        violationEventResolve(violationEvents);
+        document.removeEventListener('securitypolicyviolation', listener);
+      }
+
+      // Send request to check if the key has been torn down.
+      const assertResult = await xhrRequest(urls.assertUrl);
+
+      // Now check if the value has been torn down. If it's still there,
+      // we have blocked the request by content security policy.
+      assert_equals(assertResult.status, scenario.expectation,
+        "The resource request should be '" + scenario.expectation + "'.");
+
+    }, scenario.test_description);
+
+    promise_test(async _ => {
+        const violationEvents = await violationEventPromise;
+        if (scenario.expectation === 'allowed') {
+          assert_array_equals(violationEvents, [],
+              'no violation events should be fired');
+        } else {
+          assert_equals(violationEvents.length, 1,
+              'One violation event should be fired');
+        }
+      }, scenario.test_description + ": securitypolicyviolation");
+  }  // runTest
+
+  function runTests() {
+    for (const scenario of scenarios) {
+      runTest(scenario);
+    }
+  }
+
+  return {start: runTests};
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/unreached.js b/testing/web-platform/tests/content-security-policy/generic/unreached.js
new file mode 100644
index 0000000000..893fb5eba1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/unreached.js
@@ -0,0 +1,3 @@
+onload = function() {
+      t1.step(function() {assert_unreached("Script should not have ran.");});
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
new file mode 100644
index 0000000000..da3e2790f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(wildcardHostTestRan, 'Script should have ran.')},
+        "Wildcard host matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
new file mode 100644
index 0000000000..75ec8cf80e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_false(wildcardHostTestRan, 'Script should not have ran.')},
+        "Wildcard host matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
new file mode 100644
index 0000000000..8b115d7fc4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
@@ -0,0 +1 @@
+wildcardHostTestRan = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
new file mode 100644
index 0000000000..3cd1d2eaed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
@@ -0,0 +1,8 @@
+wildcardPortTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(wildcardPortTestRan, 'Script should have ran.')},
+        "Wildcard port matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
new file mode 100644
index 0000000000..0138deb2ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
@@ -0,0 +1 @@
+wildcardPortTestRan = true;
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html
new file mode 100644
index 0000000000..5c8ecdee13
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+  <script>
+    var t = async_test("Test that image loads");
+    window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered any violation events"));
+
+    function createLink(rel, src) {
+        var link = document.createElement('link');
+        link.rel = rel;
+        link.href = src;
+        link.onload = t.done();
+        link.onerror = t.unreached_func('The image should have loaded');
+        document.body.appendChild(link);
+    }
+    window.addEventListener('DOMContentLoaded', function() {
+        createLink('icon', '../support/pass.png');
+    });
+
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html
new file mode 100644
index 0000000000..cc882347a1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+  <script>
+    var t = async_test("Test that image does not load");
+    var t_spv = async_test("Test that spv event is fired");
+    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, 'img-src');
+      assert_true(e.blockedURI.endsWith('/support/fail.png'));
+    }));
+
+    function createLink(rel, src) {
+        var link = document.createElement('link');
+        link.rel = rel;
+        link.href = src;
+        link.onerror = t.done();
+        link.onload = t.unreached_func('The image should not have loaded');
+        document.head.appendChild(link);
+    }
+    window.addEventListener('DOMContentLoaded', function() {
+        createLink('icon', '../support/fail.png');
+    });
+
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html
new file mode 100644
index 0000000000..9e4e345a16
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<meta http-equiv="Content-Security-Policy" content="img-src 'self' {{domains[www]}}:{{ports[http][0]}}">
+<html>
+<head>
+    <title>img element src attribute must match src list.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <div id='log'/>
+
+    <script>
+      async_test(function(t) {
+        i = new Image();
+        i.onload = t.step_func_done();
+        i.onerror = t.unreached_func("The img should have loaded");
+        i.src = '/content-security-policy/support/pass.png';
+      }, "img-src for relative path should load");
+
+      async_test(function(t) {
+        i = new Image();
+        i.onload = t.unreached_func("Image from unapproved domain was loaded.");
+        i.onerror = t.step_func_done();
+        i.src = 'http://{{domains[www1]}}/content-security-policy/support/fail.png';
+      }, "img-src from unapproved domains should not load");
+
+      async_test(function(t) {
+        i = new Image();
+        i.onload = t.step_func_done();
+        i.onerror = t.unreached_func("The img should have loaded");
+        i.src = location.protocol + '//{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png';
+      }, "img-src from approved domains should load");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html
new file mode 100644
index 0000000000..23c33d5655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}">
+<html>
+<head>
+    <title>img-src with full host and wildcard blocks correctly.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <div id='log'/>
+
+    <script>
+      var t1 = async_test("img src does not match full host and wildcard csp directive");
+    </script>
+    <img src='http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png'
+         onload='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'
+         onerror='t1.done();'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
new file mode 100644
index 0000000000..d2d36d1341
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}">
+<html>
+<head>
+    <title>img-src works correctly with partial host wildcard.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <div id='log'/>
+
+    <script>
+      var t1 = async_test("img src matches correctly partial wildcard host csp directive");
+    </script>
+    <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+         onload='t1.done();'
+         onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html
new file mode 100644
index 0000000000..9bc0326ef8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none';">
+<html>
+<head>
+    <title>img element src attribute must match src list.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <div id='log'/>
+
+    <script>
+      var t1 = async_test("img-src with 'none' source should not match");
+    </script>
+    <img src='/content-security-policy/support/fail.png'
+         onload='t1.step(function() { assert_unreached("Image should not have loaded"); t1.done(); });'
+         onerror='t1.done();'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
new file mode 100644
index 0000000000..215c10089b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<meta http-equiv="Content-Security-Policy" content="img-src http://www.{{host}}:*">
+<html>
+<head>
+    <title>img-src works correctly with port wildcard source</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <div id='log'/>
+
+    <script>
+      var t1 = async_test("img-src with wildcard port should match any port");
+    </script>
+    <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+         onload='t1.done();'
+         onerror='t1.step(function() { assert_unreached("Image should have loaded."); t1.done()} );'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html
new file mode 100644
index 0000000000..dd689c02f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>img-src-self-unique-origin</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <p>
+        The origin of an URL is called "unique" when it is considered to be
+        different from every origin, including itself. The origin of a
+        data-url is unique. When the current origin is unique, the CSP source
+        'self' must not match any URL.
+    </p>
+    <script>
+        var iframe = document.createElement("iframe");
+        iframe.src = encodeURI(`data:text/html,
+          <script>
+              /* Add the CSP: frame-src: 'self'. */
+              var meta = document.createElement('meta');
+              meta.httpEquiv = 'Content-Security-Policy';
+              meta.content = "img-src 'self'";
+              document.getElementsByTagName('head')[0].appendChild(meta);
+
+              /* Notify the parent the image has been blocked. */
+              window.addEventListener('securitypolicyviolation', e => {
+                  if (e.originalPolicy == "img-src 'self'")
+                      window.parent.postMessage('Test PASS', '*');
+              });
+          </scr`+`ipt>
+
+          This image should be blocked by CSP:
+          <img src='data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7'></img>
+        `);
+        if (window.async_test) {
+            async_test(t => {
+                window.addEventListener("message", e => {
+                    if (e.data == "Test PASS")
+                      t.done();
+                });
+            }, "Image's url must not match with 'self'. Image must be blocked.");
+        }
+        document.body.appendChild(iframe);
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html
new file mode 100644
index 0000000000..72326ee6fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *;">
+<html>
+<head>
+    <title>img element src attribute must match src list.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <div id='log'/>
+
+    <script>
+      var t1 = async_test("img-src with wildcard should match all");
+    </script>
+    <img src='/content-security-policy/support/pass.png'
+         onload='t1.done();'
+         onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
+
+    <script>
+      async_test(function(t) {
+
+        var pngBase64 = "iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAIAAAD/gAIDAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnklEQVR42u3QMQEAAAgDoGlyo1vBzwciUJlw1ApkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyfq2MosBSIeKONMAAAAASUVORK5CYII=";
+
+        blobContents = [atob(pngBase64)];
+        blob = new Blob(blobContents, {type: "image/png"});
+        img = document.createElement("img");
+        img.onerror = function (e) {
+          t.done();
+        };
+        img.onload = function () {
+          assert_unreached("Should not load blob img");
+          t.done();
+        };
+        blobURL = window.URL.createObjectURL(blob);
+        img.src = blobURL;
+
+      },"img-src with wildcard should not match blob");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html
new file mode 100644
index 0000000000..d7405cd255
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>report-blocked-data-uri</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=img-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+       });
+    </script>
+
+    <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/blob-inherits-from-meta-http-equiv-with-invalid-characters.html b/testing/web-platform/tests/content-security-policy/inheritance/blob-inherits-from-meta-http-equiv-with-invalid-characters.html
new file mode 100644
index 0000000000..8463a2eaf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-inherits-from-meta-http-equiv-with-invalid-characters.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="
+    default-src 'none';
+    script-src blob: 'nonce-abc'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+<script nonce="abc">
+    async_test(t => {
+        var script = document.createElement("script");
+        script.onerror = () => assert_unreached("FAIL should not have fired error event.");
+        script.onload = () => t.done();
+        script.src = URL.createObjectURL(new Blob(["alert('PASS executed blob URL script.');"]));
+        document.head.appendChild(script);
+    }, "blob: URL inherits CSP from a meta tag whose contents have newline characters.");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html
new file mode 100644
index 0000000000..f2b3d063e9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<!-- This tests that navigating a main window to a local scheme preserves the current CSP.
+     We need to test this in a main window with no parent/opener so we use
+     a link with target=_blank and rel=noopener. -->
+<body>
+    <iframe src="support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}"></iframe>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html
new file mode 100644
index 0000000000..3b54528d56
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<!-- This tests that navigating a main window to a local scheme preserves the current CSP.
+     We need to test this in a main window with no parent/opener so we use
+     a link with target=_blank and rel=noopener. -->
+<body>
+    <script>
+      const a = document.createElement("a")
+      a.href = "support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}";
+      a.target = "_blank"
+      a.rel = "noopener"
+      a.click()
+    </script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html
new file mode 100644
index 0000000000..72d59325d1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Blob URL inherits CSP from initiator.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  let testCases = [
+    {
+      initiator_origin: window.origin,
+      name: "Initiator is same-origin with target frame.",
+    },
+    {
+      initiator_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: "Initiator is cross-origin with target frame.",
+    },
+  ];
+
+  testCases.forEach(test => {
+    async_test(t => {
+      // Create a popup. At the beginning, the popup has no CSPs.
+      let target = window.open();
+      t.add_cleanup(() => target.close());
+
+      // Create a child frame in the popup. The child frame has
+      // Content-Security-Policy: script-src 'unsafe-inline'. The child frame
+      // will navigate the popup to a blob URL, which will try if eval is
+      // allowed and message back.
+      let initiator = target.document.createElement('iframe');
+      initiator.sandbox = "allow-scripts allow-same-origin allow-top-navigation";
+      initiator.src = test.initiator_origin +
+        "/content-security-policy/inheritance/support/navigate-parent-to-blob.html";
+
+      window.addEventListener("message", t.step_func(e => {
+        if (e.source !== target) return;
+        assert_equals(e.data, "eval blocked",
+                      "Eval should be blocked by CSP in blob URL.");
+        t.done();
+      }));
+
+      target.document.body.appendChild(initiator);
+    }, test.name);
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/document-write-iframe.html b/testing/web-platform/tests/content-security-policy/inheritance/document-write-iframe.html
new file mode 100644
index 0000000000..d6ad88ddc9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/document-write-iframe.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <title>document.open() does not change Content Security Policies</title>
+</head>
+<body>
+  <script>
+    let message_from = (w) => {
+      return new Promise(resolve => {
+        let listener = msg => {
+          if (msg.source != w)
+            return;
+          window.removeEventListener('message', listener);
+          resolve(msg.data);
+        };
+        window.addEventListener('message', listener);
+      });
+    };
+
+    var documentBody = function(should_load) {
+      let image = should_load ? "pass.png" : "fail.png";
+      return `
+      <script>
+        function loaded() {
+          window.top.postMessage("loaded", '*');
+        };
+        window.addEventListener('securitypolicyviolation', function(e) {
+          window.top.postMessage("blocked", '*');
+        });
+      </scr`+`ipt>
+      <img src='/content-security-policy/support/${image}' onload='loaded()'>`;
+    };
+
+    promise_test(async () => {
+      let iframe = document.createElement('iframe');
+      document.body.appendChild(iframe);
+
+      let msg = message_from(iframe.contentWindow);
+      let doc = iframe.contentWindow.document;
+      doc.open();
+      doc.write("<html><body>" + documentBody(false) + "</body></html>");
+      doc.close();
+      assert_equals(await msg, "blocked");
+    }, "document.open() keeps inherited CSPs on empty iframe.");
+
+    promise_test(async () => {
+      let iframe = document.createElement('iframe');
+      let loaded = new Promise(resolve => iframe.onload = resolve);
+      iframe.src = "/common/blank.html";
+      document.body.appendChild(iframe);
+      await loaded;
+
+      let msg = message_from(iframe.contentWindow);
+      let doc = iframe.contentWindow.document;
+      doc.open();
+      doc.write("<html><body>" + documentBody(true) + "</body></html>");
+      doc.close();
+      assert_equals(await msg, "loaded");
+    }, "document.open() does not change delivered CSPs.");
+
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/frame-src-javascript-url.html b/testing/web-platform/tests/content-security-policy/inheritance/frame-src-javascript-url.html
new file mode 100644
index 0000000000..b08da85e87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/frame-src-javascript-url.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<script>
+  const iframe_url = new URL("./support/empty.html", location.href);
+
+  // Regression test for: https://crbug.com/1064676
+  promise_test(async (t) => {
+    await new Promise(r => window.onload = r);
+
+    let url = `javascript:
+
+      window.addEventListener('securitypolicyviolation', e => {
+        parent.postMessage({
+          originalPolicy: e.originalPolicy,
+          blockedURI: e.blockedURI,
+        });
+      });
+
+      let iframe = document.createElement('iframe');
+      iframe.src = '${iframe_url}';
+      document.body.appendChild(iframe);
+
+    `;
+
+    let iframe = document.createElement('iframe');
+    iframe.src = encodeURI(url.replace(/\n/g, ""));
+
+    let violation = new Promise(r => window.addEventListener("message", r));
+    document.body.appendChild(iframe);
+    let {data} = await violation;
+
+    assert_equals(data.originalPolicy, "frame-src 'none'");
+    assert_equals(data.blockedURI, iframe_url.toString());
+
+  }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <iframe> is blocked)");
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/history-iframe.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/history-iframe.sub.html
new file mode 100644
index 0000000000..412b3ac346
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/history-iframe.sub.html
@@ -0,0 +1,178 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+  let message_from = (source_token, starts_with) => {
+    return new Promise(resolve => {
+      window.addEventListener('message', msg => {
+        if (msg.data.token === source_token) {
+          if (!starts_with || msg.data.msg.startsWith(starts_with))
+            resolve(msg.data.msg);
+        }
+      });
+    });
+  };
+
+  const img_url = window.origin + "/content-security-policy/support/fail.png";
+
+  const img_tag_string = img_token => `
+    <img src="${img_url}"
+         onload="top.postMessage(
+             {msg: 'img loaded', token: '${img_token}'}, '*');"
+         onerror="top.postMessage(
+             {msg: 'img blocked', token: '${img_token}'}, '*');"
+    >
+   `;
+
+  const html_test_payload = img_token => `
+    <!doctype html>
+    <script>
+      function add_image() {
+        let img = document.createElement('img');
+        img.onload = () => top.postMessage(
+            {msg: 'img loaded', token: '${img_token}'}, '*');
+        img.onerror = () => top.postMessage(
+            {msg: 'img blocked', token: '${img_token}'}, '*');
+        img.src = '${img_url}';
+        document.body.appendChild(img);
+      }
+    </scr`+`ipt>
+    <body onpageshow="add_image();"></body>
+  `;
+  let blob_url = blob_token => URL.createObjectURL(
+    new Blob([html_test_payload(blob_token)], { type: 'text/html' }));
+
+  let write_img_to_about_blank = async (t, iframe, img_token) => {
+    await t.step_wait(
+      condition = () => {
+        try {
+          return iframe.contentWindow.location.href == "about:blank";
+        } catch {}
+        return false;
+      },
+      description = "Wait for the iframe to navigate.",
+      timeout=6000,
+      interval=50);
+
+    let div = iframe.contentDocument.createElement('div');
+    div.innerHTML = img_tag_string(img_token);
+    iframe.contentDocument.body.appendChild(div);
+  };
+
+  let testCases = [
+    test_token => ({
+      token: test_token,
+      url: "about:blank",
+      add_img_function: (t, iframe) =>
+          write_img_to_about_blank(t, iframe, test_token),
+      other_origin: window.origin,
+      name: '"about:blank" document is navigated back from history same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: "about:blank",
+      add_img_function: (t, iframe) =>
+          write_img_to_about_blank(t, iframe, test_token),
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: '"about:blank" document is navigated back from history cross-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: blob_url(test_token),
+      other_origin: window.origin,
+      name: 'blob URL document is navigated back from history same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: blob_url(test_token),
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: 'blob URL document is navigated back from history cross-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: `data:text/html,${html_test_payload(test_token)}`,
+      other_origin: window.origin,
+      name: 'data URL document is navigated back from history same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: `data:text/html,${html_test_payload(test_token)}`,
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: 'data URL document is navigated back from history cross-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      srcdoc: `${html_test_payload(test_token)}`,
+      other_origin: window.origin,
+      name: 'srcdoc iframe is navigated back from history same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      srcdoc: `${html_test_payload(test_token)}`,
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: 'srcdoc iframe is navigated back from history cross-origin.',
+    }),
+  ].map(f => f(token()));
+
+  testCases.forEach(testCase => {
+    promise_test(async t => {
+      // Create an iframe.
+      let iframe = document.createElement('iframe');
+      document.body.appendChild(iframe);
+
+      // Perform a real navigation in the iframe. This is needed because the
+      // initial empty document is not stored in history (so there is no way of
+      // navigating back to it and test history inheritance).
+      const token_1 = token();
+      let loaded_1 = message_from(token_1);
+      iframe.contentWindow.location = testCase.other_origin +
+        "/content-security-policy/inheritance/support" +
+        `/postmessage-top.html?token=${token_1}`;
+      assert_equals(await loaded_1, "ready",
+                    "Could not navigate iframe.");
+
+      // Navigate to the local scheme document.
+      let message = message_from(testCase.token);
+      if (testCase.url)
+        iframe.contentWindow.location = testCase.url;
+      else
+        iframe.srcdoc = testCase.srcdoc;
+
+      // If the local scheme document is "about:blank", we need to write its
+      // content now.
+      if (testCase.add_img_function) {
+        testCase.add_img_function(t, iframe);
+      }
+
+      // Check that the local scheme document inherits CSP from the initiator.
+      assert_equals(await message, "img blocked",
+                    "Image should be blocked by CSP inherited from navigation initiator.");
+
+      // Navigate to another page, which will navigate back.
+      const token_2 = token();
+      let loaded_2 = message_from(token_2, "ready");
+      let message_2 = message_from(testCase.token, "img");
+      iframe.contentWindow.location = testCase.other_origin +
+        "/content-security-policy/inheritance/support" +
+        `/message-top-and-navigate-back.html?token=${token_2}`;
+      assert_equals(await loaded_2, "ready",
+                    "Could not navigate iframe.");
+
+      // If the local scheme document is "about:blank", we need to write its
+      // content again.
+      if (testCase.add_img_function) {
+        testCase.add_img_function(t, iframe);
+      }
+
+      // Check that the local scheme document reloaded from history still has
+      // the original CSPs.
+      assert_equals(await message_2, "img blocked",
+                    "Image should be blocked by CSP reloaded from history.");
+    }, "History navigation in iframe: " + testCase.name);
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/history.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/history.sub.html
new file mode 100644
index 0000000000..5ea6abe8fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/history.sub.html
@@ -0,0 +1,195 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+
+<script>
+  let message_from = (source_token, starts_with) => {
+    return new Promise(resolve => {
+      window.addEventListener('message', msg => {
+        if (msg.data.token === source_token) {
+          if (!starts_with || msg.data.msg.startsWith(starts_with))
+            resolve(msg.data.msg);
+        }
+      });
+    });
+  };
+
+  const img_url = window.origin + "/content-security-policy/support/fail.png";
+
+  const function_addImage_string = img_token => `
+    function addImage() {
+      let img = document.createElement('img');
+      img.src = '${img_url}';
+      img.onload = () => opener.postMessage(
+          {msg: 'img loaded', token: '${img_token}'}, '*');
+      img.onerror = () => opener.postMessage(
+          {msg: 'img blocked', token: '${img_token}'}, '*');
+      document.body.appendChild(img);
+    }
+  `;
+
+  const img_tag_string = img_token => `
+    <img src="${img_url}"
+         onload="opener.postMessage(
+             {msg: 'img loaded', token: '${img_token}'}, '*');"
+         onerror="opener.postMessage(
+             {msg: 'img blocked', token: '${img_token}'}, '*');"
+    >
+  `;
+
+  let write_img_to_popup = (popup, img_token) => {
+    let div = popup.document.createElement('div');
+    div.innerHTML = img_tag_string(img_token);
+    popup.document.body.appendChild(div);
+  };
+
+  // A beforeunload event listener disables bfcache (Firefox only).
+  //
+  // Note: Chrome enables bfcache only on HTTP/HTTPS documents, so a blob will
+  // never be put in the bfcache. Moreover with Chrome, bfcache needs a single
+  // top-level browsing context in the browsing context group. Since we are
+  // using window.open() below, the back-forward cache is not triggered.
+  const disable_bfcache = `
+    window.addEventListener('beforeunload', function(event) {
+      eval('1+1');
+    });
+  `;
+
+  const blob_payload = blob_token => `
+    <!doctype html>
+    <script>window.window_token = "${blob_token}";</scr`+`ipt>
+    <script>${function_addImage_string(`${blob_token}`)}</scr`+`ipt>
+    <body onpageshow="addImage();"></body>
+  `;
+  let blob_url = blob_token => URL.createObjectURL(
+    new Blob([blob_payload(blob_token)], { type: 'text/html' }));
+
+  const blob_payload_no_bfcache = blob_token => `
+    <!doctype html>
+    <script>window.window_token = "${blob_token}";</scr`+`ipt>
+    <script>${disable_bfcache}</scr`+`ipt>
+    <script>${function_addImage_string(`${blob_token}`)}</scr`+`ipt>
+    <body onpageshow="addImage();"></body>
+  `;
+  let blob_url_no_bfcache = blob_token => URL.createObjectURL(
+    new Blob([blob_payload_no_bfcache(blob_token)], { type: 'text/html' }));
+
+  let testCases = [
+    test_token => ({
+      token: test_token,
+      url: "about:blank",
+      add_img_function: popup => write_img_to_popup(popup, test_token),
+      other_origin: window.origin,
+      name: '"about:blank" document is navigated back from history same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: "about:blank",
+      add_img_function: popup => write_img_to_popup(popup, test_token),
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: '"about:blank" document is navigated back from history cross-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: blob_url(test_token),
+      other_origin: window.origin,
+      name: 'blob URL document is navigated back from history same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: blob_url(test_token),
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: 'blob URL document is navigated back from history cross-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: blob_url_no_bfcache(test_token),
+      other_origin: window.origin,
+      name: 'blob URL document is navigated back from history (without bfcache on Firefox) same-origin.',
+    }),
+    test_token => ({
+      token: test_token,
+      url: blob_url_no_bfcache(test_token),
+      other_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: 'blob URL document is navigated back from history (without bfcache on Firefox) cross-origin.',
+    }),
+  ].map(f => f(token()));
+
+  let async_promise_test = (promise, description) => {
+    async_test(test => {
+      promise(test)
+        .then(() => {test.done();})
+        .catch(test.step_func(error => { throw error; }));
+    }, description);
+  };
+
+  testCases.forEach(testCase => {
+    async_promise_test(async t => {
+      // Create a popup.
+      let popup = window.open();
+
+      // Closing fails sometimes on Firefox:
+      // https://bugzilla.mozilla.org/show_bug.cgi?id=1698093
+      t.add_cleanup(() => { popup.close(); });
+
+      // Perform a real navigation in the popup. This is needed because the
+      // initial empty document is not stored in history (so there is no way of
+      // navigating back to it and test history inheritance).
+      const token_1 = token();
+      let loaded_1 = message_from(token_1);
+      popup.location = testCase.other_origin +
+        `/content-security-policy/inheritance/support` +
+        `/postmessage-opener.html?token=${token_1}`;
+      assert_equals(await loaded_1, "ready",
+                    "Could not open and navigate popup.");
+
+      // Navigate to the local scheme document. We need to wait for the
+      // navigation to succeed.
+      let wait = () => t.step_wait(
+        condition = () => {
+          try {
+            return popup.location.href == testCase.url;
+          } catch {}
+          return false;
+        },
+        description = "Wait for the popup to navigate.",
+        timeout=3000,
+        interval=50);
+
+      let message = message_from(testCase.token);
+      popup.location = testCase.url;
+      await wait();
+      if (testCase.add_img_function) {
+        testCase.add_img_function(popup);
+      }
+
+      // Check that the local scheme document inherits CSP from the initiator.
+      assert_equals(await message, "img blocked",
+                    "Image should be blocked by CSP inherited from navigation initiator.");
+
+      const token_2 = token();
+      let loaded_2 = message_from(token_2, "ready");
+      let message_2 = message_from(testCase.token, "img");
+      // Navigate to another page, which will navigate back.
+      popup.location = testCase.other_origin +
+        `/content-security-policy/inheritance/support` +
+        `/message-opener-and-navigate-back.html?token=${token_2}`;
+      assert_equals(await loaded_2, "ready",
+                    "Could not navigate popup.");
+
+      // We need to wait for the history navigation to be performed.
+      await wait();
+
+      // Check that the "about:blank" document reloaded from history has the
+      // original CSPs.
+      if (testCase.add_img_function) {
+        testCase.add_img_function(popup);
+      }
+      assert_equals(await message_2, "img blocked",
+                    "Image should be blocked by CSP reloaded from history.");
+    }, "History navigation: " + testCase.name);
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html
new file mode 100644
index 0000000000..73e974e51a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+
+<body>
+
+<script>
+  function wait_for_error_from_frame(frame, test) {
+    window.addEventListener('message', test.step_func(e => {
+      if (e.source != frame.contentWindow)
+        return;
+      assert_equals(e.data, "load");
+      frame.remove();
+      test.done();
+    }));
+  }
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    document.body.appendChild(i);
+
+    var img = document.createElement('img');
+    img.onload = t.step_func_done(_ => i.remove());
+    img.onerror = t.unreached_func();
+    i.contentDocument.body.appendChild(img);
+    img.src = "{{location[server]}}/images/red-16x16.png";
+  }, "<iframe>'s about:blank inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.srcdoc = `
+      <img src='{{location[server]}}/images/red-16x16.png'
+        onload='window.top.postMessage("load", "*");'
+        onerror='window.top.postMessage("error", "*");'
+      >
+    `;
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe srcdoc>'s inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    var b = new Blob(
+      [`
+        <img src='{{location[server]}}/images/red-16x16.png'
+          onload='window.top.postMessage("load", "*");'
+          onerror='window.top.postMessage("error", "*");'
+        >
+      `], {type:"text/html"});
+    i.src = URL.createObjectURL(b);
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='blob:...'>'s inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.src = `data:text/html,<img src='{{location[server]}}/images/red-16x16.png'
+      onload='window.top.postMessage("load", "*");'
+      onerror='window.top.postMessage("error", "*");'
+    >`;
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='data:...'>'s inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.src = `javascript:"<img src='{{location[server]}}/images/red-16x16.png'
+      onload='window.top.postMessage(\\"load\\", \\"*\\");'
+      onerror='window.top.postMessage(\\"error\\", \\"*\\");'
+    >"`;
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:...'>'s inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    var b = new Blob(
+      [`
+        <img src='{{location[server]}}/images/red-16x16.png'
+          onload='window.top.postMessage("load", "*");'
+          onerror='window.top.postMessage("error", "*");'
+        >
+      `], {type:"text/html"});
+    i.src = URL.createObjectURL(b);
+    i.sandbox = 'allow-scripts';
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)");
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html
new file mode 100644
index 0000000000..4b787e0c18
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html
@@ -0,0 +1,180 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+
+<body>
+
+<script>
+  function wait_for_error_from_frame(frame, test) {
+    window.addEventListener('message', test.step_func(e => {
+      if (e.source != frame.contentWindow)
+        return;
+      assert_equals(e.data, "error");
+      frame.remove();
+      test.done();
+    }));
+  }
+
+  function wait_for_error_from_window(opened_window, test) {
+    window.addEventListener('message', test.step_func(e => {
+      if (e.source != opened_window)
+        return;
+      assert_equals(e.data, "error");
+      opened_window.close();
+      test.done();
+    }));
+  }
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    document.body.appendChild(i);
+
+    var img = document.createElement('img');
+    img.onerror = t.step_func_done(_ => i.remove());
+    img.onload = t.unreached_func();
+    i.contentDocument.body.appendChild(img);
+    img.src = "{{location[server]}}/images/red-16x16.png";
+  }, "<iframe>'s about:blank inherits policy.");
+
+  async_test(t => {
+    var w = window.open("about:blank");
+
+    let then = t.step_func(() => {
+      then = () => {};
+      var img = w.document.createElement('img');
+      img.onerror = t.step_func_done(_ => w.close());
+      img.onload = t.unreached_func();
+      w.document.body.appendChild(img);
+      img.src = "{{location[server]}}/images/red-16x16.png";
+    });
+
+    // There are now interoperable way to wait for the initial about:blank
+    // document to load. Chrome loads it synchronously, hence we can't wait for
+    // w.onload. On the other side Firefox loads the initial empty document
+    // later and we can wait for the onload event.
+    w.onload = then;
+    setTimeout(then, 200);
+
+    // Navigations to about:blank happens synchronously. There is no need to
+    // wait for the document to load.
+  }, "window about:blank inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.srcdoc = `
+      <img src='{{location[server]}}/images/red-16x16.png'
+        onload='window.top.postMessage("load", "*");'
+        onerror='window.top.postMessage("error", "*");'
+      >
+    `;
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe srcdoc>'s inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    var b = new Blob(
+      [`
+        <img src='{{location[server]}}/images/red-16x16.png'
+          onload='window.top.postMessage("load", "*");'
+          onerror='window.top.postMessage("error", "*");'
+        >
+      `], {type:"text/html"});
+    i.src = URL.createObjectURL(b);
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='blob:...'>'s inherits policy.");
+
+  async_test(t => {
+    var b = new Blob(
+      [`
+        <img src='{{location[server]}}/images/red-16x16.png'
+          onload='window.opener.postMessage("load", "*");'
+          onerror='window.opener.postMessage("error", "*");'
+        >
+      `], {type:"text/html"});
+    let url = URL.createObjectURL(b);
+    var w = window.open(url);
+    wait_for_error_from_window(w, t);
+  }, "window url='blob:...' inherits policy.");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.src = `data:text/html,<img src='{{location[server]}}/images/red-16x16.png'
+      onload='window.top.postMessage("load", "*");'
+      onerror='window.top.postMessage("error", "*");'
+    >`;
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='data:...'>'s inherits policy.");
+
+  // Opening a window toward a data-url isn't allowed anymore. Hence, it can't
+  // be tested.
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    i.src = `javascript:"<img src='{{location[server]}}/images/red-16x16.png'
+      onload='window.top.postMessage(\\"load\\", \\"*\\");'
+      onerror='window.top.postMessage(\\"error\\", \\"*\\");'
+    >"`;
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:...'>'s inherits policy (static <img> is blocked)");
+
+  async_test(t => {
+    let url = `javascript:"<img src='{{location[server]}}/images/red-16x16.png'
+      onload='window.opener.postMessage(\\"load\\", \\"*\\");'
+      onerror='window.opener.postMessage(\\"error\\", \\"*\\");'
+    >"`;
+
+    let w = window.open(url);
+    wait_for_error_from_window(w, t);
+  }, "window url='javascript:...'>'s inherits policy (static <img> is blocked)");
+
+  // Same as the previous javascript-URL test, but instead of loading the <img>
+  // from the new document, this one is created from the initial empty document,
+  // while evaluating the javascript-url.
+  // See https://crbug.com/1064676
+  async_test(t => {
+    let url = `javascript:
+      let img = document.createElement('img');
+      img.onload = () => window.top.postMessage('load', '*');
+      img.onerror = () => window.top.postMessage('error', '*');
+      img.src = '{{location[server]}}/images/red-16x16.png';
+      document.body.appendChild(img);
+    `;
+    var i = document.createElement('iframe');
+    i.src = encodeURI(url.replace(/\n/g, ""));
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked)");
+
+  async_test(t => {
+    var i = document.createElement('iframe');
+    var b = new Blob(
+      [`
+        <img src='{{location[server]}}/images/red-16x16.png'
+          onload='window.top.postMessage("load", "*");'
+          onerror='window.top.postMessage("error", "*");'
+        >
+      `], {type:"text/html"});
+    i.src = URL.createObjectURL(b);
+    i.sandbox = 'allow-scripts';
+
+    wait_for_error_from_frame(i, t);
+
+    document.body.appendChild(i);
+  }, "<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)");
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/iframe-srcdoc-history-inheritance.html b/testing/web-platform/tests/content-security-policy/inheritance/iframe-srcdoc-history-inheritance.html
new file mode 100644
index 0000000000..907c88e813
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/iframe-srcdoc-history-inheritance.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<iframe></iframe>
+<script>
+promise_test(async t => {
+  // Wait for the page to load + one task so that navigations from here on are
+  // not done in "replace" mode.
+  await new Promise(resolve => window.onload = () => t.step_timeout(resolve, 0));
+  const iframe = document.querySelector('iframe');
+
+  iframe.srcdoc = `
+    <h1>This is a dummy page that should not store the inherited policy
+    container in this history entry</h1>
+  `;
+
+  await new Promise(resolve => iframe.onload = () => t.step_timeout(resolve, 0));
+
+  // Navigate the iframe away.
+  iframe.contentWindow.location.href = "/common/blank.html";
+  await new Promise(resolve => iframe.onload = resolve);
+
+  // Tighten the outer page's security policy.
+  const meta = document.createElement("meta");
+  meta.setAttribute("http-equiv", "Content-Security-Policy");
+  meta.setAttribute("content", "img-src 'none'");
+  document.head.append(meta);
+
+  // Navigate the iframe back to the `about:srcdoc` page (this should work
+  // independent of whether the implementation stores the srcdoc contents in the
+  // history entry or reclaims it from the attribute).
+  iframe.contentWindow.history.back();
+  await new Promise(resolve => iframe.onload = resolve);
+
+  const img = iframe.contentDocument.createElement('img');
+
+  const promise = new Promise((resolve, reject) => {
+    img.onload = resolve;
+    // If the img is blocked because of Content Security Policy, a violation
+    // should be reported first, and the test will fail. If for some other
+    // reason the error event is fired without the violation being reported,
+    // something else went wrong, hence the test should fail.
+    img.error = e => {
+      reject(new Error("The srcdoc iframe's img failed to load but not due to " +
+                       "a CSP violation"));
+    };
+    iframe.contentDocument.onsecuritypolicyviolation = e => {
+      reject(new Error("The srcdoc iframe's img has been blocked by the " +
+        "new CSP. It means it was different and wasn't restored from history"));
+    };
+  });
+  // The srcdoc iframe tries to load an image, which should succeed.
+  img.src = "/common/square.png";
+
+  return promise;
+});
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html b/testing/web-platform/tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html
new file mode 100644
index 0000000000..e05150762f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("First image should be blocked");
+    var t2 = async_test("Second image should be blocked");
+    window.onmessage = t1.step_func_done(function(e) {
+      if (e.data == "img blocked") {
+        frames[0].frames[0].frameElement.srcdoc =
+        `<script>
+           window.addEventListener('securitypolicyviolation', function(e) {
+             if (e.violatedDirective == 'img-src') {
+               top.postMessage('img blocked', '*');
+             }
+           })
+         </scr` + `ipt>
+         <img src='/content-security-policy/support/fail.png'
+              onload='top.postMessage("img loaded", "*")'/>`;
+        window.onmessage = t2.step_func_done(function(e) {
+          if (e.data != "img blocked")
+            assert_true(false, "The second image should have been blocked");
+        });
+      } else {
+        assert_true(false, "The first image should have been blocked");
+      }
+    });
+  </script>
+  <iframe src="support/srcdoc-child-frame.html"></iframe>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/inheritance-from-initiator.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/inheritance-from-initiator.sub.html
new file mode 100644
index 0000000000..4621c57d45
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/inheritance-from-initiator.sub.html
@@ -0,0 +1,173 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src http://{{hosts[][www]}}:{{ports[http][0]}}">
+<body>
+  <script>
+    let message_from = w => {
+      return new Promise(resolve => {
+        window.addEventListener('message', msg => {
+          if (msg.source == w) {
+            resolve(msg.data);
+          }
+        });
+      });
+    };
+
+    // `iframe_a` and `iframe_b` are two helper iframes with different
+    // CSPs.
+    let iframe_a, iframe_b;
+
+    // Setup `iframe_a` and `iframe_b`.
+    promise_setup(async () => {
+      iframe_a = document.createElement('iframe');
+      iframe_a.src = "./support/iframe-do.sub.html?" +
+        "img-src=http://{{hosts[][www1]}}:{{ports[http][0]}}";
+      document.body.appendChild(iframe_a);
+      await message_from(iframe_a.contentWindow);
+
+      iframe_b = document.createElement('iframe');
+      iframe_b.id = 'iframe_b';
+      iframe_b.src = "./support/iframe-do.sub.html?" +
+        "img-src=http://{{hosts[][www2]}}:{{ports[http][0]}}";
+      document.body.appendChild(iframe_b);
+      await message_from(iframe_b.contentWindow);
+    });
+
+    let test_iframe_id_counter = 0;
+
+    // Helper function to create the target iframe of a navigation.
+    let create_test_iframe = async () => {
+      let test_iframe = document.createElement('iframe');
+      test_iframe.id = "test_iframe_" + test_iframe_id_counter++;
+      test_iframe.name = test_iframe.id;
+      document.body.appendChild(test_iframe);
+      return test_iframe;
+    }
+
+    // The following code will try loading several images and check
+    // whether CSP has been inherited by the parent ("p"), `iframe_a`
+    // ("a") or `iframe_b` ("b"). It will post a message to the top
+    // with the result.
+    let data_payload = `
+      <body><script>
+        new Promise(async (resolve, reject) => {
+          const img_path = "/content-security-policy/support/pass.png";
+
+          let img_loaded = (origin) => new Promise(resolve => {
+            let img = document.createElement('img');
+            img.onerror = () => resolve(false);
+            img.onload = () => resolve(true);
+            img.src = origin + img_path;
+            document.body.appendChild(img);
+          });
+
+          inherited_from_p = await img_loaded(
+            "http://{{hosts[][www]}}:{{ports[http][0]}}");
+          inherited_from_a = await img_loaded(
+            "http://{{hosts[][www1]}}:{{ports[http][0]}}");
+          inherited_from_b = await img_loaded(
+            "http://{{hosts[][www2]}}:{{ports[http][0]}}");
+
+          if (inherited_from_a + inherited_from_b +
+               inherited_from_p !== 1) {
+            reject("Exactly one CSP should be inherited");
+          }
+          if (inherited_from_a) resolve("a");
+          if (inherited_from_b) resolve("b");
+          if (inherited_from_p) resolve("p");
+        }).then(from => top.postMessage(from, '*'),
+                error => top.postMessage(error, '*'));
+      </scr`+`ipt></body>
+    `;
+
+    let data_url = "data:text/html;base64," + btoa(data_payload);
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      iframe_a.contentWindow.postMessage(
+        `parent.document.getElementById('${test_iframe.id}').src = '${data_url}'`);
+
+      assert_equals(await message_from(test_iframe.contentWindow), "p");
+    }, "Setting src inherits from parent.");
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      iframe_a.contentWindow.postMessage(
+        `parent.document.getElementById('${test_iframe.id}').contentWindow.location = '${data_url}'`);
+
+      assert_equals(await message_from(test_iframe.contentWindow), "a");
+    }, "Changing contentWindow.location inherits from who changed it.");
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      window.navigate_test_iframe = () => {
+        test_iframe.contentWindow.location = data_url;
+      };
+      iframe_a.contentWindow.postMessage(`parent.navigate_test_iframe();`);
+      assert_equals(await message_from(test_iframe.contentWindow), "p");
+    }, "Changing contentWindow.location indirectly inherits from who changed it directly.");
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      iframe_a.contentWindow.postMessage(
+        `window.open('${data_url}', "${test_iframe.name}")`);
+
+      assert_equals(await message_from(test_iframe.contentWindow), "a");
+    }, "window.open() inherits from caller.");
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      let a = iframe_b.contentDocument.createElement('a');
+      a.id = 'a';
+      a.href = data_url;
+      a.target = test_iframe.name;
+      iframe_b.contentDocument.body.appendChild(a);
+
+      iframe_a.contentWindow.postMessage(
+        `parent.document.getElementById('iframe_b').contentDocument.getElementById('a').click();`);
+
+      assert_equals(await message_from(test_iframe.contentWindow), "b");
+      iframe_b.contentDocument.body.removeChild(a);
+    }, "Click on anchor inherits from owner of the anchor.");
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      let form = iframe_b.contentDocument.createElement('form');
+      form.id = 'form';
+      form.action = data_url;
+      form.target = test_iframe.name;
+      form.method = "POST";
+      iframe_b.contentDocument.body.appendChild(form);
+
+      iframe_a.contentWindow.postMessage(
+        `parent.document.getElementById('iframe_b').contentDocument.getElementById('form').submit();`);
+
+      assert_equals(await message_from(test_iframe.contentWindow), "b");
+      iframe_b.contentDocument.body.removeChild(form);
+    }, "Form submission through submit() inherits from owner of form.");
+
+    promise_test(async t => {
+      let test_iframe = await create_test_iframe();
+      let form = iframe_b.contentDocument.createElement('form');
+      form.id = 'form';
+      form.action = data_url;
+      form.target = test_iframe.name;
+      form.method = "POST";
+      iframe_b.contentDocument.body.appendChild(form);
+      let button = iframe_b.contentDocument.createElement('button');
+      button.type = "submit";
+      button.value = "submit";
+      button.id = "button";
+      form.appendChild(button);
+
+      iframe_a.contentWindow.postMessage(
+        `parent.document.getElementById('iframe_b').contentDocument.getElementById('button').click();`);
+
+      assert_equals(await message_from(test_iframe.contentWindow), "b");
+      iframe_b.contentDocument.body.removeChild(form);
+    }, "Form submission through button click inherits from owner of form.");
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html b/testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html
new file mode 100644
index 0000000000..c473b3f426
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Tests that mutations inside a context that inherits a copy of the CSP list
+       does not affect the parent context -->
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that parent document image loads");
+    var t2 = async_test("Test that embedded iframe document image does not load");
+    var t3 = async_test("Test that spv event is fired");
+
+    window.onmessage = function(e) {
+      if (e.data.type == 'spv') {
+        t3.step(function() {
+          assert_equals(e.data.violatedDirective, "img-src");
+          t3.done();
+        });
+      } else if (e.data.type == 'imgload') {
+        var img = document.createElement('img');
+        img.src = "../support/pass.png";
+        img.onload = function() { t1.done(); };
+        img.onerror = t1.unreached_func('Should have loaded the image');
+        document.body.appendChild(img);
+
+        t2.step(function() {
+          assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP");
+          t2.done();
+        });
+      }
+    }
+
+    var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">',
+                  '<script>',
+                  ' window.addEventListener("securitypolicyviolation", function(e) {',
+                  '  window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");',
+                  ' });',
+                  '</scr' + 'ipt>',
+                  '<img src="../support/fail.png"',
+                  '  onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"',
+                  '  onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n');
+    var i = document.createElement('iframe');
+    i.srcdoc = srcdoc;
+    document.body.appendChild(i);
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/javascript-url-open-in-main-window.html b/testing/web-platform/tests/content-security-policy/inheritance/javascript-url-open-in-main-window.html
new file mode 100644
index 0000000000..2366284fc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/javascript-url-open-in-main-window.html
@@ -0,0 +1,13 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  async_test(t => {
+    window.addEventListener("message", t.step_func_done(e => {
+      assert_equals(e.data, "img blocked",
+                    "Img should be blocked by CSP img-src 'none'");
+    }));
+
+    w = window.open("./support/navigate-self-to-javascript.html");
+    t.add_cleanup(w.close);
+  }, "Executing Javascript URL keeps enforcing previous CSPs of the document.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/javascript-url-srcdoc-cross-origin-iframe-inheritance.html b/testing/web-platform/tests/content-security-policy/inheritance/javascript-url-srcdoc-cross-origin-iframe-inheritance.html
new file mode 100644
index 0000000000..81210fe30f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/javascript-url-srcdoc-cross-origin-iframe-inheritance.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<head>
+  <meta charset="utf-8">
+  <title>Content Security Policy: nested inheritance</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+  <script>
+    // This test creates a page with CSP: frame-src 'self'. The page is
+    // navigated to a javascript URL creating a cross-origin iframe inside a
+    // srcdoc iframe. If everything works correctly, the cross-origin iframe
+    // should be blocked.
+    //
+    // Note that most of the logic is performed by the iframe. This file is only
+    // for managing testharness assertions.
+    async_test(t => {
+      window.addEventListener("message", t.step_func(function(e) {
+        if (e.data === "frame allowed") {
+          assert_unreached("Frame should have been blocked.");
+        } else if (e.data === "frame blocked") {
+          t.done();
+        }
+      }));
+    }, "Nested cross-origin iframe should be blocked by frame-src 'self'.");
+  </script>
+  <iframe src="./support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html"></iframe>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html b/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html
new file mode 100644
index 0000000000..5d68e381bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html
@@ -0,0 +1,120 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+  let message_from = (w, starts_with) => {
+    return new Promise(resolve => {
+      window.addEventListener('message', msg => {
+        if (msg.source == w) {
+          if (!starts_with || msg.data.startsWith(starts_with))
+            resolve(msg.data);
+        }
+      });
+    });
+  };
+
+  const img_url = window.origin + "/content-security-policy/support/fail.png";
+  const img_tag_string = `
+      <img src="${img_url}"
+           onload="top.postMessage('img loaded', '*');"
+           onerror="top.postMessage('img blocked', '*');"
+      >
+   `;
+
+  const html_test_payload = `
+        <!doctype html>
+        <div>${img_tag_string}</div>
+  `;
+  let blob_url = URL.createObjectURL(
+    new Blob([html_test_payload], { type: 'text/html' }));
+
+  let write_img_to_iframe = (iframe) => {
+    let div = iframe.contentDocument.createElement('div');
+    div.innerHTML = img_tag_string;
+    iframe.contentDocument.body.appendChild(div);
+  };
+
+
+  // Test location.reload() for "about:blank".
+  promise_test(async t => {
+    // Create an empty iframe.
+    window.iframe = document.createElement('iframe');
+    document.body.appendChild(iframe);
+
+    // Add an img.
+    let message = message_from(iframe.contentWindow);
+    write_img_to_iframe(iframe);
+
+    // Check that the empty document inherits CSP from the initiator.
+    assert_equals(await message, "img blocked",
+                  "Image should be blocked by CSP inherited from the parent.");
+
+    // Now perform a reload.
+    let message_2 = message_from(iframe.contentWindow);
+    let loaded = new Promise(resolve => iframe.onload = resolve);
+    iframe.contentWindow.location.reload();
+    await loaded;
+
+    // Add an img.
+    write_img_to_iframe(iframe);
+
+    // Check that the empty document still has the right CSP after reload.
+    assert_equals(await message_2, "img blocked",
+                  "Image should be blocked by CSP after reload.");
+  }, "location.reload() of empty iframe.");
+
+
+  // Test location.reload() for a blob URL.
+  promise_test(async t => {
+    // Create an iframe.
+    window.iframe = document.createElement('iframe');
+    document.body.appendChild(iframe);
+
+    // Navigate to the blob URL.
+    let message = message_from(iframe.contentWindow);
+    iframe.contentWindow.location = blob_url;
+
+    // Check that the blob URL inherits CSP from the initiator.
+    assert_equals(await message, "img blocked",
+                  "Image should be blocked by CSP inherited from navigation initiator.");
+
+    // Now perform a reload.
+    let message_2 = message_from(iframe.contentWindow);
+    let loaded = new Promise(resolve => iframe.onload = resolve);
+      iframe.contentWindow.location.reload();
+    await loaded;
+
+    // Check that the blob URL document still has the right CSP after reload.
+    assert_equals(await message_2, "img blocked",
+                  "Image should be blocked by CSP after reload.");
+  }, "location.reload() of blob URL iframe.");
+
+
+  // Test location.reload() for a srcdoc iframe.
+  promise_test(async t => {
+    // Create a srcdoc iframe.
+    window.iframe = document.createElement('iframe');
+    document.body.appendChild(iframe);
+
+    let message = message_from(iframe.contentWindow);
+    iframe.srcdoc = `${html_test_payload}`;
+
+    // Check that the srcdoc iframe inherits from the parent.
+    assert_equals(await message, "img blocked",
+                  "Image should be blocked by CSP inherited from navigation initiator.");
+
+    // Now perform a reload.
+    let message_2 = message_from(iframe.contentWindow);
+    let loaded = new Promise(resolve => iframe.onload = resolve);
+      iframe.contentWindow.location.reload();
+    await loaded;
+
+    // Check that the srcdoc iframe still has the right CSP after reload.
+    assert_equals(await message_2, "img blocked",
+                  "Image should be blocked by CSP after reload.");
+  }, "location.reload() of srcdoc iframe.");
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html
new file mode 100644
index 0000000000..590fa7ec1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var blob_string = "<script>alert(document.domain)<\/scr"+"ipt>";
+      var blob = new Blob([blob_string], {type : 'text/html'});
+      var url = URL.createObjectURL(blob);
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      i.sandbox = "allow-scripts";
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers
new file mode 100644
index 0000000000..adc398d890
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: sandboxed-blob-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html
new file mode 100644
index 0000000000..b97bfb0c05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var url = "data:text/html,<script>alert(document.domain)<\/scr"+"ipt>";
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      i.sandbox = "allow-scripts";
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers
new file mode 100644
index 0000000000..96da6514b8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: sandboxed-data-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html b/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html
new file mode 100644
index 0000000000..effc1adcdd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src {{GET[img-src]}}">
+<script>
+  window.addEventListener('message', function(e) {
+    eval(e.data);
+  });
+  top.postMessage('ready', '*');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html
new file mode 100644
index 0000000000..afe4753cf9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
+  <script>
+    // The following is the content of a srcdoc iframe. It contains:
+    // - a script that catches the frame-src securitypolicyviolation event and
+    // forwards the information to the parent,
+    // - a cross-origin iframe.
+    let doc = `
+      <script>
+        window.addEventListener("securitypolicyviolation", e => {
+          if (e.violatedDirective === "frame-src") {
+            window.top.postMessage("frame blocked", "*");
+          }
+        });
+      </scr` + `ipt>
+      <iframe src="http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/inheritance/support/postmessage-top.html"></iframe>`;
+    doc = doc.replaceAll('"', "\\\'");
+
+    const js_url = "javascript:'<iframe srcdoc=\""+ doc +"\">'";
+    window.open(js_url, "_self");
+  </script>
+</head>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html b/testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html
new file mode 100644
index 0000000000..75ee5bee7c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html
@@ -0,0 +1,5 @@
+<script>
+  const params = new URLSearchParams(window.location.search);
+  opener.postMessage({msg: "ready", token: params.get("token")}, "*");
+  window.history.back();
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html b/testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html
new file mode 100644
index 0000000000..53d5a18cb3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html
@@ -0,0 +1,5 @@
+<script>
+  const params = new URLSearchParams(window.location.search);
+  top.postMessage({msg: "ready", token: params.get("token")}, "*");
+  window.history.back();
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html
new file mode 100644
index 0000000000..df4a443893
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
+  </head>
+  <body>
+    <script>
+      const blob_payload = `
+        <!doctype html>
+         <script>
+           var i = false;
+           try {
+             eval('i = true');
+           } catch {}
+           opener.postMessage(i ? "eval allowed" : "eval blocked", '*');
+         </scr` + `ipt>
+         `;
+      var blob_url = URL.createObjectURL(
+          new Blob([blob_payload], { type: 'text/html' }));
+      parent.location = blob_url;
+    </script>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
new file mode 100644
index 0000000000..9ea069969c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
@@ -0,0 +1,6 @@
+<script nonce="abc">
+  var blob_string = "<script>alert(document.domain)<\/script>";
+  var blob = new Blob([blob_string], {type : 'text/html'});
+  var url = URL.createObjectURL(blob);
+  location.href=url;
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
new file mode 100644
index 0000000000..2642b0fa06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri http://{{host}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html
new file mode 100644
index 0000000000..86ea60c283
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html
@@ -0,0 +1,12 @@
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"/>
+<script>
+  const js_payload = `
+    <div>
+      <img src="${window.origin}/content-security-policy/support/fail.png"
+           onload="opener.postMessage(\\\'img loaded\\\', \\\'*\\\');"
+           onerror="opener.postMessage(\\\'img blocked\\\', \\\'*\\\');"
+      >
+    </div>
+  `;
+  open(`javascript:'${js_payload}'`,"_self");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html
new file mode 100644
index 0000000000..7ee11bc78d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html
@@ -0,0 +1,4 @@
+<script>
+  const params = new URLSearchParams(window.location.search);
+  opener.postMessage({msg: "ready", token: params.get("token")}, "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html
new file mode 100644
index 0000000000..242063a80e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<script>
+  const params = new URLSearchParams(window.location.search);
+  top.postMessage({msg: "ready", token: params.get("token")}, "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html b/testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html
new file mode 100644
index 0000000000..9148be203d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html
@@ -0,0 +1,19 @@
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+</head>
+<body>
+  <script>
+    var i = document.createElement('iframe');
+    i.srcdoc=`<script>
+                window.addEventListener('securitypolicyviolation', function(e) {
+                  if (e.violatedDirective == 'img-src') {
+                    top.postMessage('img blocked', '*');
+                  }
+                })
+              </scr` + `ipt>
+              <img src='/content-security-policy/support/fail.png'
+                onload='top.postMessage("img loaded", "*")'/>`;
+    i.id = "srcdoc-frame";
+    document.body.appendChild(i);
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html
new file mode 100644
index 0000000000..cab192f836
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var blob_string = "<script>alert(document.domain)<\/scr"+"ipt>";
+      var blob = new Blob([blob_string], {type : 'text/html'});
+      var url = URL.createObjectURL(blob);
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers
new file mode 100644
index 0000000000..b1054d3506
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: unsandboxed-blob-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html
new file mode 100644
index 0000000000..a9d8e207dc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var url = "data:text/html,<script>alert(document.domain)<\/scri"+"pt>";
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers
new file mode 100644
index 0000000000..f4a6088578
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: unsandboxed-data-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html
new file mode 100644
index 0000000000..0cdc03ce92
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<title>about:blank in popup inherits CSPs from the navigation initiator</title>
+<body>
+
+<script>
+  const message_from = (source_token, w) => {
+    return new Promise(resolve => {
+      window.addEventListener('message', msg => {
+        if (msg.data.token === source_token)
+          resolve(msg.data.msg);
+      });
+    });
+  };
+
+  const testCases = [
+    {
+      previous_origin: window.origin,
+      name: "Popup being navigated to about:blank was same-origin.",
+    },
+    {
+      previous_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+      name: "Popup being navigated to about:blank was cross-origin.",
+    },
+  ];
+
+  testCases.forEach(testCase => {
+    promise_test(async t => {
+      // Create a popup and navigate it.
+      const popup_token = token();
+      // const popup = window.open("about:blank", testCase.name);
+      const loaded = message_from(popup_token);
+      const popup = window.open(
+        testCase.previous_origin +
+          "/content-security-policy/inheritance/support" +
+          `/postmessage-opener.html?token=${popup_token}`,
+        testCase.name);
+      t.add_cleanup(() => popup.close());
+
+      assert_equals(await loaded, "ready");
+
+      // Navigate the popup to "about:blank".
+      window.open("about:blank", testCase.name);
+      await t.step_wait(
+        condition = () => {
+          try {
+            return popup.location.href == "about:blank";
+          } catch {}
+          return false;
+        },
+        description = "Wait for the popup to navigate.",
+        timeout=3000,
+        interval=50);
+
+      // Now create an img in the popup and check if it is blocked by CSPs.
+      const script = popup.document.createElement('script');
+      script.innerText = `
+        function messageBack(msg) {
+          opener.postMessage(msg ,"*");
+        }
+      `;
+      popup.document.head.appendChild(script);
+      const div = popup.document.createElement('div');
+
+      const img_token = token();
+      const img_url = window.origin + "/content-security-policy/support/fail.png";
+      div.innerHTML = `
+        <img src="${img_url}"
+             onload="messageBack({msg: 'img loaded', token: '${img_token}'});"
+             onerror="messageBack({msg: 'img blocked', token: '${img_token}'});"
+        >
+      `;
+
+      const msg = message_from(img_token);
+      popup.document.body.appendChild(div);
+      assert_equals(await msg, "img blocked");
+    }, testCase.name);
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/window.html b/testing/web-platform/tests/content-security-policy/inheritance/window.html
new file mode 100644
index 0000000000..73def60ceb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/window.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+
+<body>
+
+<script>
+  function wait_for_error_from_window(w, test) {
+    window.addEventListener('message', test.step_func(e => {
+      if (e.source != w)
+        return;
+      assert_equals(e.data, "error");
+      w.close();
+      test.done();
+    }));
+  }
+
+  async_test(t => {
+    var w = window.open();
+
+    var img = document.createElement('img');
+    img.onerror = t.step_func_done(_ => w.close());
+    img.onload = t.unreached_func();
+    img.src = "/images/red-16x16.png";
+    w.document.body.appendChild(img);
+  }, "window.open() inherits policy.");
+
+  async_test(t => {
+    var w = window.open();
+
+    wait_for_error_from_window(w, t);
+
+    w.document.write(`
+      <img src='/images/red-16x16.png'
+        onload='window.opener.postMessage("load", "*");'
+        onerror='window.opener.postMessage("error", "*");'
+      >
+    `);
+  }, "`document.write` into `window.open()` inherits policy.");
+
+  async_test(t => {
+    var b = new Blob(
+      [`
+        <img src='${window.origin}/images/red-16x16.png'
+          onload='window.opener.postMessage("load", "*");'
+          onerror='window.opener.postMessage("error", "*");'
+        >
+      `], {type:"text/html"});
+
+    wait_for_error_from_window(window.open(URL.createObjectURL(b)), t);
+  }, "window.open('blob:...') inherits policy.");
+
+  // Navigation to top-level `data:` is blocked.
+
+  async_test(t => {
+    var url =
+        `javascript:"<img src='${window.origin}/images/red-16x16.png'
+          onload='window.opener.postMessage(\\"load\\", \\"*\\");'
+          onerror='window.opener.postMessage(\\"error\\", \\"*\\");'
+        >"`;
+
+    wait_for_error_from_window(window.open(url), t);
+  }, "window.open('javascript:...') inherits policy.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-connect-src.html b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-connect-src.html
new file mode 100644
index 0000000000..a1117d2e73
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-connect-src.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on dedicated workers -->
+<script>
+  let reportCookieName = location.pathname.split('/')[
+    location.pathname.split('/').length - 1].split('.')[0];
+  let reportID = document.cookie.split('; ')
+      .find(cookie => cookie.startsWith(reportCookieName + '='))
+      .split('=')[1].trim();
+
+  promise_test(async t => {
+    // Dedicated workers do not inherit CSP.
+    await fetch_tests_from_worker(
+      new Worker("./support/connect-src-allow.sub.js"));
+
+    // Dedicated workers honor CSP received in their response headers.
+    await fetch_tests_from_worker(
+      new Worker(
+        `./support/connect-src-self.sub.js?id=${reportID}` +
+          `&test-name=connect-src 'self'` +
+          `&pipe=sub|header(Content-Security-Policy,` +
+          `connect-src 'self' ; report-uri ` +
+          `/reporting/resources/report.py?op=put%26reportID=${reportID})`));
+
+
+    let blob = await fetch(`./support/connect-src-self.sub.js?id=${reportID}` +
+                        `&test-name=connect-src 'self'`)
+        .then(r => r.blob());
+
+    // 'blob:' URL workers inherit CSP.
+    let blob_url = URL.createObjectURL(blob);
+    await fetch_tests_from_worker(new Worker(blob_url));
+
+    if (window.webkitRequestFileSystem) {
+      // 'filesystem:' URL workers inherit CSP.
+      let fs = await new Promise(resolve =>
+        window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, resolve));
+
+      let fs_entry = await new Promise(resolve =>
+        fs.root.getFile('dedicated-connect-src.js',
+                        { create: true }, resolve));
+
+      let writer = await new Promise(resolve => fs_entry.createWriter(resolve));
+
+      writer.onerror = t.unreached_func("Could not write to filesystem entry");
+
+      writer.write(blob);
+      await new Promise(resolve => writer.onwriteend = resolve);
+
+      let fs_url = fs_entry.toURL();
+      await fetch_tests_from_worker(new Worker(fs_url));
+
+      await new Promise(resolve => fs_entry.remove(resolve));
+    }
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-connect-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-connect-src.html.sub.headers
new file mode 100644
index 0000000000..6a1d758ce7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-connect-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: dedicatedworker-connect-src={{$id:uuid()}}; Path=/content-security-policy/inside-worker/
+Content-Security-Policy: connect-src 'self' ; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-report-only.html b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-report-only.html
new file mode 100644
index 0000000000..270e705415
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-report-only.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on dedicated workers in report-only mode
+-->
+<script>
+  let reportCookieName = location.pathname.split('/')[
+    location.pathname.split('/').length - 1].split('.')[0];
+  let reportID = document.cookie.split('; ')
+      .find(cookie => cookie.startsWith(reportCookieName + '='))
+      .split('=')[1].trim();
+
+  fetch_tests_from_worker(new Worker(
+    `./support/connect-src-self-report-only.sub.js?id=${reportID}`));
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-report-only.html.sub.headers b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-report-only.html.sub.headers
new file mode 100644
index 0000000000..f82fd74759
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-report-only.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: dedicatedworker-report-only={{$id:uuid()}}; Path=/content-security-policy/inside-worker/
+Content-Security-Policy-Report-Only: connect-src 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-script-src.html b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-script-src.html
new file mode 100644
index 0000000000..296ba58f5e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-script-src.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'script-src' directive on dedicated workers -->
+<script nonce="a">
+  let reportCookieName = location.pathname.split('/')[
+    location.pathname.split('/').length - 1].split('.')[0];
+  let reportID = document.cookie.split('; ')
+      .find(cookie => cookie.startsWith(reportCookieName + '='))
+      .split('=')[1].trim();
+
+  promise_test(async t => {
+    // Dedicated workers do not inherit CSP in general.
+    await fetch_tests_from_worker(
+      new Worker("./support/script-src-allow.sub.js"));
+
+    // Dedicated workers honor CSP received in their response headers.
+    await fetch_tests_from_worker(
+      new Worker(
+        `./support/script-src-self.sub.js?id=${reportID}` +
+          `&test-name=script-src 'self'` +
+          `&pipe=sub|header(Content-Security-Policy,` +
+          `script-src 'self' ; report-uri ` +
+          `/reporting/resources/report.py?op=put%26reportID=${reportID})`));
+
+
+    let blob = await fetch(`./support/script-src-self.sub.js?id=${reportID}` +
+                        `&test-name=script-src 'self'`)
+        .then(r => r.blob());
+
+    // 'blob:' URL workers inherit CSP.
+    let blob_url = URL.createObjectURL(blob);
+    await fetch_tests_from_worker(new Worker(blob_url));
+
+    if (window.webkitRequestFileSystem) {
+      // 'filesystem:' URL workers inherit CSP.
+      let fs = await new Promise(resolve =>
+        window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, resolve));
+
+      let fs_entry = await new Promise(resolve =>
+        fs.root.getFile('dedicated-script-src.js',
+                        { create: true }, resolve));
+
+      let writer = await new Promise(resolve => fs_entry.createWriter(resolve));
+
+      writer.onerror = t.unreached_func("Could not write to filesystem entry");
+
+      writer.write(blob);
+      await new Promise(resolve => writer.onwriteend = resolve);
+
+      let fs_url = fs_entry.toURL();
+      await fetch_tests_from_worker(new Worker(fs_url));
+
+      await new Promise(resolve => fs_entry.remove(resolve));
+    }
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-script-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-script-src.html.sub.headers
new file mode 100644
index 0000000000..c7768a5af0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/dedicatedworker-script-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: dedicatedworker-script-src={{$id:uuid()}}; Path=/content-security-policy/inside-worker/
+Content-Security-Policy: script-src 'self' 'nonce-a' blob: filesystem: ; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-connect-src.https.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-connect-src.https.sub.html
new file mode 100644
index 0000000000..f455fe6a16
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-connect-src.https.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on service workers -->
+<meta http-equiv="content-security-policy" content="connect-src 'self'">
+<script>
+  [ // Service workers do not inherit CSP.
+    "./support/connect-src-allow.sub.js",
+
+    // Service workers honor CSP received in their response headers.
+    "./support/connect-src-self.sub.js?id={{$id1:uuid()}}" +
+      "&test-name=connect-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "connect-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id1}})",
+
+    // Also test that connect-src falls back to default-src.
+    "./support/connect-src-self.sub.js?id={{$id2:uuid()}}" +
+      "&test-name=default-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "default-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id2}})"]
+  .forEach(url => {
+    promise_test(async t => {
+      let r = await navigator.serviceWorker.register(
+        url, {scope: "./support/blank.html"});
+      t.add_cleanup(_ => r.unregister());
+      let sw = r.active || r.installing || r.waiting;
+      await fetch_tests_from_worker(sw);
+    });
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-report-only.https.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-report-only.https.sub.html
new file mode 100644
index 0000000000..b2bf3e566f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-report-only.https.sub.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on service workers in report-only mode
+-->
+<script>
+  promise_test(async t => {
+    let r = await navigator.serviceWorker.register(
+      "./support/connect-src-self-report-only.sub.js?id={{uuid()}}",
+      {scope: "./support/blank.html"});
+    t.add_cleanup(_ => r.unregister());
+    let sw = r.active || r.installing || r.waiting;
+    await fetch_tests_from_worker(sw);
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-script-src.https.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-script-src.https.sub.html
new file mode 100644
index 0000000000..5631786cc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-script-src.https.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'script-src' directive on service workers -->
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-a' blob: filesystem:">
+<script nonce="a">
+  [ // Service worker do not inherit CSP.
+    "./support/script-src-allow.sub.js",
+
+    // Service workers honor CSP received in their response headers.
+    "./support/script-src-self.sub.js?id={{$id1:uuid()}}" +
+      "&test-name=script-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "script-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id1}})",
+
+    // Also check that script-src falls back to default-src.
+    "./support/script-src-self.sub.js?id={{$id2:uuid()}}" +
+      "&test-name=default-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "default-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id2}})"]
+  .forEach(url => {
+    promise_test(async t => {
+      let r = await navigator.serviceWorker.register(
+        url, {scope: "./support/blank.html"});
+      t.add_cleanup(_ => r.unregister());
+      let sw = r.active || r.installing || r.waiting;
+      await fetch_tests_from_worker(sw);
+    });
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-connect-src.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-connect-src.sub.html
new file mode 100644
index 0000000000..24717bc9c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-connect-src.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on shared workers -->
+<meta http-equiv="content-security-policy" content="connect-src 'self'">
+<script>
+  promise_test(async () => {
+    // Shared workers do not inherit CSP.
+    await fetch_tests_from_worker(
+      new SharedWorker("./support/connect-src-allow.sub.js"));
+
+    // Shared workers honor CSP received in their response headers.
+    await fetch_tests_from_worker(
+      new SharedWorker(
+        "./support/connect-src-self.sub.js?id={{$id1:uuid()}}" +
+          "&test-name=connect-src 'self'" +
+          "&pipe=sub|header(Content-Security-Policy," +
+          "connect-src 'self' ; report-uri " +
+          "/reporting/resources/report.py?op=put%26reportID={{$id1}})"));
+
+    // Also test that connect-src falls back to default-src.
+    await fetch_tests_from_worker(
+      new SharedWorker(
+        "./support/connect-src-self.sub.js?id={{$id2:uuid()}}" +
+          "&test-name=default-src 'self'" +
+          "&pipe=sub|header(Content-Security-Policy," +
+          "default-src 'self' ; report-uri " +
+          "/reporting/resources/report.py?op=put%26reportID={{$id2}})"));
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-report-only.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-report-only.sub.html
new file mode 100644
index 0000000000..8233f00075
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-report-only.sub.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on shared workers in report-only mode -->
+<script>
+  fetch_tests_from_worker(new SharedWorker(
+    "./support/connect-src-self-report-only.sub.js?id={{uuid()}}"));
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-script-src.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-script-src.sub.html
new file mode 100644
index 0000000000..88f56bdba7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/sharedworker-script-src.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'script-src' directive on shared workers -->
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-a' blob: filesystem:">
+<script nonce="a">
+  promise_test(async () => {
+    // Shared workers do not inherit CSP.
+    await fetch_tests_from_worker(
+      new SharedWorker("./support/script-src-allow.sub.js"));
+
+    // Service workers honor CSP received in their response headers.
+    await fetch_tests_from_worker(
+      new SharedWorker(
+        "./support/script-src-self.sub.js?id={{$id1:uuid()}}" +
+          "&test-name=script-src 'self'" +
+          "&pipe=sub|header(Content-Security-Policy," +
+          "script-src 'self' ; report-uri " +
+          "/reporting/resources/report.py?op=put%26reportID={{$id1}})"));
+
+    // Also check that script-src falls back to default-src.
+    await fetch_tests_from_worker(
+      new SharedWorker(
+        "./support/script-src-self.sub.js?id={{$id2:uuid()}}" +
+          "&test-name=default-src 'self'" +
+          "&pipe=sub|header(Content-Security-Policy," +
+          "default-src 'self' ; report-uri " +
+          "/reporting/resources/report.py?op=put%26reportID={{$id2}})"));
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js
new file mode 100644
index 0000000000..7f0ee1f837
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js
@@ -0,0 +1,82 @@
+importScripts("{{location[server]}}/resources/testharness.js");
+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
+
+let base_same_origin_url =
+      "{{location[server]}}/content-security-policy/support/resource.py";
+let base_cross_origin_url =
+      "https://{{hosts[][www]}}:{{ports[https][1]}}" +
+      "/content-security-policy/support/resource.py";
+
+// Same-origin
+promise_test(t => {
+  let url = `${base_same_origin_url}?same-origin-fetch`;
+  assert_no_csp_event_for_url(t, url);
+
+  return fetch(url)
+    .then(t.step_func(r => assert_equals(r.status, 200)));
+}, "Same-origin 'fetch()' in " + self.location.protocol + " without CSP");
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+  promise_test(t => {
+    let url = `${base_same_origin_url}?same-origin-xhr`;
+    assert_no_csp_event_for_url(t, url);
+
+    return new Promise((resolve, reject) => {
+      let xhr = new XMLHttpRequest();
+      xhr.open("GET", url);
+      xhr.onload = resolve;
+      xhr.onerror = _ => reject("xhr.open should success.");
+      xhr.send();
+    });
+  }, "Same-origin XHR in " + self.location.protocol + " without CSP");
+}
+
+// Cross-origin
+promise_test(t => {
+  let url = `${base_cross_origin_url}?cross-origin-fetch`;
+  assert_no_csp_event_for_url(t, url);
+
+  return fetch(url)
+    .then(t.step_func(r => assert_equals(r.status, 200)));
+}, "Cross-origin 'fetch()' in " + self.location.protocol + " without CSP");
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+  promise_test(t => {
+    let url = `${base_cross_origin_url}?cross-origin-xhr`;
+    assert_no_csp_event_for_url(t, url);
+
+    return new Promise((resolve, reject) => {
+      let xhr = new XMLHttpRequest();
+      xhr.open("GET", url);
+      xhr.onload = resolve;
+      xhr.onerror = _ => reject("xhr.open should success.");
+      xhr.send();
+    });
+  }, "Cross-origin XHR in " + self.location.protocol + " without CSP");
+}
+
+// Same-origin redirecting to cross-origin
+promise_test(t => {
+  let url = `{{location[server]}}/common/redirect-opt-in.py?` +
+      `status=307&location=${base_cross_origin_url}?cross-origin-fetch`;
+  assert_no_csp_event_for_url(t, url);
+
+  return fetch(url)
+    .then(t.step_func(r => assert_equals(r.status, 200)));
+}, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol +
+           " without CSP");
+
+// WebSocket
+promise_test(async function(t) {
+  let url = "wss://{{host}}:{{ports[wss][0]}}/echo";
+  assert_no_csp_event_for_url(t, url);
+
+  return new Promise(resolve => {
+    let ws = new WebSocket(url);
+    ws.onopen = resolve;
+  });
+}, "WebSocket without CSP");
+
+done();
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js
new file mode 100644
index 0000000000..c624671476
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js
@@ -0,0 +1,130 @@
+importScripts("{{location[server]}}/resources/testharness.js");
+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
+
+let base_same_origin_url =
+      "{{location[server]}}/content-security-policy/support/resource.py";
+
+// Same-origin
+promise_test(t => {
+  let url = `${base_same_origin_url}?same-origin-fetch`;
+  assert_no_csp_event_for_url(t, url);
+
+  return fetch(url)
+      .then(t.step_func(r => assert_equals(r.status, 200)));
+}, "Same-origin 'fetch()'.");
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+  promise_test(t => {
+    let url = `${base_same_origin_url}?same-origin-xhr`;
+    assert_no_csp_event_for_url(t, url);
+
+    return new Promise((resolve, reject) => {
+      var xhr = new XMLHttpRequest();
+      xhr.open("GET", url);
+      xhr.onload = resolve;
+      xhr.onerror = _ => reject("xhr.open should success.");
+      xhr.send();
+    });
+  }, "Same-origin XHR.");
+}
+
+let base_cross_origin_url =
+      "https://{{hosts[][www]}}:{{ports[https][1]}}" +
+      "/content-security-policy/support/resource.py";
+let fetch_cross_origin_url = `${base_cross_origin_url}?cross-origin-fetch`;
+
+// Cross-origin
+promise_test(t => {
+  let url = fetch_cross_origin_url;
+
+  return Promise.all([
+    waitUntilCSPEventForURL(t, url),
+    fetch(url)
+  ]);
+}, "Cross-origin 'fetch()'.");
+
+let xhr_cross_origin_url = `${base_cross_origin_url}?cross-origin-xhr`;
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+  promise_test(t => {
+    let url = xhr_cross_origin_url;
+
+    return Promise.all([
+      waitUntilCSPEventForURL(t, url),
+      new Promise((resolve, reject) => {
+        var xhr = new XMLHttpRequest();
+        xhr.open("GET", url);
+        xhr.onload = resolve;
+        xhr.onerror = _ => reject("xhr.open should not have thrown.");
+        xhr.send();
+      })
+    ]);
+  }, "Cross-origin XHR.");
+}
+
+let redirect_url = `{{location[server]}}/common/redirect-opt-in.py?` +
+      `status=307&location=${fetch_cross_origin_url}`;
+
+// Same-origin redirecting to cross-origin
+promise_test(t => {
+  let url = redirect_url;
+
+  return Promise.all([
+    waitUntilCSPEventForURL(t, url),
+    fetch(url)
+  ]);
+}, "Same-origin => cross-origin 'fetch()'.");
+
+let websocket_url = "wss://{{host}}:{{ports[wss][0]}}/echo";
+
+// The WebSocket URL is not the same as 'self'
+promise_test(t => {
+  return Promise.all([
+    waitUntilCSPEventForURL(t, websocket_url),
+    new Promise(resolve => {
+      let ws = new WebSocket(websocket_url);
+      ws.onopen = resolve;
+    })
+  ]);
+}, "WebSocket.");
+
+let expected_blocked_urls = self.XMLHttpRequest
+    ? [ fetch_cross_origin_url, xhr_cross_origin_url, redirect_url, websocket_url ]
+    : [ fetch_cross_origin_url, redirect_url, websocket_url ];
+
+promise_test(async t => {
+  let report_url = `{{location[server]}}/reporting/resources/report.py?` +
+      `?op=retrieve_report&reportID={{GET[id]}}` +
+      `&min_count=${expected_blocked_urls.length}`;
+
+  let response = await fetch(report_url);
+  assert_equals(response.status, 200, "Fetching reports failed");
+
+  let response_json = await response.json();
+  let reports = response_json.map(x => x["csp-report"]);
+
+  assert_array_equals(
+      reports.map(x => x["blocked-uri"]).sort(),
+      expected_blocked_urls.sort(),
+      "Reports do not match");
+  reports.forEach(x => {
+    assert_equals(
+        x["violated-directive"], "connect-src",
+        "Violated directive in report does not match");
+    assert_equals(
+        x["effective-directive"], "connect-src",
+        "Effective directive in report does not match");
+    assert_equals(
+        x["disposition"], "report",
+        "Disposition in report does not match");
+    assert_equals(
+        x["document-uri"],
+        "{{location[server]}}/content-security-policy/inside-worker/" +
+          "support/connect-src-self-report-only.sub.js?id={{GET[id]}}",
+        "Document uri in report does not match");
+  });
+});
+
+done();
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js.sub.headers
new file mode 100644
index 0000000000..02e8e1f433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy-Report-Only: connect-src 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{GET[id]}}
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self.sub.js b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self.sub.js
new file mode 100644
index 0000000000..3c3ecc01c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self.sub.js
@@ -0,0 +1,143 @@
+importScripts("{{location[server]}}/resources/testharness.js");
+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
+
+let base_same_origin_url =
+      "{{location[server]}}/content-security-policy/support/resource.py";
+let base_cross_origin_url =
+      "https://{{hosts[][www]}}:{{ports[https][1]}}" +
+      "/content-security-policy/support/resource.py";
+
+// Same-origin
+promise_test(t => {
+  let url = `${base_same_origin_url}?same-origin-fetch`;
+  assert_no_csp_event_for_url(t, url);
+
+  return fetch(url)
+    .then(t.step_func(r => assert_equals(r.status, 200)));
+}, "Same-origin 'fetch()' in " + self.location.protocol +
+             " with {{GET[test-name]}}");
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+  promise_test(t => {
+    let url = `${base_same_origin_url}?same-origin-xhr`;
+    assert_no_csp_event_for_url(t, url);
+
+    return new Promise((resolve, reject) => {
+      let xhr = new XMLHttpRequest();
+      xhr.open("GET", url);
+      xhr.onload = resolve;
+      xhr.onerror = _ => reject("xhr.open should success.");
+      xhr.send();
+    });
+  }, "Same-origin XHR in " + self.location.protocol +
+               " with {{GET[test-name]}}");
+}
+
+let fetch_cross_origin_url = `${base_cross_origin_url}?cross-origin-fetch`;
+
+// Cross-origin
+promise_test(t => {
+  let url = fetch_cross_origin_url;
+
+  return Promise.all([
+    waitUntilCSPEventForURL(t, url),
+    fetch(url)
+        .then(t.step_func(_ => assert_unreached(
+            "cross-origin fetch should have thrown.")))
+        .catch(t.step_func(e => assert_true(e instanceof TypeError)))
+  ]);
+}, "Cross-origin 'fetch()' in " + self.location.protocol +
+             " with {{GET[test-name]}}");
+
+let xhr_cross_origin_url = `${base_cross_origin_url}?cross-origin-xhr`;
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+  promise_test(t => {
+    let url = xhr_cross_origin_url;
+
+    return Promise.all([
+      waitUntilCSPEventForURL(t, url),
+      new Promise((resolve, reject) => {
+        let xhr = new XMLHttpRequest();
+        xhr.open("GET", url);
+        xhr.onload = _ => reject("xhr.open should have thrown.");
+        xhr.onerror = resolve;
+        xhr.send();
+      })
+    ]);
+  }, "Cross-origin XHR in " + self.location.protocol +
+               " with {{GET[test-name]}}");
+}
+
+let redirect_url = `{{location[server]}}/common/redirect-opt-in.py?` +
+      `status=307&location=${fetch_cross_origin_url}`;
+
+// Same-origin redirecting to cross-origin
+promise_test(t => {
+  let url = redirect_url;
+
+  return Promise.all([
+    waitUntilCSPEventForURL(t, url),
+    fetch(url)
+        .then(t.step_func(_ => assert_unreached(
+            "cross-origin redirect should have thrown.")))
+      .catch(t.step_func(e => assert_true(e instanceof TypeError)))
+  ]);
+}, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol +
+             " with {{GET[test-name]}}");
+
+
+let websocket_url = "wss://{{host}}:{{ports[wss][0]}}/echo";
+
+// The WebSocket URL is not the same as 'self'
+promise_test(t => {
+  return Promise.all([
+    waitUntilCSPEventForURL(t, websocket_url),
+    new Promise((resolve, reject) => {
+      // Firefox throws in the constructor, Chrome triggers the error event.
+      try {
+        let ws = new WebSocket(websocket_url);
+        ws.onerror = resolve;
+        ws.onopen = reject; // unexpected
+      } catch (e) {
+        resolve();
+      }
+    })
+  ]);
+}, "WebSocket in " + self.location.protocol + " with {{GET[test-name]}}");
+
+let expected_blocked_urls = self.XMLHttpRequest
+    ? [ fetch_cross_origin_url, xhr_cross_origin_url, redirect_url, websocket_url ]
+    : [ fetch_cross_origin_url, redirect_url, websocket_url ];
+
+promise_test(async t => {
+  let report_url = `{{location[server]}}/reporting/resources/report.py` +
+      `?op=retrieve_report&reportID={{GET[id]}}` +
+      `&min_count=${expected_blocked_urls.length}`;
+
+  let response = await fetch(report_url);
+  assert_equals(response.status, 200, "Fetching reports failed");
+
+  let response_json = await response.json();
+  let reports = response_json.map(x => x["csp-report"]);
+
+  assert_array_equals(
+      reports.map(x => x["blocked-uri"]).sort(),
+      expected_blocked_urls.sort(),
+      "Reports do not match");
+  reports.forEach(x => {
+    assert_equals(
+        x["violated-directive"], "connect-src",
+        "Violated directive in report does not match");
+    assert_equals(
+        x["effective-directive"], "connect-src",
+        "Effective directive in report does not match");
+    assert_equals(
+        x["disposition"], "enforce",
+        "Effective directive in report does not match");
+  });
+}, "Reports match in " + self.location.protocol + " with {{GET[test-name]}}");
+
+done();
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/script-src-allow.sub.js b/testing/web-platform/tests/content-security-policy/inside-worker/support/script-src-allow.sub.js
new file mode 100644
index 0000000000..7c66953154
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/script-src-allow.sub.js
@@ -0,0 +1,24 @@
+importScripts("{{location[server]}}/resources/testharness.js");
+
+test(t => {
+  importScripts("https://{{hosts[][www]}}:{{ports[https][1]}}" +
+                "/content-security-policy/support/testharness-helper.js");
+}, "Cross-origin `importScripts()` not blocked in " + self.location.protocol +
+     " withour CSP");
+
+test(t => {
+  assert_equals(2, eval("1+1"));
+  assert_equals(2, (new Function("return 1+1;"))());
+}, "`eval()` not blocked in " + self.location.protocol +
+    " without CSP");
+
+async_test(t => {
+  self.callback = t.step_func_done();
+
+  setTimeout("self.callback();", 1);
+  setTimeout(t.step_func(_ =>
+      assert_unreached("callback not called.")), 2);
+}, "`setTimeout([string])` not blocked in " + self.location.protocol +
+           " without CSP");
+
+done();
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/script-src-self.sub.js b/testing/web-platform/tests/content-security-policy/inside-worker/support/script-src-self.sub.js
new file mode 100644
index 0000000000..aac5b4326d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/script-src-self.sub.js
@@ -0,0 +1,71 @@
+importScripts("{{location[server]}}/resources/testharness.js");
+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
+
+let importscripts_url ="https://{{hosts[][www]}}:{{ports[https][1]}}" +
+    "/content-security-policy/support/var-a.js";
+
+promise_test(async t => {
+  self.a = false;
+  assert_throws_dom("NetworkError",
+                    _ => importScripts(importscripts_url),
+                    "importScripts should throw `NetworkError`");
+  assert_false(self.a);
+  return waitUntilCSPEventForURL(t, importscripts_url);
+}, "Cross-origin `importScripts()` blocked in " + self.location.protocol +
+             " with {{GET[test-name]}}");
+
+promise_test(t => {
+  assert_throws_js(EvalError,
+                   _ => eval("1 + 1"),
+                   "`eval()` should throw 'EvalError'.");
+
+  assert_throws_js(EvalError,
+                   _ => new Function("1 + 1"),
+                   "`new Function()` should throw 'EvalError'.");
+  return Promise.all([
+    waitUntilCSPEventForEval(t, 19),
+    waitUntilCSPEventForEval(t, 23),
+  ]);
+}, "`eval()` blocked in " + self.location.protocol +
+             " with {{GET[test-name]}}");
+
+promise_test(t => {
+  self.setTimeoutTest = t;
+  let result = setTimeout("(self.setTimeoutTest.unreached_func(" +
+                          "'setTimeout([string]) should not execute.'))()", 1);
+  assert_equals(result, 0);
+  return waitUntilCSPEventForEval(t, 34);
+}, "`setTimeout([string])` blocked in " + self.location.protocol +
+             " with {{GET[test-name]}}");
+
+promise_test(async t => {
+  let report_url = "{{location[server]}}/reporting/resources/report.py" +
+      "?op=retrieve_report&reportID={{GET[id]}}&min_count=4";
+
+  let response = await fetch(report_url);
+  assert_equals(response.status, 200, "Fetching reports failed");
+
+  let response_json = await response.json();
+  let reports = response_json.map(x => x["csp-report"]);
+
+  assert_array_equals(
+      reports.map(x => x["blocked-uri"]).sort(),
+      [ importscripts_url, "eval", "eval", "eval" ].sort(),
+      "Reports do not match");
+  assert_array_equals(
+      reports.map(x => x["violated-directive"]).sort(),
+      [ "script-src-elem", "script-src", "script-src", "script-src" ].sort(),
+      "Violated directive in report does not match");
+  assert_array_equals(
+      reports.map(x => x["effective-directive"]).sort(),
+      [ "script-src-elem", "script-src", "script-src", "script-src" ].sort(),
+      "Effective directive in report does not match");
+  reports.forEach(x => {
+    assert_equals(
+        x["disposition"], "enforce",
+        "Disposition in report does not match");
+  });
+}, "Reports are sent for " + self.location.protocol +
+                  " with {{GET[test-name]}}");
+
+done();
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
new file mode 100644
index 0000000000..8fd094e955
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Video element src attribute must match src list - positive test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self'">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Video element src attribute must match src list - positive test</h1>
+    <div id='log'></div>
+
+  <script>
+    var src_test = async_test("In-policy async video src");
+    var source_test = async_test("In-policy async video source element");
+    var t_spv = async_test("Should not fire policy violation events");
+    var test_count = 2;
+    window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+    function media_loaded(t) {
+      t.done();
+      if (--test_count <= 0) {
+        t_spv.done();
+      }
+    }
+
+    function media_error_handler(t) {
+      t.step( function () {
+          assert_unreached("Media error handler should be triggered for non-allowed domain.");
+      });
+      t.done();
+    }
+  </script>
+
+    <video id="videoObject" width="320" height="240" controls
+           onloadeddata="media_loaded(source_test)">
+        <source id="videoSourceObject"
+                type="video/ogg"
+                onerror="media_error_handler(source_test)"
+                src="/media/A4.ogv">
+    </video>
+    <video id="videoObject2" width="320" height="240" controls
+           onerror="media_error_handler(src_test)"
+           onloadeddata="media_loaded(src_test)"
+           src="/media/A4.ogv">
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html
new file mode 100644
index 0000000000..8312defb2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Video element src attribute must match src list - negative test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Video element src attribute must match src list - negative test</h1>
+    <div id='log'></div>
+
+  <script>
+      var src_test = async_test("Disallowed async video src");
+      var source_test = async_test("Disallowed async video source element");
+      var t_spv = async_test("Test that securitypolicyviolation events are fired");
+      var test_count = 2;
+      window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+          assert_equals(e.violatedDirective, "media-src");
+          assert_equals(e.blockedURI, mediaURL);
+          if (--test_count <= 0) {
+              t_spv.done();
+          }
+      }));
+
+      // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+      var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv";
+
+    function media_loaded(t) {
+      t.step( function () {
+          assert_unreached("Media error handler should be triggered for non-allowed domain.");
+      });
+      t.done();
+    }
+
+    function media_error_handler(t) {
+      t.done();
+    }
+  </script>
+
+    <video id="videoObject" width="320" height="240" controls
+           onloadeddata="media_loaded(source_test)">
+        <source id="videoSourceObject"
+                type="video/ogg"
+                onerror="media_error_handler(source_test)">
+    </video>
+    <video id="videoObject2" width="320" height="240" controls
+           onerror="media_error_handler(src_test)"
+           onloadeddata="media_loaded(src_test)">
+
+    <script>
+        document.getElementById("videoSourceObject").src = mediaURL;
+        document.getElementById("videoObject2").src = mediaURL;
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
new file mode 100644
index 0000000000..0486c8738d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Audio element src attribute must match src list - positive test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Audio element src attribute must match src list - positive test</h1>
+    <div id='log'></div>
+
+  <script>
+    var src_test = async_test("In-policy audio src");
+    var source_test = async_test("In-policy audio source element");
+    var t_spv = async_test("Should not fire policy violation events");
+    var test_count = 2;
+    window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+    function media_loaded(t) {
+      t.done();
+      if (--test_count <= 0) {
+        t_spv.done();
+      }
+    }
+
+    function media_error_handler(t) {
+      t.step( function () {
+          assert_unreached("Media error handler should be triggered for non-allowed domain.");
+      });
+      t.done();
+    }
+  </script>
+
+    <audio id="audioObject" width="320" height="240" controls
+           onloadeddata="media_loaded(source_test)">
+        <source id="audioSourceObject"
+                type="audio/ogg"
+                onerror="media_error_handler(source_test)"
+                src="/media/sound_5.oga">
+    </audio>
+    <audio id="audioObject2" width="320" height="240" controls
+           onerror="media_error_handler(src_test)"
+           onloadeddata="media_loaded(src_test)"
+           src="/media/sound_5.oga">
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html
new file mode 100644
index 0000000000..e1626eec5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Audio element src attribute must match src list - negative test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Audio element src attribute must match src list - negative test</h1>
+    <div id='log'></div>
+
+  <script>
+      var src_test = async_test("Disallaowed audio src");
+      var source_test = async_test("Disallowed audio source element");
+      var t_spv = async_test("Test that securitypolicyviolation events are fired");
+      var test_count = 2;
+      window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+          assert_equals(e.violatedDirective, "media-src");
+          assert_equals(e.blockedURI, mediaURL);
+          if (--test_count <= 0) {
+              t_spv.done();
+          }
+      }));
+
+      // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+      var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/sound_5.oga";
+
+    function media_loaded(t) {
+      t.step( function () {
+          assert_unreached("Media error handler should be triggered for non-allowed domain.");
+      });
+      t.done();
+    }
+
+    function media_error_handler(t) {
+      t.done();
+    }
+  </script>
+
+    <audio id="audioObject" width="320" height="240" controls
+           onloadeddata="media_loaded(source_test)">
+        <source id="audioSourceObject"
+                type="audio/ogg"
+                onerror="media_error_handler(source_test)">
+    </audio>
+    <audio id="audioObject2" width="320" height="240" controls
+           onerror="media_error_handler(src_test)"
+           onloadeddata="media_loaded(src_test)">
+
+    <script>
+        document.getElementById("audioSourceObject").src = mediaURL;
+        document.getElementById("audioObject2").src = mediaURL;
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html
new file mode 100644
index 0000000000..46489e2668
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html
@@ -0,0 +1,53 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Video track src attribute must match src list - positive test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self' {{domains[www]}}:{{ports[http][0]}};">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Video track src attribute must match src list - positive test</h1>
+    <div id='log'></div>
+
+  <script>
+    var source_test = async_test("In-policy track element");
+
+    var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+
+    var t_spv = async_test("Should not fire policy violation events");
+    var test_count = 1;
+    window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+    function media_loaded(t) {
+      t.done();
+      if (--test_count <= 0) {
+        t_spv.done();
+      }
+    }
+
+    function media_error_handler(t) {
+      t.step( function () {
+          assert_unreached("Error handler called for allowed track source.");
+      });
+      t.done();
+    }
+  </script>
+
+    <video id="videoObject" width="320" height="240" controls
+           onloadeddata="media_loaded(source_test)" crossorigin>
+        <source id="audioSourceObject"
+                type="audio/ogg"
+                src="/media/A4.ogv">
+        <track id="trackObject"
+               kind="subtitles"
+               srclang="en"
+               label="English"
+               onerror="media_error_handler(source_test)">
+    </video>
+    <script>
+        document.getElementById("trackObject").src = trackURL;
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html
new file mode 100644
index 0000000000..431a58608a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Video track src attribute must match src list - negative test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Video track src attribute must match src list - negative test</h1>
+    <div id='log'></div>
+
+  <script>
+    var source_test =
+        async_test("Disallowed track element onerror handler fires.");
+
+    var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+
+    var t_spv = async_test("Test that securitypolicyviolation events are fired");
+    var test_count = 1;
+    window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+          assert_equals(e.violatedDirective, "media-src");
+          assert_equals(e.blockedURI, trackURL);
+          if (--test_count <= 0) {
+              t_spv.done();
+          }
+      }));
+
+
+    function media_loaded(t) {
+     t.step( function () {
+          assert_unreached("Disllowed track source loaded.");
+      });
+      t.done();
+    }
+
+    function media_error_handler(t) {
+      t.done();
+    }
+  </script>
+
+    <video id="videoObject" width="320" height="240" controls
+           onerror="media_error_handler(source_test)"
+           crossorigin>
+        <source id="audioSourceObject"
+                type="audio/ogg"
+                src="/media/A4.ogv">
+        <track default
+               id="trackObject"
+               kind="subtitles"
+               srclang="en"
+               label="English"
+               onerror="media_error_handler(source_test)"
+               onload="media_loaded(source_test)"
+               onloadeddata="media_loaded(source_test)">
+    </video>
+    <script>
+        document.getElementById("trackObject").src = trackURL;
+        source_test.step(function() {
+            source_test.set_status(source_test.FAIL);
+        });
+
+        setTimeout(function() {
+          if(source_test.phase != source_test.phases.COMPLETE) {
+            source_test.step( function () { assert_unreached("Onerror event never fired for track element."); });
+            source_test.done();
+          }
+        }, 2 * 1000);
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html
new file mode 100644
index 0000000000..b2b57dec64
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html
@@ -0,0 +1,101 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Media element src attribute must match src list - 'none' negative test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'none'; connect-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='/common/get-host-info.sub.js'></script>
+</head>
+<body>
+    <h1>Media element src attribute must match src list - 'none' negative test</h1>
+    <div id='log'></div>
+
+  <script>
+    const otherOrigin = get_host_info().OTHER_ORIGIN;
+    const audioUrl = otherOrigin + "/media/sound_5.oga";
+    const videoUrl = otherOrigin + "/media/A4.ogv";
+
+    // Asynchronously returns the next `securitypolicyviolation` event.
+    async function nextViolation() {
+      return await new Promise((resolve) => {
+        window.addEventListener("securitypolicyviolation", resolve, {
+          once: true,
+        });
+      });
+    }
+
+    promise_test(t => new Promise((resolve, reject) => {
+      const violationPromise = nextViolation();
+
+      const video = document.createElement("video");
+      video.type = "video/ogg";
+      video.src = videoUrl;
+      video.onloadeddata = reject;
+      video.onerror = () => { resolve(violationPromise); };
+
+      document.body.appendChild(video);
+    }).then((violation) => {
+      assert_equals(violation.violatedDirective, "media-src", "directive");
+      assert_equals(violation.blockedURI, videoUrl, "blocked URI");
+    }), "Disallowed async video src");
+
+    promise_test(t => new Promise((resolve, reject) => {
+      const violationPromise = nextViolation();
+
+      const video = document.createElement("video");
+      video.oncanplay = reject;
+      video.onloadedmetadata = reject;
+      video.onloadeddata = reject;
+
+      const source = document.createElement("source");
+      source.type = "video/ogg";
+      source.src = videoUrl;
+      source.onerror = () => { resolve(violationPromise); };
+
+      video.appendChild(source);
+      document.body.appendChild(video);
+    }).then((violation) => {
+      assert_equals(violation.violatedDirective, "media-src", "directive");
+      assert_equals(violation.blockedURI, videoUrl, "blocked URI");
+    }), "Disallowed async video source element");
+
+    promise_test(t => new Promise((resolve, reject) => {
+      const violationPromise = nextViolation();
+
+      const audio = document.createElement("audio");
+      audio.type = "audio/ogg";
+      audio.src = audioUrl;
+      audio.oncanplay = reject;
+      audio.onloadedmetadata = reject;
+      audio.onloadeddata = reject;
+      audio.onerror = () => { resolve(violationPromise); };
+
+      document.body.appendChild(audio);
+    }).then((violation) => {
+      assert_equals(violation.violatedDirective, "media-src", "directive");
+      assert_equals(violation.blockedURI, audioUrl, "blocked URI");
+    }), "Disallowed audio src");
+
+    promise_test(t => new Promise((resolve, reject) => {
+      const violationPromise = nextViolation();
+
+      const audio = document.createElement("audio");
+      audio.oncanplay = reject;
+      audio.onloadedmetadata = reject;
+      audio.onloadeddata = reject;
+
+      const source = document.createElement("source");
+      source.type = "audio/ogg";
+      source.src = audioUrl;
+      source.onerror = () => { resolve(violationPromise); };
+
+      audio.appendChild(source);
+      document.body.appendChild(audio);
+    }).then((violation) => {
+      assert_equals(violation.violatedDirective, "media-src", "directive");
+      assert_equals(violation.blockedURI, audioUrl, "blocked URI");
+    }), "Disallowed audio source element");
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
new file mode 100644
index 0000000000..a0708bf5ed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
@@ -0,0 +1,71 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Video element src attribute must match src list - positive test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src http://{{domains[www2]}}:{{ports[http][0]}}/ 'self'; connect-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Video element in media-src list - redirect test</h1>
+    <div id='log'></div>
+
+  <p>This test tests a buggy interaction in Chrome 46.  Two hosts (self and www2) are both allowed
+    as media-src, but only one (self) is allowed for connect-src.  If a video src starts on
+    an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug
+    causes the redirect to be done in a fetch context to which connect-src is being applied instead, so
+    the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p>
+
+  <script>
+    var src_test = async_test("In-policy async video src");
+    var src_redir_test = async_test("in-policy async video src w/redir")
+    var source_test = async_test("In-policy async video source element");
+    var source_redir_test = async_test("In-policy async video source element w/redir");
+
+    var t_spv = async_test("Should not fire policy violation events");
+    var test_count = 4;
+    window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+    function media_loaded(t) {
+      t.done();
+      if (--test_count <= 0) {
+        t_spv.done();
+      }
+    }
+
+    function media_error_handler(t) {
+      t.step( function () {
+          assert_unreached("Media error handler shouldn't be triggered for allowed domain.");
+      });
+      t.done();
+    }
+  </script>
+
+    <video id="videoObject" width="320" height="240" controls
+           onloadeddata="media_loaded(source_test)">
+        <source id="videoSourceObject"
+                type="video/ogg"
+                onerror="media_error_handler(source_test)"
+                src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+    </video>
+
+    <video id="videoObject2" width="320" height="240" controls
+           onerror="media_error_handler(src_test)"
+           onloadeddata="media_loaded(src_test)"
+           src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+
+    <video id="videoObject3" width="320" height="240" controls
+           onloadeddata="media_loaded(source_redir_test)">
+        <source id="videoSourceObject"
+                type="video/ogg"
+                onerror="media_error_handler(source_test)"
+                src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+    </video>
+
+    <video id="videoObject2" width="320" height="240" controls
+           onerror="media_error_handler(src_redir_test)"
+           onloadeddata="media_loaded(src_redir_test)"
+           src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html b/testing/web-platform/tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html
new file mode 100644
index 0000000000..70bfeb6b3b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+    <title>combine-header-and-meta-policies</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+<p>Test passes if both style and image are blocked and a report is generated for the
+    style block from the header-supplied policy.</p>
+
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        var img = document.createElement('img');
+        img.src = '../support/fail.png';
+        img.onerror = function() {
+            log("TEST COMPLETE");
+        };
+        img.onload = function() {
+            log("FAIL");
+        };
+        document.body.appendChild(img);
+
+    </script>
+    <style>
+        body {
+            background-color: blue;
+        }
+
+    </style>
+    <script>
+        var el = document.querySelector('body');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+        });
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers
new file mode 100644
index 0000000000..062d823228
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self';
diff --git a/testing/web-platform/tests/content-security-policy/meta/meta-img-src.html b/testing/web-platform/tests/content-security-policy/meta/meta-img-src.html
new file mode 100644
index 0000000000..bc7ffd66a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/meta-img-src.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'">
+    <title>meta-img-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+</head>
+
+<body>
+<p>Test passes if the image is blocked.</p>
+
+    <script>
+    function testImgSrc() {
+        var img = document.createElement('img');
+        img.src = '../support/fail.png';
+        img.onerror = function() {
+            log("PASS");
+        };
+        img.onload = function() {
+            log("FAIL");
+        };
+        document.body.appendChild(img);
+    }
+    testImgSrc();
+    log("TEST COMPLETE");
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/meta-modified.html b/testing/web-platform/tests/content-security-policy/meta/meta-modified.html
new file mode 100644
index 0000000000..d03115f31b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/meta-modified.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'">
+    <title>meta-modified</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS", "PASS","TEST COMPLETE"]'></script>
+</head>
+
+<body>
+<p>Test passes if the image is blocked both before and after policy modification.</p>
+
+    <script>
+    function testImgSrc() {
+        var img = document.createElement('img');
+        img.src = '../support/fail.png';
+        img.onerror = function() {
+            log("PASS");
+        };
+        img.onload = function() {
+            log("FAIL");
+        };
+        document.body.appendChild(img);
+    }
+    testImgSrc();
+    document.getElementById("meta_csp").setAttribute("content", "img-src *");
+    testImgSrc();
+    log("TEST COMPLETE");
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/meta-outside-head.sub.html b/testing/web-platform/tests/content-security-policy/meta/meta-outside-head.sub.html
new file mode 100644
index 0000000000..7a706c2fc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/meta-outside-head.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>meta-outside-head</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-abc'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <script nonce='abc'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+    <p>This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document&apos;s head.</p>
+    <script nonce='abc'>
+        var aa = "PASS (1/1)";
+    </script>
+    <script src="../meta/support/metaHelper.js"></script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers
new file mode 100644
index 0000000000..8e90073147
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-abc'; connect-src 'self';
diff --git a/testing/web-platform/tests/content-security-policy/meta/sandbox-iframe.html b/testing/web-platform/tests/content-security-policy/meta/sandbox-iframe.html
new file mode 100644
index 0000000000..d353cafae1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/sandbox-iframe.html
@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
+
+    <title>base-uri works correctly inside a sandboxed iframe.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <h1>self is derived correctly inside inside a sandboxed iframe.</h1>
+    <div id='log'></div>
+
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report should have been fired.');
+        });
+
+        async_test(function(t) {
+            var i = document.createElement('iframe');
+            i.sandbox = 'allow-scripts';
+            i.style.display = 'none';
+            i.srcdoc = `
+              <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+              <body>
+              <script>
+
+              var img = document.createElement('img');
+              img.src = '../support/fail.png';
+              img.onerror = function() {
+                top.postMessage('FAIL', '*');
+              };
+              img.onload = function() {
+                top.postMessage('PASS', '*');
+              };
+              document.body.appendChild(img);
+              </sc` + `ript></body>`;
+
+            window.addEventListener('message', t.step_func(function(e) {
+              if (e.source === i.contentWindow) {
+                assert_equals(e.data, 'PASS');
+                t.done();
+              }
+            }));
+
+            document.body.appendChild(i);
+        }, 'img-src \'self\' works when specified in a meta tag.');
+   </script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/meta/support/metaHelper.js b/testing/web-platform/tests/content-security-policy/meta/support/metaHelper.js
new file mode 100644
index 0000000000..9191a39c73
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/meta/support/metaHelper.js
@@ -0,0 +1,5 @@
+if (typeof aa != 'undefined') {
+  alert_assert(aa);
+} else {
+  alert_assert("Failed - allowed inline script blocked by meta policy outside head.");
+}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html
new file mode 100644
index 0000000000..658897fb1b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+
+<a name="anchor"></a>
+
+<script>
+  var t = async_test("Test that anchor navigation is allowed regardless of the `navigate-to` directive");
+
+  window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered any violation"));
+
+  try {
+    window.location.hash = "anchor";
+    t.done();
+  } catch(ex) {}
+</script>
+
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers
new file mode 100644
index 0000000000..739a2ce175
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: navigate-to 'none'
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html
new file mode 100644
index 0000000000..7b4b455d8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`)");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+
+<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27self%27'>">
+
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers
new file mode 100644
index 0000000000..aced1c6d05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: navigate-to 'self' support/navigate_parent.sub.html
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html
new file mode 100644
index 0000000000..4e50617e3c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`)");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}'>"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers
new file mode 100644
index 0000000000..9cb770bcc1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: navigate-to 'self'
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html
new file mode 100644
index 0000000000..f58407ac6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that form-action overrides navigate-to when present.");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html
new file mode 100644
index 0000000000..0ddc8820f9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that form-action overrides navigate-to when present.");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html
new file mode 100644
index 0000000000..927ebb4d36
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that form-action overrides navigate-to when present.");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'form-action');
+  });
+</script>
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"">
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html
new file mode 100644
index 0000000000..56688fa418
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that form-action overrides navigate-to when present.");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'form-action');
+  });
+</script>
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-allowed.html
new file mode 100644
index 0000000000..aa38d898ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=post_message_to_frame_owner.html"></iframe>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html
new file mode 100644
index 0000000000..72db7b8d1d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&action=post_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html
new file mode 100644
index 0000000000..4d0ddc30f1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html
new file mode 100644
index 0000000000..be5f70c8b1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-allowed.html
new file mode 100644
index 0000000000..129b719c22
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dpost_message_to_frame_owner.html"></iframe>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html
new file mode 100644
index 0000000000..d60b8a7aa8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-allowed.html
new file mode 100644
index 0000000000..16e11e0c65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-allowed.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html", "_blank");
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html
new file mode 100644
index 0000000000..721f055c71
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
+  window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html", "_blank");
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html
new file mode 100644
index 0000000000..a9396fc406
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  window.open("support/href_location_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html
new file mode 100644
index 0000000000..cd0cd9106d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
+  window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-allowed.html
new file mode 100644
index 0000000000..4dbfa7aef9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-allowed.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py", "_blank");
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html
new file mode 100644
index 0000000000..5d8fafb313
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
+  window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html
new file mode 100644
index 0000000000..977b85dfb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html
new file mode 100644
index 0000000000..29686fcaef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html
new file mode 100644
index 0000000000..4381bcb08d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html
new file mode 100644
index 0000000000..f2b106c577
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html
new file mode 100644
index 0000000000..87dea95b1d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html
new file mode 100644
index 0000000000..9b9205a526
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-allowed.html
new file mode 100644
index 0000000000..eeaefc496e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html
new file mode 100644
index 0000000000..1292c9ba5f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html
new file mode 100644
index 0000000000..39e887eaad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html
new file mode 100644
index 0000000000..d7ccd33620
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html
new file mode 100644
index 0000000000..de756bce8b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+</script>
+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py">
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html
new file mode 100644
index 0000000000..0734473ee6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html
new file mode 100644
index 0000000000..47a661157c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`)");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+  window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered a policy violation"));
+
+  var i = document.createElement('iframe');
+  var src_changed = false;
+  i.onload = function() {
+    if (src_changed) return;
+    src_changed = true;
+    i.src = "support/post_message_to_frame_owner.html";
+  }
+  i.src = "support/wait_for_navigation.html?csp=navigate-to%20%none%27";
+  document.body.appendChild(i);
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers
new file mode 100644
index 0000000000..9cb770bcc1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: navigate-to 'self'
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html
new file mode 100644
index 0000000000..c662da95fa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`)");
+  window.onmessage = t.unreached_func("Should not have received a message as the navigation should not have been successful");
+  window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+    assert_equals(e.violatedDirective, 'navigate-to');
+  }));
+
+  var i = document.createElement('iframe');
+  var src_changed = false;
+  i.onload = function() {
+    if (src_changed) return;
+    src_changed = true;
+    i.src = "support/post_message_to_frame_owner.html";
+  }
+  i.src = "support/wait_for_navigation.html?csp=navigate-to%20%27self%27";
+  document.body.appendChild(i);
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20support%2Fwait_for_navigation.html'></script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers
new file mode 100644
index 0000000000..36238fa78a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: parent-navigates-child-blocked={{$id:uuid()}}; Path=/content-security-policy/navigate-to/
+Content-Security-Policy: navigate-to support/wait_for_navigation.html; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html
new file mode 100644
index 0000000000..a09057e715
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<!-- This tests that a navigation initiator that has been replaced by the time
+     the navigation it initiates is blocked, will not receive the SPV event.
+
+     An iframe will navigate another iframe and the navigate itself.
+     The second iframe's navigation response will be delayed by the server but will
+     eventually be blocked by the CSP of the first iframe.
+     By the time this happens the first iframe should be an entirely different
+     document and it should not receive a SPV event -->
+<script>
+  var t = async_test("Test that no spv event is raised");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "end_test") t.done();
+    else assert_unreached("Should not have raised a spv event");
+  });
+
+  var frames_loaded_count = 0;
+  var frame_loaded = function() {
+    if (++frames_loaded_count == 2) {
+      // both child frame have loaded we can start the
+      // test now, send a message to iframe1 so it knows to start
+      document.getElementById('iframe1').contentWindow.postMessage('start_test', '*');
+    }
+  }
+  var i1 = document.createElement('iframe');
+  i1.src = "support/spv-test-iframe1.sub.html?report_id={{$id:uuid()}}";
+  i1.id = "iframe1";
+  i1.name = "iframe1";
+  i1.onload = frame_loaded;
+  document.body.appendChild(i1);
+
+  var i2 = document.createElement('iframe');
+  i2.src = "support/spv-test-iframe2.sub.html";
+  i2.id = "iframe2";
+  i2.name = "iframe2";
+  i2.onload = frame_loaded;
+  document.body.appendChild(i2);
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportExists=false&reportID={{$id}}'></script>
+
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py b/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py
new file mode 100644
index 0000000000..06bcb9b680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py
@@ -0,0 +1,12 @@
+import time
+def main(request, response):
+    time.sleep(1)
+    headers = [(b"Content-Type", b"text/html")]
+    return headers, u'''
+<!DOCTYPE html>
+<head>
+</head>
+<body>
+    DELAYED FRAME
+</body
+'''
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html
new file mode 100644
index 0000000000..a4121944ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+<form action='{{GET[action]}}' target='_self' id='form'>
+  <input type="text" name="dummy">
+  <div id="form-div"></div>
+</form>
+
+<script>
+ try {
+  url = new URL("{{GET[action]}}", location.href);
+  for (var p of url.searchParams) {
+    var elem = document.createElement('input');
+    elem.type = 'text';
+    elem.name = p[0];
+    elem.value = p[1];
+    document.getElementById('form-div').appendChild(elem);
+  }
+ } catch(ex) {}
+
+ document.getElementById('form').submit();
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers
new file mode 100644
index 0000000000..a42cfe2d95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html
new file mode 100644
index 0000000000..15b1365cc2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    opener.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+  });
+
+  try {
+    location.href = "{{GET[target]}}";
+  } catch(ex) {}
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers
new file mode 100644
index 0000000000..a42cfe2d95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html
new file mode 100644
index 0000000000..2434271211
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<a href="{{GET[target]}}" id="link">dummy link</a>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+  });
+
+  document.getElementById('link').click();
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers
new file mode 100644
index 0000000000..a42cfe2d95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html
new file mode 100644
index 0000000000..64bae27fed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+
+  <meta http-equiv="refresh" content="0; url={{GET[target]}}">
+</head>
+
+<body>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers
new file mode 100644
index 0000000000..a42cfe2d95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html
new file mode 100644
index 0000000000..a84c9c64ca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+<a href="post_message_to_frame_owner.html" id="link" target="_parent">dummy link</a>
+<script>
+  document.getElementById('link').click();
+</script>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers
new file mode 100644
index 0000000000..a42cfe2d95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html
new file mode 100644
index 0000000000..c25e49d146
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html
@@ -0,0 +1,6 @@
+<script>
+  if (window.opener)
+    window.opener.postMessage({result: 'success'}, '*');
+  else
+    top.postMessage({result: 'success'}, '*');
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py b/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py
new file mode 100644
index 0000000000..0f6f6eca7b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    response.status = 302
+    if b"location" in request.GET:
+        response.headers.set(b"Location", request.GET[b"location"])
+    else:
+        response.headers.set(b"Location", b"post_message_to_frame_owner.html")
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html
new file mode 100644
index 0000000000..9e26c02be3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<head>
+  <script>
+    window.onmessage = function(e) {
+      if (e.data == "start_test") {
+        document.getElementById('link').click();
+        location.href = "{{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html";
+      }
+    }
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+  <a href="{{location[server]}}/content-security-policy/navigate-to/support/delayed_frame.py" id="link" target="iframe2">dummy link</a>
+  IFRAME 1
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers
new file mode 100644
index 0000000000..9d83b92d96
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: navigate-to {{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html 'unsafe-allow-redirects'; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html
new file mode 100644
index 0000000000..1329683c88
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<head>
+</head>
+<body>
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*');
+    });
+    setTimeout(function() {
+      top.postMessage("end_test", "*");
+    }, 4000);
+  </script>
+  IFRAME 2
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html
new file mode 100644
index 0000000000..09dbf6863d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<head>
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({iframe: 'iframe3', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+  IFRAME 3
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html
new file mode 100644
index 0000000000..2450ff1c0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+</body>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers
new file mode 100644
index 0000000000..d3c635b9a0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html
new file mode 100644
index 0000000000..192477296b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  // the iframe will navigate to:
+  //    [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to
+  //    [www1]/..../post_message_to_frame_owner.html which is not exactly in
+  // the list but the check should be reduced to an origin check since there has been a redirect.
+  // Because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect
+
+  var i = document.createElement('iframe');
+  i.src = "../support/link_click_navigation.sub.html" +
+    "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/some-path/ 'unsafe-allow-redirects'") +
+    "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" +
+                                     encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html"));
+  document.body.appendChild(i);
+</script>
+
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html
new file mode 100644
index 0000000000..74fe8f2e7a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  // the iframe will navigate to:
+  //    [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to
+  //    [www1]/..../post_message_to_frame_owner.html which is in the list
+  // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect
+
+  var i = document.createElement('iframe');
+  i.src = "../support/link_click_navigation.sub.html" +
+    "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") +
+    "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" +
+                                     encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html"));
+  document.body.appendChild(i);
+</script>
+
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html
new file mode 100644
index 0000000000..86e54b3d93
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is blocked");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
+  // the iframe will navigate to:
+  //    [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to
+  //    [www2]/..../post_message_to_frame_owner.html which is also not in the list
+  // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect
+
+  var i = document.createElement('iframe');
+  i.src = "../support/link_click_navigation.sub.html" +
+    "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") +
+    "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" +
+                                     encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html"));
+  document.body.appendChild(i);
+</script>
+
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
new file mode 100644
index 0000000000..21c4fb33ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<script>
+  var window_url = encodeURIComponent("javascript:'<iframe src=/content-security-policy/support/fail.js />'");
+  var report_cookie_name = encodeURIComponent("javascript-url-navigation-inherits-csp");
+  window.open("support/test_csp_self_window.sub.html?window_url=" + window_url + "&report_cookie_name=" + report_cookie_name);
+  setTimeout(function() {
+    var s = document.createElement('script');
+    s.async = true;
+    s.defer = true;
+    s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27";
+    document.body.appendChild(s);
+  }, 2000);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
new file mode 100644
index 0000000000..b4d5b82e46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
@@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
new file mode 100644
index 0000000000..2f7b685a75
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<span id="escape">{{GET[window_url]}}</span>
+
+<script>
+  var window_url = document.getElementById("escape").textContent;
+  window.open(window_url, "_self");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
new file mode 100644
index 0000000000..5024a99bc9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: {{GET[report_cookie_name]}}={{$id:uuid()}}; Path=/content-security-policy/navigation/
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; report-uri  /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
new file mode 100644
index 0000000000..e95e71c59b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27unsafe-inline%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+  var t = async_test("Should have executed the javascript url");
+  frames[0].addEventListener('load', () => {
+    window.onmessage = t.step_func(function(e) {
+      if (e.data == "executed")
+        t.done();
+    });
+    window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+    document.getElementById('special_div').click();
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
new file mode 100644
index 0000000000..3a0641170e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20'self'%20'unsafe-inline'"></iframe>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  const iframe = document.querySelector("iframe");
+  iframe.addEventListener('load', () => {
+    window.onmessage = t.step_func(function(e) {
+      if (e.data == "executed")
+        assert_true(false, "Javascript url executed");
+    });
+    window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+      assert_equals(e.blockedURI, 'inline');
+    }));
+    iframe.contentWindow.location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
new file mode 100644
index 0000000000..8aa8884914
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  frames[0].addEventListener('load', () => {
+    window.onmessage = t.step_func(function(e) {
+      if (e.data == "executed")
+        assert_true(false, "Javascript url executed");
+    });
+    window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+      assert_equals(e.blockedURI, 'inline');
+      assert_equals(e.violatedDirective, 'script-src-attr');
+    }));
+    document.getElementById('special_div').click();
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
new file mode 100644
index 0000000000..0475856f53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<body>
+
+<script>
+  var t = async_test("<iframe src='javascript:...'> not blocked by 'frame-src'");
+
+  var i = document.createElement('iframe');
+  i.src = "javascript:window.top.t.done();";
+
+  document.body.appendChild(i);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
new file mode 100644
index 0000000000..70dea1f985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+  function assert_csp_event_for_element(test, element) {
+    assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+    document.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.target != element)
+        return;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.effectiveDirective, "script-src-elem");
+      assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+      element.remove();
+      test.done();
+    }));
+  }
+
+  function navigate_to_javascript_onload(test, iframe) {
+    iframe.addEventListener("load", test.step_func(e => {
+      assert_equals(typeof SecurityPolicyViolationEvent, "function");
+      iframe.contentDocument.addEventListener(
+        "securitypolicyviolation",
+        test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+      );
+
+      iframe.src = "javascript:'Fail.'";
+    }));
+  }
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "javascript:'Fail.'";
+
+    assert_csp_event_for_element(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i);
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+    assert_csp_event_for_element(t, i);
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");
+
+    assert_csp_event_for_element(t, i);
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html b/testing/web-platform/tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html
new file mode 100644
index 0000000000..49de893ba0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-allowme';">
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1831328">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<title>Nonce isn't lost on document move</title>
+<style type="text/css" nonce="allowme">
+  p {
+    color: red;
+  }
+</style>
+<p>What color is this?</p>
+<script>
+test(function() {
+  const doc = document.implementation.createDocument("http://www.w3.org/1999/xhtml","html");
+  const style = document.createElement("style");
+  style.setAttribute("nonce", "allowme");
+  style.textContent = "p { color: lime }";
+
+  doc.documentElement.appendChild(style);
+  document.body.appendChild(style);
+  assert_equals(style.nonce, "allowme", "Nonce should not have been lost");
+  assert_equals(getComputedStyle(document.querySelector("p")).color, "rgb(0, 255, 0)", "Style should apply");
+})
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html b/testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html
new file mode 100644
index 0000000000..7ee10a7b29
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+<script>
+  const namespace_url= {
+    "HTML": "http://www.w3.org/1999/xhtml",
+    "SVG": "http://www.w3.org/2000/svg",
+  }
+  const test_cases = [
+    ["meh"    , "HTML"],
+    ["div"    , "HTML"],
+    ["script" , "HTML"],
+    ["meh"    , "SVG"],
+    ["svg"    , "SVG"],
+    ["script" , "SVG"],
+  ];
+
+  test_cases.forEach(([localName, namespace]) => {
+    test(t => {
+      const element = document.createElementNS(namespace_url[namespace], localName);
+      t.add_cleanup(() => element.remove());
+      assert_equals(element.nonce, "", "Initial IDL attribute value");
+      assert_equals(element.getAttribute("nonce"), null, "Initial content attribute");
+
+      element.setAttribute("nonce", "x");
+      assert_equals(element.nonce, "x", "IDL attribute is modified after content attribute set");
+      assert_equals(element.getAttribute("nonce"), "x", "Content attribute is modified after content attribute set");
+
+      document.body.appendChild(element);
+      assert_equals(element.nonce, "x", "IDL attribute is unchanged after element insertion");
+      assert_equals(element.getAttribute("nonce"), "", "Content attribute is changed after element insertion");
+    }, `Basic nonce tests for ${localName} in ${namespace} namespace`);
+
+    test(t => {
+      const element = document.createElementNS(namespace_url[namespace], localName);
+      t.add_cleanup(() => element.remove());
+      element.setAttribute("nonce", "x");
+      assert_equals(element.nonce, "x", "IDL attribute is modified after content attribute set");
+
+      element.removeAttribute("nonce");
+      assert_equals(element.nonce, "", "IDL attribute is empty after content attribute removal");
+    }, `Ensure that removal of content attribute does not affect IDL attribute for ${localName} in ${namespace} namespace`);
+
+    test(t => {
+      const element = document.createElementNS(namespace_url[namespace], localName);
+      t.add_cleanup(() => element.remove());
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), null);
+
+      element.setAttribute("nonce", "");
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), "");
+
+      document.body.appendChild(element);
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), "");
+
+      element.removeAttribute("nonce");
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), null);
+    }, `Test empty nonces for ${localName} in ${namespace} namespace`);
+  });
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html.headers b/testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html.headers
new file mode 100644
index 0000000000..daf482b5ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: img-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html b/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html
new file mode 100644
index 0000000000..f8e5b946f0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html
@@ -0,0 +1,131 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'">
+
+<body>
+<!-- Basics -->
+<script nonce="abc" id="testScript">
+  document.currentScript.setAttribute('executed', 'yay');
+</script>
+
+<script nonce="abc">
+    var script = document.querySelector('#testScript');
+
+    test(t => {
+      // Query Selector
+      assert_equals(document.querySelector('body [nonce]'), script);
+      assert_equals(document.querySelector('body [nonce=""]'), null);
+      assert_equals(document.querySelector('body [nonce=abc]'), script);
+
+      assert_equals(script.getAttribute('nonce'), 'abc');
+      assert_equals(script.nonce, 'abc');
+    }, "Reading 'nonce' content attribute and IDL attribute.");
+
+    // Clone node.
+    test(t => {
+      script.setAttribute('executed', 'boo');
+      var s2 = script.cloneNode();
+      assert_equals(s2.nonce, 'abc', 'IDL attribute');
+      assert_equals(s2.getAttribute('nonce'), 'abc');
+    }, "Cloned node retains nonce.");
+
+    async_test(t => {
+      var s2 = script.cloneNode();
+      document.head.appendChild(s2);
+      assert_equals(s2.nonce, 'abc');
+      assert_equals(s2.getAttribute('nonce'), 'abc');
+      window.addEventListener('load', t.step_func_done(_ => {
+        // The cloned script won't execute, as its 'already started' flag is set.
+        assert_equals(s2.getAttribute('executed'), 'boo');
+      }));
+    }, "Cloned node retains nonce when inserted.");
+
+    // Set the content attribute to 'foo'
+    test(t => {
+      script.setAttribute('nonce', 'foo');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+      assert_equals(script.nonce, 'foo');
+    }, "Writing 'nonce' content attribute.");
+
+    // Set the IDL attribute to 'bar'
+    test(t => {
+      script.nonce = 'bar';
+      assert_equals(script.nonce, 'bar');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+    }, "Writing 'nonce' IDL attribute.");
+
+    // Fragment parser.
+    var documentWriteTest = async_test("Document-written script executes.");
+    document.write(`<script nonce='abc'>
+      documentWriteTest.done();
+      test(t => {
+        var script = document.currentScript;
+        assert_equals(script.getAttribute('nonce'), 'abc');
+        assert_equals(script.nonce, 'abc');
+      }, "Document-written script's nonce value.");
+    </scr` + `ipt>`);
+
+    // Create node.
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = script.innerText;
+      s.nonce = 'abc';
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), null);
+      document.head.appendChild(s);
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), null);
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        assert_equals(s.getAttribute('executed'), 'yay');
+      }));
+    }, "createElement.nonce.");
+
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = script.innerText;
+      s.nonce = 'zyx';
+      s.setAttribute('nonce', 'abc');
+      assert_equals(s.nonce, 'abc');
+      document.head.appendChild(s);
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), 'abc');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        assert_equals(s.getAttribute('executed'), 'yay');
+      }));
+    }, "setAttribute('nonce') overwrites '.nonce' upon insertion.");
+
+    // Create node.
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = script.innerText;
+      s.setAttribute('nonce', 'abc');
+      assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content");
+      assert_equals(s.nonce, 'abc', "Pre-insertion IDL");
+      document.head.appendChild(s);
+      assert_equals(s.nonce, 'abc', "Post-insertion IDL");
+      assert_equals(s.getAttribute('nonce'), 'abc', "Post-insertion content");
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        assert_equals(s.getAttribute('executed'), 'yay');
+      }));
+    }, "createElement.setAttribute.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+    #cssTest { display: block; }
+    #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<script nonce="abc" id="cssTest">
+    test(t => {
+      const script = document.querySelector('#cssTest');
+      t.add_cleanup(() => script.remove());
+      var style = getComputedStyle(script);
+      assert_equals(style['display'], 'block');
+      assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
+    }, "Nonces leak via CSS side-channels.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html b/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html
new file mode 100644
index 0000000000..d9718d904c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js" nonce="abc"></script>
+<script src="/resources/testharnessreport.js" nonce="abc"></script>
+
+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers -->
+
+<body>
+<!-- Basics -->
+<script nonce="abc" id="testScript">
+  document.currentScript.setAttribute('executed', 'yay');
+</script>
+
+<script nonce="abc">
+    var script = document.querySelector('#testScript');
+
+    test(t => {
+      // Query Selector
+      assert_equals(document.querySelector('body [nonce]'), script);
+      assert_equals(document.querySelector('body [nonce=""]'), script);
+      assert_equals(document.querySelector('body [nonce=abc]'), null);
+
+      assert_equals(script.getAttribute('nonce'), '');
+      assert_equals(script.nonce, 'abc');
+    }, "Reading 'nonce' content attribute and IDL attribute.");
+
+    // Clone node.
+    test(t => {
+      script.setAttribute('executed', 'boo');
+      var s2 = script.cloneNode();
+      assert_equals(s2.nonce, 'abc', 'IDL attribute');
+      assert_equals(s2.getAttribute('nonce'), '');
+    }, "Cloned node retains nonce.");
+
+    async_test(t => {
+      var s2 = script.cloneNode();
+      document.head.appendChild(s2);
+      assert_equals(s2.nonce, 'abc');
+      assert_equals(s2.getAttribute('nonce'), '');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        // The cloned script won't execute, as its 'already started' flag is set.
+        assert_equals(s2.getAttribute('executed'), 'boo');
+      }));
+    }, "Cloned node retains nonce when inserted.");
+
+    // Set the content attribute to 'foo'
+    test(t => {
+      script.setAttribute('nonce', 'foo');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+      assert_equals(script.nonce, 'foo');
+    }, "Writing 'nonce' content attribute.");
+
+    // Set the IDL attribute to 'bar'
+    test(t => {
+      script.nonce = 'bar';
+      assert_equals(script.nonce, 'bar');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+    }, "Writing 'nonce' IDL attribute.");
+
+    // Fragment parser.
+    var documentWriteTest = async_test("Document-written script executes.");
+    document.write(`<script nonce='abc'>
+      documentWriteTest.done();
+      test(t => {
+        var script = document.currentScript;
+        assert_equals(script.getAttribute('nonce'), '');
+        assert_equals(script.nonce, 'abc');
+      }, "Document-written script's nonce value.");
+    </scr` + `ipt>`);
+
+    // Create node.
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = script.innerText;
+      s.nonce = 'abc';
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), null);
+      document.head.appendChild(s);
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), null);
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        assert_equals(s.getAttribute('executed'), 'yay');
+      }));
+    }, "createElement.nonce.");
+
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = script.innerText;
+      s.nonce = 'zyx';
+      s.setAttribute('nonce', 'abc');
+      assert_equals(s.nonce, 'abc');
+      document.head.appendChild(s);
+      assert_equals(s.nonce, 'abc');
+      assert_equals(s.getAttribute('nonce'), '');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        assert_equals(s.getAttribute('executed'), 'yay');
+      }));
+    }, "setAttribute('nonce') overwrites '.nonce' upon insertion.");
+
+    // Create node.
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = script.innerText;
+      s.setAttribute('nonce', 'abc');
+      assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content");
+      assert_equals(s.nonce, 'abc', "Pre-insertion IDL");
+      document.head.appendChild(s);
+      assert_equals(s.nonce, 'abc', "Post-insertion IDL");
+      assert_equals(s.getAttribute('nonce'), '', "Post-insertion content");
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        assert_equals(s.getAttribute('executed'), 'yay');
+      }));
+    }, "createElement.setAttribute.");
+</script>
+
+<!-- Custom Element -->
+<script nonce="abc">
+  var eventList = [];
+  class NonceElement extends HTMLElement {
+    static get observedAttributes() {
+      return ['nonce'];
+    }
+
+    constructor() {
+      super();
+    }
+
+    attributeChangedCallback(name, oldValue, newValue) {
+      eventList.push({
+        type: "AttributeChanged",
+        name: name,
+        oldValue: oldValue,
+        newValue: newValue
+      });
+    }
+
+    connectedCallback() {
+      eventList.push({
+        type: "Connected",
+      });
+    }
+  }
+
+  customElements.define("nonce-element", NonceElement);
+</script>
+<nonce-element nonce="abc"></nonce-element>
+<script nonce="abc">
+  test(t => {
+    assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" }, "AttributeChanged 1");
+    assert_object_equals(eventList[1], { type: "Connected" }, "Connected");
+    assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" }, "AttributeChanged 2");
+    assert_equals(eventList.length, 3);
+  }, "Custom elements expose the correct events.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+    #cssTest { display: block; }
+    #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<script nonce="abc" id="cssTest">
+    test(t => {
+      const script = document.querySelector('#cssTest');
+      t.add_cleanup(() => script.remove());
+      var style = getComputedStyle(script);
+      assert_equals(style['display'], 'block');
+      assert_equals(style['background-image'], 'none');
+    }, "Nonces don't leak via CSS side-channels.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers b/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers
new file mode 100644
index 0000000000..ad8d0b54f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html b/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html
new file mode 100644
index 0000000000..870fef316e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'">
+
+<body>
+<!-- Basics -->
+<svg xmlns="http://www.w3.org/2000/svg">
+  <script nonce="abc" id="testScript">
+    document.currentScript.setAttribute('executed', 'yay');
+  </script>
+</svg>
+
+<script nonce="abc">
+    var script = document.querySelector('#testScript');
+
+    test(t => {
+      // Query Selector
+      assert_equals(document.querySelector('[nonce]'), script);
+      assert_equals(document.querySelector('[nonce=""]'), null);
+      assert_equals(document.querySelector('[nonce=abc]'), script);
+
+      assert_equals(script.getAttribute('nonce'), 'abc');
+      assert_equals(script.nonce, 'abc');
+    }, "Reading 'nonce' content attribute and IDL attribute.");
+
+    // Clone node.
+    test(t => {
+      script.setAttribute('executed', 'boo');
+      var s2 = script.cloneNode();
+      assert_equals(s2.nonce, 'abc', 'IDL attribute');
+      assert_equals(s2.getAttribute('nonce'), 'abc');
+    }, "Cloned node retains nonce.");
+
+    async_test(t => {
+      var s2 = script.cloneNode();
+      document.head.appendChild(s2);
+      assert_equals(s2.nonce, 'abc');
+      assert_equals(s2.getAttribute('nonce'), 'abc');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        // The cloned script won't execute, as its 'already started' flag is set.
+        assert_equals(s2.getAttribute('executed'), 'boo');
+      }));
+    }, "Cloned node retains nonce when inserted.");
+
+    // Set the content attribute to 'foo'
+    test(t => {
+      script.setAttribute('nonce', 'foo');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+      assert_equals(script.nonce, 'foo');
+    }, "Writing 'nonce' content attribute.");
+
+    // Set the IDL attribute to 'bar'
+    test(t => {
+      script.nonce = 'bar';
+      assert_equals(script.nonce, 'bar');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+    }, "Writing 'nonce' IDL attribute.");
+
+    // Fragment parser.
+    var documentWriteTest = async_test("Document-written script executes.");
+    document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
+      documentWriteTest.done();
+      test(t => {
+        var script = document.currentScript;
+        assert_equals(script.getAttribute('nonce'), 'abc');
+        assert_equals(script.nonce, 'abc');
+      }, "Document-written script's nonce value.");
+    </scr` + `ipt></svg>`);
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('innerScript');
+      innerScript.innerText = script.innerText;
+      innerScript.nonce = 'abc';
+      s.appendChild(innerScript);
+      assert_equals(innerScript.nonce, 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
+    }, "createElement.nonce.");
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('script');
+      innerScript.innerText = script.innerText;
+      innerScript.setAttribute('nonce', 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
+      assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
+      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Post-insertion content");
+    }, "createElement.setAttribute.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html b/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html
new file mode 100644
index 0000000000..a50c75b34c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html
@@ -0,0 +1,98 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js" nonce="abc"></script>
+<script src="/resources/testharnessreport.js" nonce="abc"></script>
+
+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers -->
+
+<body>
+<!-- Basics -->
+<svg xmlns="http://www.w3.org/2000/svg">
+  <script nonce="abc" id="testScript">
+    document.currentScript.setAttribute('executed', 'yay');
+  </script>
+</svg>
+
+<script nonce="abc">
+    var script = document.querySelector('#testScript');
+
+    test(t => {
+      // Query Selector
+      assert_equals(document.querySelector('body [nonce]'), script);
+      assert_equals(document.querySelector('body [nonce=""]'), script);
+      assert_equals(document.querySelector('body [nonce=abc]'), null);
+
+      assert_equals(script.getAttribute('nonce'), '');
+      assert_equals(script.nonce, 'abc');
+    }, "Reading 'nonce' content attribute and IDL attribute.");
+
+    // Clone node.
+    test(t => {
+      script.setAttribute('executed', 'boo');
+      var s2 = script.cloneNode();
+      assert_equals(s2.nonce, 'abc', 'IDL attribute');
+      assert_equals(s2.getAttribute('nonce'), '');
+    }, "Cloned node retains nonce.");
+
+    async_test(t => {
+      var s2 = script.cloneNode();
+      document.head.appendChild(s2);
+      assert_equals(s2.nonce, 'abc');
+      assert_equals(s2.getAttribute('nonce'), '');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        // The cloned script won't execute, as its 'already started' flag is set.
+        assert_equals(s2.getAttribute('executed'), 'boo');
+      }));
+    }, "Cloned node retains nonce when inserted.");
+
+    // Set the content attribute to 'foo'
+    test(t => {
+      script.setAttribute('nonce', 'foo');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+      assert_equals(script.nonce, 'foo');
+    }, "Writing 'nonce' content attribute.");
+
+    // Set the IDL attribute to 'bar'
+    test(t => {
+      script.nonce = 'bar';
+      assert_equals(script.nonce, 'bar');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+    }, "Writing 'nonce' IDL attribute.");
+
+    // Fragment parser.
+    var documentWriteTest = async_test("Document-written script executes.");
+    document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
+      documentWriteTest.done();
+      test(t => {
+        var script = document.currentScript;
+        assert_equals(script.getAttribute('nonce'), '');
+        assert_equals(script.nonce, 'abc');
+      }, "Document-written script's nonce value.");
+    </scr` + `ipt></svg>`);
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('script');
+      innerScript.innerText = script.innerText;
+      innerScript.nonce = 'abc';
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), null);
+    }, "createElement.nonce.");
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('script');
+      innerScript.innerText = script.innerText;
+      innerScript.setAttribute('nonce', 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
+      assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
+      assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion content");
+    }, "createElement.setAttribute.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers b/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers
new file mode 100644
index 0000000000..ad8d0b54f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html
new file mode 100644
index 0000000000..faa963cb35
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} -->
+</head>
+
+<body>
+    <object type="application/x-webkit-test-netscape"></object>
+
+    <!-- we rely on the report because we can't rely on the onload event for
+         "allowed" tests as it is not fired for object and embed -->
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers
new file mode 100644
index 0000000000..071eb96fc0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.html
new file mode 100644
index 0000000000..cb7292976a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+       var t = async_test("Should block the object and fire a spv");
+       window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+         assert_equals(e.violatedDirective, "object-src");
+       }));
+    </script>
+
+    <object type="application/x-webkit-test-netscape"></object>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html
new file mode 100644
index 0000000000..07c53ceb1b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!--
+      Content-Security-Policy:
+        object-src 'self';
+        script-src 'self' 'unsafe-inline';
+        report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+    -->
+</head>
+
+<body>
+    <object type="image/png" data="/content-security-policy/support/pass.png"></object>
+    <!--
+      We rely on the report because we can't rely on the onload event for
+      "allowed" tests as it is not fired for object and embed
+    -->
+    <script src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers
new file mode 100644
index 0000000000..58ddd21445
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.html
new file mode 100644
index 0000000000..25ddb5eec9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy"
+          content="object-src 'none'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      const t = async_test("Should block the object and fire a spv");
+      const expected = 3;
+      let count = 0;
+      window.addEventListener('securitypolicyviolation', t.step_func(e => {
+        count++;
+        assert_equals(e.violatedDirective, "object-src");
+        if (count == expected) {
+          t.done();
+        }
+      }));
+
+      function unexpectedObjectLoaded() {
+        t.step(() => {
+          assert_unreached('CSP should block this object from loading');
+        })
+      }
+
+    </script>
+
+    <object data="/content-security-policy/support/fail.png"
+            onload="unexpectedObjectLoaded()"
+            type="image/png">
+    </object>
+
+    <object data="/content-security-policy/support/fail.png"
+            onload="unexpectedObjectLoaded()">
+    </object>
+
+    <object data="application/x-webkit-test-netscape"
+            onload="unexpectedObjectLoaded()">
+    </object>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html
new file mode 100644
index 0000000000..a7cdbc9e9f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!--
+      Content-Security-Policy:
+        object-src 'self';
+        script-src 'self' 'unsafe-inline';
+        report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+    -->
+</head>
+
+<body>
+  <embed height="40" width="40" type="image/png"
+         src="/content-security-policy/support/pass.png"></embed>
+  <!--
+    We rely on the report because we can't rely on the onload event for
+    "allowed" tests as it is not fired for object and embed
+  -->
+  <script src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers
new file mode 100644
index 0000000000..29a3987e30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-url-embed-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-blocked.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-blocked.html
new file mode 100644
index 0000000000..e3f6b2f7ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-blocked.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should block the object and fire a spv");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "object-src");
+      }));
+    </script>
+
+    <embed height="40" width="40" type="image/png"
+           src="/content-security-policy/support/fail.png"></embed>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html
new file mode 100644
index 0000000000..18d796b0e9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} -->
+</head>
+
+<body>
+    <object type="image/png" data="/common-redirect.py?location=/content-security-policy/support/pass.png"></object>
+
+    <!-- we rely on the report because we can't rely on the onload event for
+         "allowed" tests as it is not fired for object and embed -->
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers
new file mode 100644
index 0000000000..10b5543c02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-url-redirect-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html
new file mode 100644
index 0000000000..2a8eefee29
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'self'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should block the object and fire a spv");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "object-src");
+      }));
+    </script>
+
+    <object type="image/png" data="/common/redirect.py?location=http://{{domains[www1]}}/content-security-policy/support/fail.png"></object>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/parsing/invalid-directive.html b/testing/web-platform/tests/content-security-policy/parsing/invalid-directive.html
new file mode 100644
index 0000000000..d96141ee1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/parsing/invalid-directive.html
@@ -0,0 +1,22 @@
+<meta http-equiv="content-security-policy" content="img-src 'none'; aaa;">
+<title>Parsing: Unknown directive is ignored</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  promise_test(async t => {
+    img = document.createElement('img');
+    img.src = "../support/fail.png";
+    return Promise.all([
+      new Promise((resolve, reject) => {
+        img.onerror = resolve;
+        img.onload = reject;
+      }),
+      new Promise(resolve => {
+        window.addEventListener('securitypolicyviolation', e => {
+          if (e.blockedURI.endsWith("/support/fail.png"))
+            resolve();
+        });
+      })
+    ]);
+  }, "Even if an unknown directive is specified, img-src is honored.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/plugin-types/plugin-types-ignored.html b/testing/web-platform/tests/content-security-policy/plugin-types/plugin-types-ignored.html
new file mode 100644
index 0000000000..cf27cdfc54
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/plugin-types/plugin-types-ignored.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+  <!-- Test that the old CSP directive 'plugin-types' has no effect anymore -->
+  <object type="application/pdf"></object>
+  <!-- we rely on the report because we can't rely on the onload event for
+         "allowed" tests as it is not fired for object and embed -->
+   <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/plugin-types/plugin-types-ignored.html.sub.headers b/testing/web-platform/tests/content-security-policy/plugin-types/plugin-types-ignored.html.sub.headers
new file mode 100644
index 0000000000..5508935fff
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/plugin-types/plugin-types-ignored.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugin-types-ignored={{$id:uuid()}}; Path=/content-security-policy/plugin-types/
+Content-Security-Policy: plugin-types application/x-shockwave-flash; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html
new file mode 100644
index 0000000000..ffdebe0eb3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports using the report-api service are sent when there's a violation</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <meta http-equiv="content-security-policy" content="script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group">
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+
+    async_test(function(t3) {
+      var observer = new ReportingObserver(function(reports, observer) {
+        t3.step(function() {
+          assert_equals(reports.length, 1);
+
+          // Ensure that the contents of the report are valid.
+          var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"
+          var document_url = base_url + "reporting-api/report-to-directive-allowed-in-meta.https.sub.html";
+          assert_equals(reports[0].type, "csp-violation");
+          assert_equals(reports[0].url, document_url);
+          assert_equals(reports[0].body.documentURL, document_url);
+          assert_equals(reports[0].body.referrer, "");
+          assert_equals(reports[0].body.blockedURL,
+                        base_url + "support/fail.png");
+          assert_equals(reports[0].body.effectiveDirective, "img-src");
+          assert_equals(reports[0].body.originalPolicy,
+                        "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");
+          assert_equals(reports[0].body.sourceFile, document_url);
+          assert_equals(reports[0].body.sample, "");
+          assert_equals(reports[0].body.disposition, "enforce");
+          assert_equals(reports[0].body.statusCode, 200);
+          assert_equals(reports[0].body.lineNumber, 54);
+          assert_equals(reports[0].body.columnNumber, 0);
+        });
+
+        t3.done();
+      });
+      observer.observe();
+    }, "Report is observable to ReportingObserver");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+
+  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers
new file mode 100644
index 0000000000..6f3ff61a03
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-to-directive-allowed-in-meta={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html
new file mode 100644
index 0000000000..cb3842854c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports using the report-api service are not sent when there's not validation</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image loads");
+    window.addEventListener("securitypolicyviolation",
+         t1.unreached_func("Should not have triggered a violation event"));
+  </script>
+  <img src='/content-security-policy/support/pass.png'
+       onload='t1.done();'
+       onerror='t1.unreached_func("The image should have loaded");'>
+
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers
new file mode 100644
index 0000000000..65b5afc5c8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-doesnt-send-reports-without-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'self'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html
new file mode 100644
index 0000000000..302025669d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that report-only policies still work with report-to</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.done();'
+       onerror='t1.unreached_func("The image should have loaded");'>
+
+  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers
new file mode 100644
index 0000000000..d1365ac3f7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-only-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
new file mode 100644
index 0000000000..82f0e6e7a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that report-to ignores tokens after the first one</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+  <!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. -->
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
new file mode 100644
index 0000000000..4de556aeef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-only-sends-reports-to-first-endpoint={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group csp-group-2
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}", csp-group-2="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
new file mode 100644
index 0000000000..ab62f47fb4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that report-to overrides report-uri. This tests report-uri before report-to in the policy</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+  <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers
new file mode 100644
index 0000000000..dfd3a4ed5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-overrides-report-uri-1={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri "/reporting/resources/report.py?op=put&reportID={{$id}}"; report-to csp-group
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
new file mode 100644
index 0000000000..eadbb54f43
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that report-to overrides report-uri. This tests report-uri after report-to in the policy</title>  <meta name=timeout content=long>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+  <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers
new file mode 100644
index 0000000000..87dfcf8789
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-overrides-report-uri-2={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group; report-uri "/reporting/resources/report.py?op=put&reportID={{$id}}"
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html
new file mode 100644
index 0000000000..94f14d94e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports using the report-api service are sent when there's a violation</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+
+    async_test(function(t3) {
+      var observer = new ReportingObserver(function(reports, observer) {
+        t3.step(function() {
+          assert_equals(reports.length, 1);
+
+          // Ensure that the contents of the report are valid.
+          var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"
+          var document_url = base_url + "reporting-api/reporting-api-sends-reports-on-violation.https.sub.html";
+          assert_equals(reports[0].type, "csp-violation");
+          assert_equals(reports[0].url, document_url);
+          assert_equals(reports[0].body.documentURL, document_url);
+          assert_equals(reports[0].body.referrer, "");
+          assert_equals(reports[0].body.blockedURL,
+                        base_url + "support/fail.png");
+          assert_equals(reports[0].body.effectiveDirective, "img-src");
+          assert_equals(reports[0].body.originalPolicy,
+                        "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");
+          assert_equals(reports[0].body.sourceFile, document_url);
+          assert_equals(reports[0].body.sample, "");
+          assert_equals(reports[0].body.disposition, "enforce");
+          assert_equals(reports[0].body.statusCode, 200);
+          assert_equals(reports[0].body.lineNumber, 53);
+          assert_equals(reports[0].body.columnNumber, 0);
+        });
+
+        t3.done();
+      });
+      observer.observe();
+    }, "Report is observable to ReportingObserver");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+
+  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers
new file mode 100644
index 0000000000..e6e488d4aa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html
new file mode 100644
index 0000000000..672c46e1aa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports using the report-api service are sent when there's a frame-ancestors violation</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <iframe src="https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/reporting-api/support/non-embeddable-frame.html?id={{$id:uuid()}}"></iframe>
+
+  <!-- Check that a report is sent to the child's reporting endpoint -->
+  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-ancestors%20%27none%27&reportID={{$id}}'></script>
+
+  <!-- Check that no report is sent to the parent's reporting endpoint -->
+  <script async defer src='../support/checkReport.sub.js?reportExists=false&testName=No%20report%20to%20parent.'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers
new file mode 100644
index 0000000000..bf4e24e77e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: reporting-api-works-on-frame-ancestors={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html
new file mode 100644
index 0000000000..b83a05ce4b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports using the report-api service are sent when there's a violation</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    async_test(function(t2) {
+      window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.html");
+        assert_equals(e.violatedDirective, "frame-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <iframe src="../support/fail.html"></iframe>
+
+  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers
new file mode 100644
index 0000000000..f85c8d26e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: reporting-api-works-on-frame-src={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}"
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; frame-src 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html
new file mode 100644
index 0000000000..94e1707e85
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html
@@ -0,0 +1 @@
+FAIL
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers
new file mode 100644
index 0000000000..26d794e1d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[alt][]}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{GET[id]}}" }] }
+Content-Security-Policy: frame-ancestors 'none'; report-to csp-group
diff --git a/testing/web-platform/tests/content-security-policy/reporting/multiple-report-policies.html b/testing/web-platform/tests/content-security-policy/reporting/multiple-report-policies.html
new file mode 100644
index 0000000000..c28e9ae44a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/multiple-report-policies.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>When multiple report-uri endpoints for multiple policies are specified, each gets a report</title>
+    <!-- CSP headers
+Content-Security-Policy-Report-Only: img-src http://* https://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+
+Content-Security-Policy-Report-Only: img-src http://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+-->
+</head>
+<body>
+    <img src="ftp://blah.test" />
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A%20https%3A%2F%2F%2A&testName=1-Violation%20report%20status%20OK'></script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A&reportCookieName=multiple-report-policies-2&testName=2-Violation%20report%20status%20OK'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers
new file mode 100644
index 0000000000..485b6832e7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers
@@ -0,0 +1,8 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: multiple-report-policies={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: img-src http://* https://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+Set-Cookie: multiple-report-policies-2={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: img-src http://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/post-redirect-stacktrace.https.html b/testing/web-platform/tests/content-security-policy/reporting/post-redirect-stacktrace.https.html
new file mode 100644
index 0000000000..9815cdfa19
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/post-redirect-stacktrace.https.html
@@ -0,0 +1,107 @@
+<!DOCTYPE html>
+<head>
+  <title>Check for post-redirect leak from StackTrace.</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/common/get-host-info.sub.js"></script>
+  <script src="/common/utils.js"></script>
+</head>
+<body>
+<script>
+
+const CROSS_ORIGIN = get_host_info().HTTPS_REMOTE_ORIGIN;
+const CROSS_SITE = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+const blank_path = "/common/blank.html"
+const redirect = url =>
+  `/content-security-policy/reporting/support/redirect-throw-function.sub.py?token=${token()}`;
+
+const script_path = "/content-security-policy/reporting/support/throw-function.js"
+const script_ref = "#ref"
+const script_attribute = "?secret=1234";
+
+promise_setup(async () => {
+  await new Promise(r => window.addEventListener("DOMContentLoaded", r));
+});
+
+let loadScript = origin => {
+  let script = document.createElement("script");
+  script.src = origin +
+    redirect(origin + script_path + script_attribute + script_ref);
+  let script_loaded = new Promise(r => script.onload = r);
+  document.head.appendChild(script);
+  return script_loaded;
+}
+
+// Note: .stack properties on errors are unspecified, but are present in most
+// browsers, most of the time. https://github.com/tc39/proposal-error-stacks
+// tracks standardizing them. Tests will pass automatically if the .stack
+// property isn't present.
+let getStack = async (origin) => {
+  await loadScript(origin);
+  try {
+    throw_function();
+  } catch (error) {
+    if (error.stack)
+      return error.stack.toString();
+  }
+  return "";
+};
+
+promise_test(async test => {
+  let data = await getStack(CROSS_ORIGIN);
+  assert_false(data.includes(script_ref), "Ref not leaked");
+  assert_false(data.includes(script_attribute), "Attribute not leaked");
+  assert_false(data.includes(script_path), "Path not leaked");
+}, "StackTrace do not leak cross-origin post-redirect URL");
+
+promise_test(async test => {
+  let data = await getStack(CROSS_SITE);
+  assert_false(data.includes(script_ref), "Ref not leaked");
+  assert_false(data.includes(script_attribute), "Attribute not leaked");
+  assert_false(data.includes(script_path), "Path not leaked");
+}, "StackTrace do not leak cross-site post-redirect URL");
+
+let getCspReport = async (origin) => {
+  // A promise to a future CSP violation.
+  let violation = new Promise(resolve => {
+    const observer = new ReportingObserver(reports => {
+      observer.disconnect();
+      resolve(JSON.stringify(reports));
+    });
+    observer.observe();
+  });
+
+  // This will be blocked by CSP:
+  let script = document.createElement("script");
+  script.src = origin +
+    redirect(origin + script_path + script_attribute + script_ref);
+  script.onload = () => { load_image(); };
+  document.head.appendChild(script);
+
+  return await violation;
+};
+
+// This block is needed to reproduce https://crbug.com/1074316. Without, the
+// next test passes. There is no 'source-file' found in report.
+// TODO(arthursonzogni): Investigate more. Find why this has side effects.
+promise_setup(async test => {
+  await getCspReport(CROSS_ORIGIN);
+}, "prewarm the cache");
+
+promise_test(async test => {
+  let data = await getCspReport(CROSS_ORIGIN);
+  assert_false(data.includes(script_ref), "Ref not leaked");
+  assert_false(data.includes(script_attribute), "Attribute not leaked");
+  assert_false(data.includes(script_path), "Path not leaked");
+}, "CSP report do not leak cross-origin post-redirect URL");
+
+promise_test(async test => {
+  let data = await getCspReport(CROSS_SITE);
+  assert_false(data.includes(script_ref), "Ref not leaked");
+  assert_false(data.includes(script_attribute), "Attribute not leaked");
+  assert_false(data.includes(script_path), "Path not leaked");
+}, "CSP report do not leak cross-site post-redirect URL");
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/post-redirect-stacktrace.https.html.headers b/testing/web-platform/tests/content-security-policy/reporting/post-redirect-stacktrace.https.html.headers
new file mode 100644
index 0000000000..644ed867f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/post-redirect-stacktrace.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: img-src 'none'; report-uri /endpoint
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-and-enforce.html b/testing/web-platform/tests/content-security-policy/reporting/report-and-enforce.html
new file mode 100644
index 0000000000..01f60800ed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-and-enforce.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Reporting and enforcing policies can be different</title>
+    <!-- CSP headers
+Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline'
+
+Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+-->
+</head>
+<body>
+    <script>
+        var img_test = async_test("The image should be blocked");
+        var sheet_test = async_test("The stylesheet should load");
+        <!-- This image should be blocked, but should not generate a report-->
+        var i = document.createElement('img');
+        i.onerror = img_test.step_func_done();
+        i.onload = img_test.unreached_func("Should not have loaded the img");
+        i.src = "../support/fail.png";
+        document.body.appendChild(i);
+        <!-- This font should be loaded but should generate a report-->
+        var s = document.createElement('link');
+        s.onerror = sheet_test.unreached_func("Should have loaded the font");
+        s.onload = sheet_test.step_func_done();
+        s.type = "text/css";
+        s.rel="stylesheet";
+        s.href = "../support/fonts.css";
+        document.body.appendChild(s);
+    </script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-and-enforce.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-and-enforce.html.sub.headers
new file mode 100644
index 0000000000..4d7e6f191a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-and-enforce.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-and-enforce={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline'
+Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-blocked-data-uri.html b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-data-uri.html
new file mode 100644
index 0000000000..681694f691
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-data-uri.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Data-uri images are reported correctly</title>
+    <!-- CSP headers
+Content-Security-Policy: img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+-->
+</head>
+<body>
+    <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers
new file mode 100644
index 0000000000..22c0494019
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html
new file mode 100644
index 0000000000..a2966dbafb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Cross-origin images are reported correctly</title>
+    <!-- CSP headers
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID=$id
+-->
+</head>
+<body>
+  <img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png">
+  <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers
new file mode 100644
index 0000000000..02ebafeefe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-uri-cross-origin={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri.html b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri.html
new file mode 100644
index 0000000000..1cfff902a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Blocked relative images are reported correctly</title>
+    <!-- CSP headers
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+-->
+</head>
+<body>
+    <img src="../support/pass.png">
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers
new file mode 100644
index 0000000000..8fb2f58aba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-uri={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-clips-sample.https.html b/testing/web-platform/tests/content-security-policy/reporting/report-clips-sample.https.html
new file mode 100644
index 0000000000..696a27ba75
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-clips-sample.https.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/content-security-policy/support/testharness-helper.js"></script>
+  <meta http-equiv="Content-Security-Policy"
+        content="require-trusted-types-for 'script'; trusted-types default">
+</head>
+<body>
+  <script>
+  promise_test(t => {
+    let evil = false;
+    assert_throws_js(EvalError, _ => {
+      eval("evil = '1234567890123456789012345678901234567890';");
+    });
+    assert_false(evil);
+    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
+      assert_equals(e.sample, "eval|evil = '12345678901234567890123456789012");
+    }));
+  }, "Unsafe eval violation sample is clipped to 40 characters.");
+
+  promise_test(t => {
+    assert_throws_js(EvalError, _ => {
+      new Function("a", "b", "return '1234567890123456789012345678901234567890';");
+    });
+    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
+      assert_equals(e.sample.replace(/\n/g, ""),
+                    "Function|(a,b) {return '12345678901234567890123");
+    }));
+  }, "Function constructor - the other kind of eval - is clipped.");
+
+  promise_test(t => {
+    const a = document.createElement("a");
+    assert_throws_js(TypeError, _ => {
+      a.innerHTML = "1234567890123456789012345678901234567890xxxx";
+    });
+    assert_equals(a.innerHTML, "");
+    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
+      assert_equals(e.sample, "Element innerHTML|1234567890123456789012345678901234567890");
+    }));
+  }, "Trusted Types violation sample is clipped to 40 characters excluded the sink name.");
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html
new file mode 100644
index 0000000000..b8203e9d30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Cookies are not sent on cross origin violation reports</title>
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- CSP headers
+         Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID=$id
+         -->
+</head>
+<body>
+<script>
+  promise_test(function(test) {
+    const path = encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/");
+    return fetch(
+      "/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + path,
+      {mode: 'no-cors', credentials: 'include'})
+    .then(() => {
+      test.add_cleanup(() => {
+        return fetch("/cookies/resources/set.py?cspViolationReportCookie1=; path=" + path + "; expires=Thu, 01 Jan 1970 00:00:01 GMT");
+      });
+
+      // This image will generate a CSP violation report.
+      const img = new Image();
+      img.onerror = test.step_func_done();
+      img.onload = test.unreached_func("Should not have loaded the image");
+
+      img.src = "../support/fail.png";
+      document.body.appendChild(img);
+    });
+  }, "Image should not load");
+</script>
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&noCookies=true'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers
new file mode 100644
index 0000000000..f65bd9ebf3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html
new file mode 100644
index 0000000000..0c58a5efd5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Reporting works with report-only frame-ancestors even if frame is blocked by X-Frame-Options</title>
+</head>
+<body>
+    <iframe src="./support/not-embeddable-frame.py?reportID={{$id:uuid()}}&reportOnly=true&xFrameOptions=DENY"></iframe>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors&reportID={{$id}}'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors.sub.html
new file mode 100644
index 0000000000..cd7bbcb973
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors.sub.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Reporting works with frame-ancestors</title>
+</head>
+<body>
+    <iframe src="./support/not-embeddable-frame.py?reportID={{$id:uuid()}}"></iframe>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors&reportID={{$id}}'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-01.html b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-01.html
new file mode 100644
index 0000000000..e64269c2de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-01.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Test multiple violations cause multiple reports</title>
+    <!-- CSP headers
+         Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+    <img src="../support/pass.png">
+    <img src="../support/pass2.png">
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&reportCount=2'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers
new file mode 100644
index 0000000000..f86f84b8b2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-multiple-violations-01={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-02.html b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-02.html
new file mode 100644
index 0000000000..cc64f151a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-02.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>This tests that multiple violations on a page trigger multiple reports
+        if and only if the violations are distinct.</title>
+    <!-- CSP headers
+         Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+  <script>
+    for (var i = 0; i<5; i++)
+      setTimeout("document.body.innerHTML += ('<p>PASS: setTimeout #" + i + " executed.');", 0);
+  </script>
+  <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27%20%27self%27&reportCount=1'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers
new file mode 100644
index 0000000000..e94e0dfa60
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-multiple-violations-02={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-only-in-meta.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-only-in-meta.sub.html
new file mode 100644
index 0000000000..4df9865d2c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-only-in-meta.sub.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Report-only policy not allowed in meta tag</title>
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- CSP headers
+         Content-Security-Policy: script-src 'unsafe-inline' 'self'
+         -->
+    <!-- since we try to set the report-uri in the meta tag, we have to set the cookie with the reportID in here instead of in the headers file -->
+    <meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id:uuid()}}">
+</head>
+<body>
+  <script>
+    var test = async_test("Image should load");
+
+    <!-- Set cookie for checking if the report exists
+      -->
+    fetch(
+      "support/set-cookie.py?name=report-only-in-meta&value={{$id}}&path=" + encodeURIComponent("/content-security-policy/reporting/"),
+      {mode: 'no-cors', credentials: 'include'})
+    .then(() => {
+      const img = new Image();
+      img.onload = test.step_func_done();
+      img.onerror = test.unreached_func("Should have loaded the image");
+
+      img.src = "../support/pass.png";
+      document.body.appendChild(img);
+
+      <!-- this needs to be done after setting the cookie so we do it here -->
+      const script = document.createElement('script');
+      script.async = true;
+      script.defer = true;
+      script.src = '../support/checkReport.sub.js?reportExists=false'
+      document.body.appendChild(script);
+
+      // Immediately declare a test so that the harness does not infer
+      // completion if the image loads before the script.
+      var checkReportTest = async_test("checkReport tests loaded");
+      script.onload = checkReportTest.step_func_done();
+      script.onerror = checkReportTest.unreached_func();
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers
new file mode 100644
index 0000000000..b56292b470
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'unsafe-inline' 'self'
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html
new file mode 100644
index 0000000000..757db4f37b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+    <!-- CSP headers
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+-->
+</head>
+<body>
+    <script nonce='abc'>
+      var t = async_test("Eval is allowed because the CSP is report-only");
+
+      var t_spv = async_test("SPV event is still raised");
+      t_spv.step_timeout(t_spv.unreached_func("SPV event has not been received"), 3000);
+      document.addEventListener('securitypolicyviolation', t_spv.step_func(e => {
+        assert_equals(e.violatedDirective, "script-src");
+        assert_equals(e.blockedURI, "eval");
+        t_spv.done();
+      }));
+
+      try {
+        eval("t.done()");
+      } catch {
+        t.step(t.unreached_func("The eval should have executed succesfully"));
+        t_spv.step(t_spv.unreached_func("The eval execution should have triggered a securitypolicyviolation event"));
+      }
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers
new file mode 100644
index 0000000000..5ca4a65261
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers
@@ -0,0 +1,4 @@
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: report-only-unsafe-eval={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html
new file mode 100644
index 0000000000..67db730631
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script async defer src='../support/checkReport.sub.js?reportField=blocked-uri&reportValue={{location[scheme]}}%3A%2F%2F{{location[host]}}/common/redirect.py%3Flocation%3Dhttp%253A%252F%252F{{hosts[][]}}%253A{{ports[http][0]}}%252Fcontent-security-policy%252Fsupport%252Ffail.html%253Ft%253D1'></script>
+<iframe src='{{location[scheme]}}://{{location[host]}}/common/redirect.py?location=http%3A%2F%2F{{hosts[][]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fsupport%2Ffail.html%3Ft%3D1' style='display: none;'>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html.sub.headers
new file mode 100644
index 0000000000..50b5438c4b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-original-url-on-mixed-content-frame={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: block-all-mixed-content; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-original-url.sub.html b/testing/web-platform/tests/content-security-policy/reporting/report-original-url.sub.html
new file mode 100644
index 0000000000..f95f7e3e6b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-original-url.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- CSP headers
+       Content-Security-Policy: img-src {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}; script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID=$id
+       -->
+</head>
+<body>
+<script>
+function createListener(expectedURL, test) {
+    var listener = test.step_func(e => {
+        if (e.blockedURI == expectedURL) {
+            document.removeEventListener('securitypolicyviolation', listener);
+            test.done();
+        }
+    });
+    document.addEventListener('securitypolicyviolation', listener);
+}
+
+async_test(t => {
+    var i = document.createElement('img');
+    createListener("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=1", t);
+    i.src = "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=1";
+}, "Direct block, same-origin = full URL in report");
+
+async_test(t => {
+    var i = document.createElement('img');
+    createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=2", t);
+    i.src = "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=2";
+}, "Direct block, cross-origin = full URL in report");
+
+async_test(t => {
+    var i = document.createElement('img');
+    var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3");
+    createListener(url, t);
+    i.src = url;
+}, "Block after redirect, same-origin = original URL in report");
+
+async_test(t => {
+    var i = document.createElement('img');
+    var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=4");
+    createListener(url, t);
+    i.src = url;
+}, "Block after redirect, cross-origin = original URL in report");
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src {{location[scheme]}}%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers
new file mode 100644
index 0000000000..b695417aef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-original-url={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: img-src {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}; script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-preload-and-consume.https.html b/testing/web-platform/tests/content-security-policy/reporting/report-preload-and-consume.https.html
new file mode 100644
index 0000000000..771434f673
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-preload-and-consume.https.html
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that reports are sent with credentials to same-origin endpoints</title>
+  <script src="/common/utils.js"></script>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='/reporting/resources/report-helper.js'></script>
+</head>
+<body>
+  <script>
+    const endpoint = '/reporting/resources/report.py';
+
+    promise_test(async t => {
+        const uid = token();
+        const win = window.open(`./support/preload-csp-report.https.sub.html?uid=${uid}`);
+        t.add_cleanup(() => win.close());
+        const reports = await pollReports(endpoint, uid);
+        const failures = reports.filter(r => r['csp-report']['blocked-uri'].endsWith('fail.png'));
+        assert_equals(failures.length, 2);
+    }, "Reporting endpoints received credentials.");
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-same-origin-with-cookies.html b/testing/web-platform/tests/content-security-policy/reporting/report-same-origin-with-cookies.html
new file mode 100644
index 0000000000..aa2ec6bd9d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-same-origin-with-cookies.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Cookies are sent on same origin violation reports</title>
+    <!-- CSP headers
+         Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+<script>
+  var test = async_test("Image should not load");
+  fetch(
+    "/cookies/resources/set-cookie.py?name=cspViolationReportCookie2&path=" + encodeURIComponent("/"),
+    {mode: 'no-cors', credentials: 'include'})
+  .then(() => {
+    test.add_cleanup(() => {
+      document.cookie = "cspViolationReportCookie2=; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT";
+    });
+
+    // This image will generate a CSP violation report.
+    const img = new Image();
+    img.onerror = test.step_func_done();
+    img.onload = test.unreached_func("Should not have loaded the image");
+
+    img.src = "../support/fail.png";
+    document.body.appendChild(img);
+  });
+</script>
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&cookiePresent=cspViolationReportCookie2'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers
new file mode 100644
index 0000000000..23fb823730
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-strips-fragment.html b/testing/web-platform/tests/content-security-policy/reporting/report-strips-fragment.html
new file mode 100644
index 0000000000..4ecfa845ec
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-strips-fragment.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/content-security-policy/support/testharness-helper.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+</head>
+<body>
+  <script>
+  async_test(t => {
+    waitUntilCSPEventForURL(t, "https://evil.com/img.png")
+      .then(t.step_func_done(e => {
+        var u = new URL(e.documentURI);
+        assert_equals(u.hash, "");
+      }));
+
+    window.location.hash = "should-not-appear-in-report";
+
+    var i = document.createElement("img");
+    i.src = "https://evil.com/img.png#boo";
+  }, "Reported document URI does not contain fragments.");
+  </script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-effective-directive.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-effective-directive.html
new file mode 100644
index 0000000000..0143d1bc82
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-effective-directive.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Violation report is sent if violation occurs.</title>
+    <!-- CSP headers
+         Content-Security-Policy: default-src 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+    <script>
+        // This script block will trigger a violation report.
+        alert('FAIL');
+    </script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers
new file mode 100644
index 0000000000..9b8c3d0fdb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-effective-directive={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: default-src 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-child-frame.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-child-frame.html
new file mode 100644
index 0000000000..1be496194b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-child-frame.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Reporting works in child iframes.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'">
+</head>
+<body>
+    <script nonce="abc">
+      window.onmessage = function(e) {
+        if (e.data == 'cookie set') {
+          var s = document.createElement('script');
+          s.async = true;
+          s.defer = true;
+          s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27nonce-abc%27&reportCookieName=generate-csp-report';
+          document.body.appendChild(s);
+        }
+      }
+    </script>
+    <iframe src="support/generate-csp-report.html"/>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-inline-javascript.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-inline-javascript.html
new file mode 100644
index 0000000000..1cb5a2c659
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-inline-javascript.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Violation report is sent from inline javascript.</title>
+    <!-- CSP headers
+         Content-Security-Policy: img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+    <script>
+        // This script block will trigger a violation report.
+        var i = document.createElement('img');
+        i.src = '/security/resources/abe.png';
+        document.body.appendChild(i);
+    </script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers
new file mode 100644
index 0000000000..fd2913a39b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-javascript.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-javascript.html
new file mode 100644
index 0000000000..d535811125
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-javascript.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Violation report is sent from javascript resource.</title>
+    <!-- CSP headers
+         Content-Security-Policy: img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+    <script src="../support/inject-image.js"></script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers
new file mode 100644
index 0000000000..faa23708e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple-reversed.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple-reversed.html
new file mode 100644
index 0000000000..5bbdc01a53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple-reversed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.</title>
+    <!-- CSP headers
+         Content-Security-Policy-Report-Only: img-src http://*; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+         Content-Security-Policy: img-src http://*
+         -->
+</head>
+<body>
+    <img src="ftp://blah.test" />
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers
new file mode 100644
index 0000000000..172c36dee0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-multiple-reversed={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: img-src http://*; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: img-src http://*
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple.html
new file mode 100644
index 0000000000..190c9ee31e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.</title>
+    <!-- CSP headers
+         Content-Security-Policy: img-src http://*
+         Content-Security-Policy-Report-Only: img-src http://*; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+      -->
+</head>
+<body>
+    <img src="ftp://blah.test" />
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers
new file mode 100644
index 0000000000..cf1073823d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-multiple={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: img-src http://*
+Content-Security-Policy-Report-Only: img-src http://*; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-scheme-relative.html b/testing/web-platform/tests/content-security-policy/reporting/report-uri-scheme-relative.html
new file mode 100644
index 0000000000..406238ead7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-scheme-relative.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Relative scheme URIs are accepted as the report-uri.</title>
+    <!-- CSP headers
+         Content-Security-Policy: script-src 'self'; report-uri //{{location[host]}}/reporting/resources/report.py?op=put&reportID={{$id}}
+         -->
+</head>
+<body>
+  <script>
+    // This script block will trigger a violation report.
+    alert('FAIL');
+  </script>
+  <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers
new file mode 100644
index 0000000000..97e302a4b7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-scheme-relative={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: script-src 'self'; report-uri //{{location[host]}}/reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/generate-csp-report.html b/testing/web-platform/tests/content-security-policy/reporting/support/generate-csp-report.html
new file mode 100644
index 0000000000..c2024c0a1b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/generate-csp-report.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <script nonce='abc'>
+      top.postMessage('cookie set', '*');
+    </script>
+    <script>
+        // This script block will trigger a violation report.
+        alert('FAIL');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers
new file mode 100644
index 0000000000..7993b3e286
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generate-csp-report={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy: script-src 'self' 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/not-embeddable-frame.py b/testing/web-platform/tests/content-security-policy/reporting/support/not-embeddable-frame.py
new file mode 100644
index 0000000000..9e65b42435
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/not-embeddable-frame.py
@@ -0,0 +1,10 @@
+def main(request, response):
+    headers = []
+    if request.GET.first(b'xFrameOptions', None):
+        headers.append((b'X-Frame-Options', request.GET[b'xFrameOptions']))
+
+    csp_header = b'Content-Security-Policy-Report-Only' \
+        if request.GET.first(b'reportOnly', None) == b'true' else b'Content-Security-Policy'
+    headers.append((csp_header, b"frame-ancestors 'none'; report-uri /reporting/resources/report.py?op=put&reportID=" + request.GET[b'reportID']))
+
+    return headers, b'{}'
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/preload-csp-report.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting/support/preload-csp-report.https.sub.html
new file mode 100644
index 0000000000..6b79414edd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/preload-csp-report.https.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<body>
+<!-- This image will cause a CSP violation, which will trigger an immediate report -->
+<script>
+    const href = "/reporting/resources/fail.png";
+
+    window.addEventListener('load', async () => {
+        // Trigger a CSP error.
+        await new Promise(resolve => {
+            const link = document.createElement('link');
+            link.rel = 'preload';
+            link.href = href;
+            link.as = 'image';
+            document.head.appendChild(link);
+            link.addEventListener('error', resolve);
+        });
+
+        // Trigger a second CSP error by consuming.
+        await new Promise(resolve => {
+            const img = document.createElement('img');
+            img.src = href;
+            img.addEventListener('error', resolve);
+            document.body.appendChild(img);
+        });
+    });
+</script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/preload-csp-report.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/support/preload-csp-report.https.sub.html.sub.headers
new file mode 100644
index 0000000000..bb0506b41d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/preload-csp-report.https.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: img-src none; report-uri /reporting/resources/report.py?op=put&reportID={{GET[uid]}}
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/redirect-throw-function.sub.py b/testing/web-platform/tests/content-security-policy/reporting/support/redirect-throw-function.sub.py
new file mode 100644
index 0000000000..1bc89abf71
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/redirect-throw-function.sub.py
@@ -0,0 +1,10 @@
+import re
+
+from wptserve.utils import isomorphic_encode
+
+def main(request, response):
+    response.status = 302
+    location = re.sub(b'redirect-throw-function.*',
+                      b'throw-function.js?secret=1234#ref',
+                      isomorphic_encode(request.url))
+    response.headers.set(b"Location", location)
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/set-cookie.py b/testing/web-platform/tests/content-security-policy/reporting/support/set-cookie.py
new file mode 100644
index 0000000000..e720c5c2cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/set-cookie.py
@@ -0,0 +1,33 @@
+from datetime import date
+
+def main(request, response):
+    """
+    Returns cookie name and path from query params in a Set-Cookie header.
+
+    e.g.
+
+    > GET /cookies/resources/set-cookie.py?name=match-slash&path=%2F HTTP/1.1
+    > Host: localhost:8000
+    > User-Agent: curl/7.43.0
+    > Accept: */*
+    >
+    < HTTP/1.1 200 OK
+    < Content-Type: application/json
+    < Set-Cookie: match-slash=1; Path=/; Expires=09 Jun 2021 10:18:14 GMT
+    < Server: BaseHTTP/0.3 Python/2.7.12
+    < Date: Tue, 04 Oct 2016 18:16:06 GMT
+    < Content-Length: 80
+    """
+
+    name = request.GET[b'name']
+    path = request.GET[b'path']
+    value = request.GET.first(b'value', b"1")
+    expiry_year = date.today().year + 1
+    cookie = b"%s=%s; Path=%s; Expires=09 Jun %d 10:18:14 GMT" % (name, value, path, expiry_year)
+
+    headers = [
+        (b"Content-Type", b"application/json"),
+        (b"Set-Cookie", cookie)
+    ]
+    body = b"{}"
+    return headers, body
diff --git a/testing/web-platform/tests/content-security-policy/reporting/support/throw-function.js b/testing/web-platform/tests/content-security-policy/reporting/support/throw-function.js
new file mode 100644
index 0000000000..d0e9d203dd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/throw-function.js
@@ -0,0 +1,9 @@
+function throw_function() {
+  throw new Error("an error");
+}
+
+function load_image() {
+  let img = document.createElement('img');
+  document.body.append(img);
+  img.src = "/xhr/resources/img.jpg"
+}
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html
new file mode 100644
index 0000000000..c1954641b1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/content-security-policy/support/testharness-helper.js"></script>
+<script src="/content-security-policy/support/prefetch-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline'; img-src http://{{domains[www2]}}:{{ports[http][0]}}"/>
+
+<script>
+  const { OTHER_ORIGIN, REMOTE_ORIGIN } = get_host_info();
+
+  promise_test(async (t) => {
+    const url = new URL("/common/dummy.xml", location.href);
+    assert_true(await try_to_prefetch(url, t));
+  }, "Prefetch should succeed when restricted by default-src but allowed by " +
+     "other directive");
+
+  promise_test(async (t) => {
+    const url = new URL("/common/dummy.xml", REMOTE_ORIGIN);
+    assert_false(await try_to_prefetch(url, t));
+  }, "Prefetch should fail when restricted by default-src and different " +
+     "origin allowed by other directive");
+
+  promise_test(async (t) => {
+    const url = new URL("/common/dummy.xml", OTHER_ORIGIN);
+    assert_true(await try_to_prefetch(url, t));
+  }, "Prefetch should succeed when restricted by default-src but origin " +
+     "allowed by other directive");
+</script>
+</head>
+<body></body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html
new file mode 100644
index 0000000000..fa31e941eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+  <head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='/common/utils.js'></script>
+    <script src='/content-security-policy/support/testharness-helper.js'></script>
+    <script src='/content-security-policy/support/prefetch-helper.js'></script>
+
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'">
+    <script>
+      promise_test(async t => {
+        assert_true(await try_to_prefetch("/common/dummy.xml", t));
+      }, 'Prefetch should succeed when allowed by default-src');
+    </script>
+  </head>
+
+  <body>
+  </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html
new file mode 100644
index 0000000000..195c927a8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+  <head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='/common/utils.js'></script>
+    <script src='/content-security-policy/support/testharness-helper.js'></script>
+    <script src='/content-security-policy/support/prefetch-helper.js'></script>
+
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; font-src 'self'; child-src 'self';">
+    <script>
+      promise_test(async t => {
+        assert_true(await try_to_prefetch("/common/dummy.xml", t));
+      }, 'Prefetch should succeed when there is no default-src');
+    </script>
+  </head>
+
+  <body>
+  </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html
new file mode 100644
index 0000000000..fe7cce0efb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='/common/utils.js'></script>
+  <script src='/content-security-policy/support/testharness-helper.js'></script>
+  <script src='/content-security-policy/support/prefetch-helper.js'></script>
+  <!-- These policies are for test-harness itself-->
+  <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'; img-src *; connect-src 'none'">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'; img-src 'none'; connect-src *">
+  <script>
+    promise_test(async t => {
+      assert_true(await try_to_prefetch("/common/dummy.xml", t));
+    }, 'Prefetch should succeed when a directive in a policy is permissive, ' +
+       'even if a subsequent policy overrides that.');
+  </script>
+  </head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html
new file mode 100644
index 0000000000..b53b021e6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+  <head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='/common/utils.js'></script>
+    <script src='/content-security-policy/support/testharness-helper.js'></script>
+    <script src='/content-security-policy/support/prefetch-helper.js'></script>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
+    <script>
+      promise_test(async t => {
+        assert_false(await try_to_prefetch("/common/dummy.xml", t));
+      }, 'Prefetch should fail when restricted by default-src');
+    </script>
+  </head>
+
+  <body>
+  </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html
new file mode 100644
index 0000000000..6780c80e8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='/common/utils.js'></script>
+  <script src='/content-security-policy/support/testharness-helper.js'></script>
+  <script src='/content-security-policy/support/prefetch-helper.js'></script>
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'">
+  <script>
+    promise_test(async t => {
+      assert_false(await try_to_prefetch("/common/dummy.xml", t));
+    }, 'Prefetch should fail when restricted by default-src');
+  </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html
new file mode 100644
index 0000000000..b08d885c1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html
@@ -0,0 +1,90 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src='/resources/testharness.js'></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src='/common/utils.js'></script>
+<script src='/content-security-policy/support/testharness-helper.js'></script>
+<script>
+
+const directives = {
+  'script-src': true,
+  'img-src': true,
+  'connect-src': true,
+  'object-src': true,
+  'font-src': true,
+  'manifest-src': true,
+  'media-src': true,
+  'style-src': true,
+  'child-src': true,
+  'frame-src': true,
+  'worker-src': true,
+  'base-uri': false,
+};
+
+function prefetch_with_csp_in_a_popup(byDirective, t) {
+  // Allow inline scripts so that we can run the postMessage script...
+  if (byDirective["script-src"] === "*")
+    byDirective["script-src"] = "* 'unsafe-inline'";
+  else
+    byDirective["script-src"] = "'unsafe-inline'";
+
+  const url = new URL('/content-security-policy/support/prefetch-with-csp.html', location.href);
+  const csp = Object.entries(byDirective).map(([key, value]) => `${key} ${value}`).join(";");
+  url.searchParams.set("pipe", `header(Content-Security-Policy, ${csp})`);
+  const uid = token();
+  url.searchParams.set("uid", uid);
+  const bc = new BroadcastChannel(uid);
+  const popup = window.open(url.href);
+  t.add_cleanup(() => popup.close());
+  return new Promise(resolve => {
+    bc.addEventListener("message", ({data}) => {
+      resolve(data);
+    });
+  });
+}
+
+for (const directive in directives) {
+  promise_test(async t => {
+    const byDirective = Object.fromEntries(Object.keys(directives).map(d => [d, "'none'"]));
+    byDirective[directive] = "*";
+    byDirective["default-src"] = "'none'";
+    const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+    assert_equals(prefetch_ok, directives[directive], directive);
+  }, `Test that ${directive} enabled with everything else disabled allows prefetching`);
+
+  promise_test(async t => {
+    const byDirective = {
+      "default-src": "'none'",
+      [directive]: "*",
+    };
+    const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+    assert_equals(prefetch_ok, directives[directive], directive);
+  }, `Test that ${directive} enabled with default-src disabled allows prefetching`);
+}
+
+promise_test(async t => {
+    const byDirective = {
+      "default-src": "'none'",
+      "script-src-elem": "* 'unsafe-inline'",
+      "script-src": "'none'",
+    };
+    const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+    assert_true(prefetch_ok);
+  }, `Test that permissive script-src-elem supersedes script-src`);
+
+promise_test(async t => {
+  const byDirective = {
+    "default-src": "'none'",
+    "script-src-elem": "'unsafe-inline'",
+    "script-src": "*",
+  };
+  const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+  assert_true(prefetch_ok);
+}, `Test that permissive script-src supersedes script-src-elem`);
+
+</script>
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html
new file mode 100644
index 0000000000..f9350bd657
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src='/common/utils.js'></script>
+<script src='/content-security-policy/support/testharness-helper.js'></script>
+<script src="/content-security-policy/support/prefetch-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; prefetch-src http://{{domains[www2]}}:{{ports[http][0]}}"/>
+
+<script>
+  promise_test(async (t) => {
+    assert_false(await
+      try_to_prefetch('http://{{domains[www2]}}:{{ports[http][0]}}/common/dummy.xml',
+      t));
+  }, "Prefetch should fail when restricted by default-src and allowed by " +
+     "unsupported prefetch-src directive (prefetch-src should be ignored)");
+</script>
+</head>
+<body></body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html
new file mode 100644
index 0000000000..87f2937b84
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='/common/utils.js'></script>
+  <script src='/content-security-policy/support/testharness-helper.js'></script>
+  <script src='/content-security-policy/support/prefetch-helper.js'></script>
+  <script>
+    promise_test(async t => {
+      assert_true(await try_to_prefetch("/common/dummy.xml", t));
+    }, 'Prefetch succeeds when no CSP');
+  </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/iframe-inside-csp.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/iframe-inside-csp.sub.html
new file mode 100644
index 0000000000..cd402bdba0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/iframe-inside-csp.sub.html
@@ -0,0 +1,18 @@
+<html>
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS (1/2): Script can execute","PASS (2/2): Eval works"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<body>
+  <script>
+    window.onmessage = function(e) {
+      log(e.data);
+    }
+  </script>
+  <iframe src="support/sandboxed-eval.sub.html"></iframe>
+</body>
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/meta-element.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/meta-element.sub.html
new file mode 100644
index 0000000000..cd8da8f14c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/meta-element.sub.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta content="sandbox allow-scripts" http-equiv="Content-Security-Policy">
+<body>
+<iframe id="iframe"></iframe>
+<script>
+// According to
+// https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy
+// `sandbox` directives must be ignored when delivered via `<meta>`.
+test(() => {
+  assert_equals(location.origin, "{{location[scheme]}}://{{location[host]}}");
+}, "Document shouldn't be sandboxed by <meta>");
+
+// Note: sandbox directive for workers are not yet specified.
+// https://github.com/w3c/webappsec-csp/issues/279
+// Anyway workers shouldn't be affected by sandbox directives in `<meta>`.
+async_test(t => {
+  const worker = new Worker("support/post-origin-on-load-worker.js");
+  worker.onerror = t.unreached_func("Worker construction failed");
+  worker.onmessage = t.step_func_done(e => {
+    assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}");
+  });
+}, "Worker shouldn't be sandboxed by inheriting <meta>");
+
+parent.async_test(t => {
+  // Although <iframe about:blank> should inherit parent's CSP,
+  // sandbox directives in <meta> should be ignored in the first place,
+  // so workers created from such <iframe>s shouldn't also be sandboxed.
+  const iframeDocument = document.querySelector("#iframe").contentDocument;
+  const script = iframeDocument.createElement("script");
+  script.innerText = `
+    const worker = new Worker("support/post-origin-on-load-worker.js");
+    worker.onerror = () => parent.postMessage("onerror", "*");
+    worker.onmessage = (e) => parent.postMessage(e.data, "*");
+  `;
+  iframeDocument.body.appendChild(script);
+
+  // Receive message from <iframe>.
+  onmessage = t.step_func_done(e => {
+    assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}");
+  });
+}, "Worker shouldn't be sandboxed when created <iframe> inheriting parent's CSP with sandbox <meta>");
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html
new file mode 100644
index 0000000000..1d6db3cde7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Message"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+       window.onmessage = function(e) {
+           log(e.data);
+       }
+    </script>
+
+    <iframe src="support/sandboxed-data-iframe.sub.html?sandbox=allow-scripts"></iframe>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html
new file mode 100644
index 0000000000..e58402e4ba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Message"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+       window.onmessage = function(e) {
+           log(e.data);
+       }
+    </script>
+
+    <iframe src="support/sandboxed-post-message-to-parent.html?sandbox=allow-scripts"></iframe>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html
new file mode 100644
index 0000000000..3396e566b8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS2"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+       window.onmessage = function(e) {
+           log(e.data);
+       }
+    </script>
+
+    <iframe src="support/sandboxed-data-iframe.sub.html?sandbox="
+            onload="log('PASS2')"></iframe>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty.sub.html
new file mode 100644
index 0000000000..4703471020
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS2"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>This test passes if it does alert pass.</p>
+
+    <script>
+       window.onmessage = function(e) {
+           log(e.data);
+       }
+    </script>
+
+    <iframe src="support/sandboxed-post-message-to-parent.sub.html?sandbox="
+            onload="log('PASS2')"></iframe>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html
new file mode 100644
index 0000000000..8b7d72e0ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+<body>
+<script>
+let frame = null;
+let worker = null;
+const scope = 'support/empty.html';
+const script = 'support/sandboxed-service-worker.js';
+
+// Currently, sandbox directives for workers are not specified
+// https://github.com/w3c/webappsec-csp/issues/279
+// and thus this test asserts that the origin of ServiceWorker is not sandboxed.
+
+// Global setup: this must be the first promise_test.
+promise_test(async (t) => {
+  const registration =
+      await service_worker_unregister_and_register(t, script, scope);
+  worker = registration.installing;
+  await wait_for_state(t, worker, 'activated');
+  frame = await with_iframe(scope);
+
+  // Global cleanup: the final promise_test.
+  promise_test(() => {
+    if (frame)
+      frame.remove();
+     return registration.unregister();
+  }, 'global cleanup');
+}, 'global setup');
+
+promise_test(async (t) => {
+  const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
+  const j = await r.json();
+  assert_equals(j.origin, location.origin, 'Origin should not be sandboxed');
+}, 'Origin of service worker');
+
+promise_test(async (t) => {
+  const r = await frame.contentWindow.fetch('/get-origin',
+                                            {mode: 'same-origin'});
+  const j = await r.json();
+  assert_equals(j.origin, location.origin, 'Origin should not be opaque');
+}, 'Response generated by service worker can be fetched as same-origin');
+
+// Because the origin of service worker should be `location.origin`,
+// fetches from service worker to `location.origin` should be successful.
+for (const mode of ['same-origin', 'cors']) {
+  for (const hasACAOrigin of [true, false]) {
+    promise_test(async (t) => {
+      const final_url = new URL('/fetch/api/resources/', location);
+      final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt';
+      final_url.searchParams.set('hash', Math.random());
+
+      const url = new URL('/fetch', location);
+      url.searchParams.set('url', final_url);
+      url.searchParams.set('hash', Math.random());
+      const r = await frame.contentWindow.fetch(url, {mode});
+      const text = await r.text();
+      assert_equals(text, 'top');
+    }, 'Origin used in fetch on service worker (mode: ' +
+       mode +
+       (hasACAOrigin ? ', with ACAOrigin' : '') +
+       ')');
+  }
+}
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/shared-worker-sandbox.html b/testing/web-platform/tests/content-security-policy/sandbox/shared-worker-sandbox.html
new file mode 100644
index 0000000000..86b39b9ad4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/shared-worker-sandbox.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+// Currently, sandbox directives for workers are not specified
+// https://github.com/w3c/webappsec-csp/issues/279
+// and thus this test asserts that the origin of SharedWorker is not sandboxed.
+async_test(t => {
+  const worker = new SharedWorker("support/sandboxed-shared-worker.js?" + Math.random());
+  worker.onerror = t.unreached_func("SharedWorker construction failed");
+  worker.port.onmessage = t.step_func_done(e => {
+    assert_equals(e.data, location.origin, "Origin should not be sandboxed");
+  });
+}, "sandbox directive for SharedWorker");
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/empty.html b/testing/web-platform/tests/content-security-policy/sandbox/support/empty.html
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/empty.html
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/post-origin-on-load-worker.js b/testing/web-platform/tests/content-security-policy/sandbox/support/post-origin-on-load-worker.js
new file mode 100644
index 0000000000..21ce5748ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/post-origin-on-load-worker.js
@@ -0,0 +1 @@
+postMessage(self.origin);
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html
new file mode 100644
index 0000000000..fafd4dc770
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html
@@ -0,0 +1 @@
+<iframe src="data:text/html,&lt;script&gt;window.top.postMessage(&apos;Message&apos;,&apos;*&apos;);&lt;/script&gt;"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers
new file mode 100644
index 0000000000..a7ea308208
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox {{GET[sandbox]}};
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html
new file mode 100644
index 0000000000..9480e521de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html
@@ -0,0 +1,4 @@
+<script>
+  window.parent.postMessage('PASS (1/2): Script can execute', '*');
+  eval("window.parent.postMessage('PASS (2/2): Eval works', '*')");
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers
new file mode 100644
index 0000000000..c7e4e7cc5b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html
new file mode 100644
index 0000000000..ef4b1a0b95
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html
@@ -0,0 +1,3 @@
+<script>
+  window.top.postMessage("Message", "*");
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html
new file mode 100644
index 0000000000..ebbb54d36d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html
@@ -0,0 +1,3 @@
+<script>
+  window.opener.postMessage(window.testProperty, "*");
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers
new file mode 100644
index 0000000000..a7ea308208
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox {{GET[sandbox]}};
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js
new file mode 100644
index 0000000000..d4971266f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js
@@ -0,0 +1,14 @@
+self.addEventListener('fetch', function(event) {
+    const url = new URL(event.request.url);
+    if (url.pathname.indexOf('get-origin') != -1) {
+      event.respondWith(new Promise(function(resolve) {
+        resolve(new Response(JSON.stringify({
+            origin: self.origin
+          })));
+        }));
+    }
+    else if (url.pathname.indexOf('fetch') != -1) {
+      event.respondWith(fetch(url.searchParams.get('url'),
+                              {mode: event.request.mode}));
+    }
+  });
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers
new file mode 100644
index 0000000000..1efcf8c226
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js
new file mode 100644
index 0000000000..eb85eb41b4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js
@@ -0,0 +1,3 @@
+self.onconnect = e => {
+  e.ports[0].postMessage(self.origin);
+};
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js.headers
new file mode 100644
index 0000000000..1efcf8c226
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html b/testing/web-platform/tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html
new file mode 100644
index 0000000000..ebbb54d36d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html
@@ -0,0 +1,3 @@
+<script>
+  window.opener.postMessage(window.testProperty, "*");
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-sandboxed.html b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-sandboxed.html
new file mode 100644
index 0000000000..a7a080daf7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-sandboxed.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Window object should not be reused");
+
+      window.onmessage = t.step_func_done(function(e) {
+        assert_equals(e.data, undefined);
+      });
+
+      w = window.open("support/sandboxed-post-property-to-opener.html?sandbox=allow-scripts","","width=400,height=400");
+      w.testProperty = "test";
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-unsandboxed.html b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-unsandboxed.html
new file mode 100644
index 0000000000..dd69c41354
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-unsandboxed.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Window object should be reused");
+
+      window.onmessage = t.step_func_done(function(e) {
+        assert_equals(e.data, "test");
+      });
+
+      w = window.open("support/unsandboxed-post-property-to-opener.html","","width=400,height=400");
+      w.testProperty = "test";
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html
new file mode 100644
index 0000000000..d4c19c5466
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-inline';
+    script-src 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should not fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+
+    <img src="../support/pass.png" onload="t.done()">
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html
new file mode 100644
index 0000000000..199726e212
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'none';
+    script-src 'unsafe-inline' 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+
+    <img src="../support/pass.png" onload="t.unreached_func('Should not have executed the inline handler')">
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html
new file mode 100644
index 0000000000..c21898377e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' 'unsafe-inline';
+    script-src-attr 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should fire a security policy violation for the attribute");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+
+      var t1 = async_test("Should execute the inline script block");
+    </script>
+
+    <script>
+      t1.done();
+    </script>
+
+    <img src="../support/pass.png" onload="t.unreached_func('should not have run this event handler')">
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html
new file mode 100644
index 0000000000..c7954613c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'nonce-def';
+    script-src 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should not fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+
+    <script nonce='def'>
+      t.done();
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html
new file mode 100644
index 0000000000..4a85c15376
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'self';
+    script-src-attr 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should fire a security policy violation for the attribute");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+
+      var t1 = async_test("Should execute the inline script attribute");
+    </script>
+
+    <script>
+      t.step_func(function() {
+        assert_unreached("Should not have executed the inline script block");
+      })
+    </script>
+
+    <img src="../support/pass.png" onload="t1.done()">
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html
new file mode 100644
index 0000000000..ac4726f9f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc';
+    script-src 'nonce-abc' 'nonce-def';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should fire a spv event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+
+    </script>
+
+    <script nonce='def'>
+      t.step_func(function() {
+        assert_unreached("Should not have executed the inline block");
+      });
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html
new file mode 100644
index 0000000000..b654377823
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'strict-dynamic' 'nonce-abc';
+    script-src 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should not fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+
+      var s = document.createElement('script');
+      s.src = 'support/t_done.js';
+      document.head.appendChild(s);
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html
new file mode 100644
index 0000000000..04394dc33a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-abc';
+    script-src-elem 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "script-src-elem");
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/script-src-attr-elem/support/t_fail.js");
+      }));
+
+      var s = document.createElement('script');
+      s.src = 'support/t_fail.js';
+      document.head.appendChild(s);
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/support/t_done.js b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/support/t_done.js
new file mode 100644
index 0000000000..e31eb1d959
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/support/t_done.js
@@ -0,0 +1 @@
+t.done();
diff --git a/testing/web-platform/tests/content-security-policy/script-src-attr-elem/support/t_fail.js b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/support/t_fail.js
new file mode 100644
index 0000000000..fa48d6e2c5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src-attr-elem/support/t_fail.js
@@ -0,0 +1,3 @@
+t.step(function() {
+  assert_unreached("Should not loaded the script");
+});
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
new file mode 100644
index 0000000000..9bfe201711
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
@@ -0,0 +1,4 @@
+var dataScriptRan = false;
+
+var t_spv = async_test("Test that no report violation event was raised");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have raised any securitypolicyviolation event"));
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
new file mode 100644
index 0000000000..ff159db33c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
@@ -0,0 +1,5 @@
+test(function () {
+            assert_true(dataScriptRan, "data script ran");
+        }, "Verify that data: as script src runs with this policy");
+
+t_spv.done();
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
new file mode 100644
index 0000000000..02c8c8cdd4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -0,0 +1,28 @@
+(function () {
+  var t_spv = async_test("Test that securitypolicyviolation event is fired");
+  var test_count = 2;
+
+  window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+   assert_equals(e.violatedDirective, "script-src-elem");
+   if (--test_count <= 0) {
+    t_spv.done();
+   }
+  }));
+
+
+  var dmTest = async_test("DOM manipulation inline tests");
+  var attachPoint = document.getElementById('attachHere');
+  var inlineScript = document.createElement('script');
+  var scriptText = document.createTextNode('dmTest.step(function() {assert_unreached("Unsafe inline script ran - createTextNode.")});');
+
+  inlineScript.appendChild(scriptText);
+  attachPoint.appendChild(inlineScript);
+
+  document.getElementById('emptyScript').innerHTML = 'dmTest.step(function() {assert_unreached("Unsafe inline script ran - innerHTML.")});';
+  document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>dmTest.step(function() {assert_unreached("Unsafe inline script ran - outerHTML.")});</script>';
+
+  document.write('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.write")});</script>');
+  document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>');
+
+  dmTest.done();
+})();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
new file mode 100644
index 0000000000..8cd092147c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
@@ -0,0 +1,21 @@
+(function ()
+{
+ var workerSource = document.getElementById('inlineWorker');
+ var blob = new Blob([workerSource.textContent]);
+
+ // can I create a new script tag like this? ack...
+ var url = window.URL.createObjectURL(blob);
+
+ try {
+   var worker = new Worker(url);
+ }
+ catch (e) {
+   done();
+ }
+
+ worker.addEventListener('message', function(e) {
+   assert_unreached("script ran");
+ }, false);
+
+ worker.postMessage('');
+})();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/crossoriginScript.js b/testing/web-platform/tests/content-security-policy/script-src/crossoriginScript.js
new file mode 100644
index 0000000000..08535fa552
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/crossoriginScript.js
@@ -0,0 +1,3 @@
+// Identical to simpleSourcedScript.js but with a different hash, thanks to
+// this comment!
+window.postMessage(document.currentScript.id, "*");
diff --git a/testing/web-platform/tests/content-security-policy/script-src/crossoriginScript.js.headers b/testing/web-platform/tests/content-security-policy/script-src/crossoriginScript.js.headers
new file mode 100644
index 0000000000..cb762eff80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/crossoriginScript.js.headers
@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *
diff --git a/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
new file mode 100644
index 0000000000..6ee3785dc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
@@ -0,0 +1,19 @@
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} -->
+</head>
+<body>
+  <script>
+    var t = async_test("Eval is allowed because the CSP is report-only");
+    try {
+      eval("t.done()");
+    } catch {
+      t.step(function() { assert_true(false, "The eval should have execute succesfully"); })
+    }
+  </script>
+
+  <script async defer src="../support/checkReport.sub.js?reportField=blocked-uri&reportValue=eval"></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
new file mode 100644
index 0000000000..09d8adec37
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: eval-allowed-in-report-only-mode-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/script-src
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html
new file mode 100644
index 0000000000..eebc8f026f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Content-Security-Policy-Report-Only: script-src 'unsafe-inline' -->
+</head>
+<body>
+  <script>
+    var t = async_test("Eval is allowed because the CSP is report-only");
+    try {
+      eval("t.done()");
+    } catch {
+      t.step(function() { assert_true(false, "The eval should have execute succesfully"); })
+    }
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers
new file mode 100644
index 0000000000..b9b5d81acc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/externalScript.js b/testing/web-platform/tests/content-security-policy/script-src/externalScript.js
new file mode 100644
index 0000000000..2920b03c9b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/externalScript.js
@@ -0,0 +1 @@
+externalRan = true;
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html
new file mode 100644
index 0000000000..0d0f46fda4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-c6TzhBw/snA+hlDMGOuKLWXIkb2sawA/S1wbSe6FeEM=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t1 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t1.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (micro sign) has the value of 0xB5 in latin-1 and of 0xC2B5 in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - latin micro sign
+      t1.done();
+    </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers
new file mode 100644
index 0000000000..acc92f4e80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=iso-8859-1
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html
new file mode 100644
index 0000000000..d4a0de41e2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t3 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (latin capital letter g with breve) has the value of 0xAB in latin-3 and of 0xC49E in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - latin capital letter g with breve
+      t3.done();
+    </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers
new file mode 100644
index 0000000000..ae3e03dae1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=iso-8859-3
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html
new file mode 100644
index 0000000000..62876f1e43
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-ST0rpskqtEC0Q0hqbIAZFeE1KBMJeGZGyYaTcTkieG8=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t2 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t2.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (greek small letter mu) has the value of 0xEC in latin-7 and of 0xCEBC in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - greek small letter mu
+      t2.done();
+    </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers
new file mode 100644
index 0000000000..9550b0de30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=iso-8859-7
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html
new file mode 100644
index 0000000000..8c1db6d203
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t3 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (latin capital letter g with breve) has the value of 0xD0 in latin-9 and of 0xC49E in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - latin capital letter g with breve
+      t3.done();
+    </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers
new file mode 100644
index 0000000000..6382ff86a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=iso-8859-9
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html
new file mode 100644
index 0000000000..58730a72cc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html
@@ -0,0 +1,31 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-YJSaNEZFStZqU2Mp2EttwhcP2aT9lnDvexn+BM2HfKo=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t = async_test("Should convert the script contents to UTF-8 before hashing");
+      var count = 0;
+      var script_ran = function() {
+        // if both blocks run the tests is succsssful
+        if (++count == 2) t.done();
+      }
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a spv"));
+
+      // Insert a script element that contains the U+FFFD replacement character
+      var scr1 = document.createElement('script');
+      scr1.text ="//\uFFFD\nscript_ran();";
+      document.body.appendChild(scr1);
+
+      // Insert a script element that contains a surrogate character but it otherwise
+      // entirely identical to the previously inserted one, the surrogate should be
+      // be converted to U+FFFD when converting to UTF-8 so it should have the
+      // same hash as the one inserted before
+      var scr2 = document.createElement('script');
+      scr2.text ="//\uD801\nscript_ran();";
+      document.body.appendChild(scr2);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers
new file mode 100644
index 0000000000..2d1c08b9e8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=utf-8
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html
new file mode 100644
index 0000000000..b770cba246
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html
@@ -0,0 +1,36 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'
+          'sha256-c6TzhBw/snA+hlDMGOuKLWXIkb2sawA/S1wbSe6FeEM='
+          'sha256-ST0rpskqtEC0Q0hqbIAZFeE1KBMJeGZGyYaTcTkieG8='
+          'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';">
+          <!-- hashes matching the 3 script blocks below -->
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t1 = async_test("Should convert the script contents to UTF-8 before hashing - latin micro sign");
+      window.addEventListener("securitypolicyviolation", t1.unreached_func("Should not have fired a spv"));
+      var t2 = async_test("Should convert the script contents to UTF-8 before hashing - greek small letter mu");
+      window.addEventListener("securitypolicyviolation", t2.unreached_func("Should not have fired a spv"));
+      var t3 = async_test("Should convert the script contents to UTF-8 before hashing - latin capital letter g with breve");
+      window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- the hash values of these script blocks should match the same values
+         of identical script blocks in documents with other encodings -->
+    <script>
+      // µ - latin micro sign
+      t1.done();
+    </script>
+    <script>
+      // μ - greek small letter mu
+      t2.done();
+    </script>
+    <script>
+      // Ğ - latin capital letter g with breve
+      t3.done();
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers
new file mode 100644
index 0000000000..2d1c08b9e8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=utf-8
diff --git a/testing/web-platform/tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html b/testing/web-platform/tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html
new file mode 100644
index 0000000000..5a8cdec847
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'">
+    <title>injected-inline-script-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Pass 1 of 2","Pass 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+    </script>
+    <script src="support/inject-script.js"></script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/testing/web-platform/tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html
new file mode 100644
index 0000000000..45b7414890
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+    <title>injected-inline-script-blocked</title>
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+    <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","blocked-uri=inline"]'></script>
+    <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+            log("blocked-uri=" + e.blockedURI);
+        });
+    </script>
+    <script src="support/inject-script.js"></script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
new file mode 100644
index 0000000000..1f0d7ae715
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -0,0 +1,12 @@
+var t_spv = async_test("Should not fire policy violation events");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should have not fired any securitypolicyviolation event"));
+
+var inlineRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(inlineRan, 'Unsafe inline script ran.')},
+        'Inline script in a script tag should  run with an unsafe-inline directive'
+    );
+  t_spv.done();
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
new file mode 100644
index 0000000000..3c0712b449
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
@@ -0,0 +1,22 @@
+var t1 = async_test("Inline script block");
+var t2 = async_test("Inline event handler");
+
+onload = function() {t1.done(); t2.done();};
+
+var t_spv = async_test("Should fire policy violation events");
+var block_event_fired = false;
+var handler_event_fired = false;
+window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+    if (e.violatedDirective == "script-src-elem") {
+      assert_false(block_event_fired);
+      block_event_fired = true;
+    } else if (e.violatedDirective == "script-src-attr") {
+      assert_false(handler_event_fired);
+      handler_event_fired = true;
+    } else {
+      assert_unreached("Unexpected directive broken");
+    }
+    if (block_event_fired && handler_event_fired) {
+      t_spv.done();
+    }
+}));
diff --git a/testing/web-platform/tests/content-security-policy/script-src/javascript-window-open-blocked.html b/testing/web-platform/tests/content-security-policy/script-src/javascript-window-open-blocked.html
new file mode 100644
index 0000000000..ae4d8227ed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/javascript-window-open-blocked.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Window.open should not open javascript url if not allowed.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
+    <script nonce='abc' src='/resources/testharness.js'></script>
+    <script nonce='abc' src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce='abc'>
+    var t = async_test("Check that a securitypolicyviolation event is fired");
+    window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.violatedDirective, "script-src-elem");
+    }));
+
+    window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers
new file mode 100644
index 0000000000..b54c91e74e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: javascript-window-open-blocked={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/nonce-enforce-blocked.html b/testing/web-platform/tests/content-security-policy/script-src/nonce-enforce-blocked.html
new file mode 100644
index 0000000000..25343a5d4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/nonce-enforce-blocked.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+<script src="/resources/testharness.js" nonce="abc"></script>
+<script src="/resources/testharnessreport.js" nonce="abc"></script>
+<script nonce="abc">
+    var t = async_test("Unnonced scripts generate reports.");
+    var events = 0;
+    var firstLine = 38;
+    var expectations = {}
+    expectations[firstLine] = true;
+    expectations[firstLine + 3] = true;
+    expectations[firstLine + 6] = true;
+    expectations[firstLine + 9] = true;
+    expectations[firstLine + 12] = true;
+    expectations[firstLine + 15] = true;
+    expectations[firstLine + 18] = true;
+    expectations["/content-security-policy/support/nonce-should-be-blocked.js?1"] = true;
+    expectations["/content-security-policy/support/nonce-should-be-blocked.js?2"] = true;
+    expectations["/content-security-policy/support/nonce-should-be-blocked.js?3"] = true;
+    expectations["/content-security-policy/support/nonce-should-be-blocked.js?4"] = true;
+    expectations["/content-security-policy/support/nonce-should-be-blocked.js?5"] = true;
+
+    document.addEventListener('securitypolicyviolation', t.step_func(e => {
+        if (e.lineNumber) {
+            // Verify that the line is expected, then clear the expectation:
+            assert_true(expectations[e.lineNumber], "Line number: " + e.lineNumber);
+            assert_equals(e.blockedURI, "inline");
+        } else {
+            // Otherwise, verify that the URL is expected, then clear the expectation:
+            var url = new URL(e.blockedURI);
+            assert_true(expectations[url.pathname + url.search], "URL: " + e.blockedURI);
+        }
+        events++;
+        if (events == 12)
+          t.done();
+    }));
+</script>
+<script>
+    t.unreached_func("No nonce, no execution.")();
+</script>
+<script nonce="xyz">
+    t.unreached_func("Bad nonce, no execution.")();
+</script>
+<script <script nonce="abc">
+    t.unreached_func("'<script' attribute, no execution.")();
+</script>
+<script attribute<script nonce="abc">
+    t.unreached_func("'attribute<script', no execution.")();
+</script>
+<script attribute=<script nonce="abc">
+    t.unreached_func("'<script' value, no execution.")();
+</script>
+<script attribute=value<script nonce="abc">
+    t.unreached_func("'value<script', no execution.")();
+</script>
+<script attribute="" attribute=<style nonce="abc">
+    t.unreached_func("Duplicate attribute, no execution.")();
+</script>
+<script src="../support/nonce-should-be-blocked.js?1" <script nonce="abc"></script>
+<script src="../support/nonce-should-be-blocked.js?2" attribute=<script nonce="abc"></script>
+<script src="../support/nonce-should-be-blocked.js?3" <style nonce="abc"></script>
+<script src="../support/nonce-should-be-blocked.js?4" attribute=<style nonce="abc"></script>
+<script src="../support/nonce-should-be-blocked.js?5" attribute=<style nonce="abc"></script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
new file mode 100644
index 0000000000..d66253c6a1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineTests.js'></script>
+</head>
+<body>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1>
+    <div id='log'></div>
+
+    <script>
+      t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+    </script>
+
+    <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
new file mode 100644
index 0000000000..7c1c9f29b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>data: as script src should not run with a policy that doesn't specify data: as an allowed source</h1>
+    <div id='log'></div>
+
+    <script>
+        var dataScriptRan = false;
+        var t_spv = async_test("Test that securitypolicyviolation event is fired");
+
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src-elem");
+        }));
+    </script>
+
+    <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+    <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+    <script>
+        test(function () {
+            assert_false(dataScriptRan, "data script ran");
+        }, "Verify that data: as script src doesn't run with this policy");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
new file mode 100644
index 0000000000..a1e2f72cdb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' data:;">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</h1>
+    <div id='log'></div>
+
+    <script src="10_1_support_1.js"></script>
+
+    <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+    <script src="10_1_support_2.js"></script>
+</body>
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
new file mode 100644
index 0000000000..a68945cb85
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src *;">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineTests.js'></script>
+</head>
+<body>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1>
+    <div id='log'></div>
+
+    <script>
+      t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+    </script>
+
+    <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
new file mode 100644
index 0000000000..2641c867f6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src *;">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</h1>
+    <div id="log"></div>
+
+    <div id=attachHere></div>
+
+    <script id=emptyScript></script>
+
+    <div id=emptyDiv></div>
+
+    <script src="addInlineTestsWithDOMManipulation.js"></script>
+</body>
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
new file mode 100644
index 0000000000..bf7a6921b4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineSuccessTest.js'></script>
+</head>
+<body>
+    <h1>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</h1>
+    <div id='log'></div>
+
+    <script>
+      inlineRan = true;
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
new file mode 100644
index 0000000000..d4e2067f96
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+        var t_spv = async_test("Test that securitypolicyviolation event is fired");
+
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+        }));
+
+        var evalRan = false;
+
+        test(function() {assert_throws_js(EvalError, function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
+
+        test(function() {assert_false(evalRan);})
+
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
new file mode 100644
index 0000000000..0eed7a979a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+        var t1 = async_test("window.setTimeout()");
+        var t2 = async_test("window.setInterval()");
+        var t_spv = async_test("Test that securitypolicyviolation event is fired");
+        var test_count = 2;
+
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+            if (--test_count <= 0) {
+                t_spv.done();
+            }
+        }));
+
+
+        onload = function() {t1.done(); t2.done()}
+
+        window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
+        window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
new file mode 100644
index 0000000000..217125df58
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+   	    var t_spv = async_test("Test that securitypolicyviolation event is fired");
+
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src");
+        }));
+
+
+        test(function() {
+            assert_throws_js(
+                EvalError,
+                function() {
+                    var funq = new Function('');
+                    funq();
+        })}, "Unsafe eval ran in Function() constructor.");
+
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
new file mode 100644
index 0000000000..70b3145727
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Multiple policies with different hashing algorithms still work.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t = async_test("Test that script executes if allowed by proper hash values");
+    document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
+    var executed = false;
+  </script>
+
+  <!-- test will fail if this script is not allowed to run -->
+  <script>executed = true;</script>
+
+  <script nonce="abc">
+    t.step(function() {
+      assert_true(executed);
+      t.done();
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
new file mode 100644
index 0000000000..89f99e621f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc';
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
new file mode 100644
index 0000000000..da9e60f874
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Multiple policies some using hashes some not using hashes still work.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t = async_test("Test that script executes if allowed by proper hash values");
+    document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
+    var executed = false;
+  </script>
+
+  <!-- test will fail if this script is not allowed to run -->
+  <script>executed = true;</script>
+
+  <script nonce="abc">
+    t.step(function() {
+      assert_true(executed);
+      t.done();
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
new file mode 100644
index 0000000000..83fe7f7005
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'self' 'unsafe-inline';
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html
new file mode 100644
index 0000000000..5a0dfe50e1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';">
+    <title>script-src-overrides-default-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+       });
+    </script>
+</head>
+
+<body onload="log(&apos;PASS 2 of 2&apos;)">
+    <script>
+        log('PASS 1 of 2');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
new file mode 100644
index 0000000000..3c4e39e825
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t_spv = async_test("Should fire securitypolicyviolation event");
+    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "script-src-elem");
+      assert_equals(e.disposition, "report");
+    }));
+    var externalRan = false;
+  </script>
+  <script src='./externalScript.js'
+          integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+  <script nonce="abc">
+    test(function() {
+      assert_true(externalRan, 'External script ran.');
+    }, 'External script in a script tag with matching SRI hash should run.');
+  </script></body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
new file mode 100644
index 0000000000..7f03464d4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
+Content-Security-Policy-Report-Only: script-src 'nonce-abc';
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
new file mode 100644
index 0000000000..850f4b2c2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t = async_test("Test that script executes if allowed by proper hash values");
+    var t_spv = async_test("Test that the securitypolicyviolation event is fired");
+    document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "script-src-elem");
+      assert_equals(e.disposition, "report");
+      assert_equals(e.blockedURI, "inline");
+    }));
+    var executed = false;
+  </script>
+
+  <!-- test will fail if this script is not allowed to run -->
+  <script>executed = true;</script>
+
+  <script nonce="abc">
+    t.step(function() {
+      assert_true(executed);
+      t.done();
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
new file mode 100644
index 0000000000..1237c247a6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
+Content-Security-Policy-Report-Only: script-src 'nonce-abc';
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html
new file mode 100644
index 0000000000..b59206824d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html
@@ -0,0 +1,104 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>External scripts with matching SRI hash should be allowed.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
+</head>
+
+<body>
+    <h1>External scripts with matching SRI hash should be allowed.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var port = "{{ports[http][0]}}";
+        if (location.protocol === "https:")
+          port = "{{ports[https][0]}}";
+        var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;
+
+        // Test name, src, integrity, expected to run.
+        var test_cases = [
+          [ 'matching integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
+            true ],
+          [ 'multiple matching integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=',
+            true ],
+          [ 'no integrity',
+            './simpleSourcedScript.js',
+            '',
+            false ],
+          [ 'matching plus unsupported integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
+            true ],
+          [ 'mismatched integrity',
+            './simpleSourcedScript.js',
+            'sha256-xyz',
+            false ],
+          [ 'multiple mismatched integrity',
+            './simpleSourcedScript.js',
+            'sha256-xyz sha256-zyx',
+            false ],
+          [ 'partially matching integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
+            false ],
+          [ 'crossorigin no integrity but allowed host',
+            crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
+            '',
+            true ],
+          [ 'crossorigin mismatched integrity but allowed host',
+            crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
+            'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
+            true ],
+        ];
+
+        test(_ => {
+          for (item of test_cases) {
+            async_test(t => {
+              var s = document.createElement('script');
+              s.id = item[0].replace(' ', '-');
+              s.src = item[1];
+              s.integrity = item[2];
+              s.setAttribute('crossorigin', 'anonymous');
+
+              if (item[3]) {
+                s.onerror = t.unreached_func("Script should load! " + s.src);
+                window.addEventListener('message', t.step_func(e => {
+                  if (e.data == s.id)
+                    t.done();
+                }));
+              } else {
+                s.onerror = t.step_func_done();
+                window.addEventListener('message', t.step_func(e => {
+                  if (e.data == s.id)
+                    assert_unreached("Script should not execute!");
+                }));
+              }
+
+              document.body.appendChild(s);
+            }, item[0]);
+          }
+        }, "Load all the tests.");
+    </script>
+
+    <script nonce='dummy'>
+        var externalRan = false;
+    </script>
+    <script src='./externalScript.js'
+        integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+    <script nonce='dummy'>
+        test(function() {
+            assert_true(externalRan, 'External script ran.');
+        }, 'External script in a script tag with matching SRI hash should run.');
+    </script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers
new file mode 100644
index 0000000000..25cd6541ac
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA='
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html
new file mode 100644
index 0000000000..96ef2496b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' -->
+</head>
+
+<body>
+    <h1>Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var evalScriptRan = false;
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.'));
+            try {
+                eval("evalScriptRan = true;");
+            } catch (e) {
+                assert_unreached("`eval` should be allowed with `strict-dynamic` with `unsafe-eval`.");
+            }
+            assert_true(evalScriptRan);
+            t.done();
+        }, "Script injected via `eval` is allowed with `strict-dynamic` with `unsafe-eval`.");
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers
new file mode 100644
index 0000000000..dc5f30a03a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html
new file mode 100644
index 0000000000..3041db056f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' -->
+</head>
+
+<body>
+    <h1>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var newFunctionScriptRan = false;
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.'));
+            try {
+                new Function('newFunctionScriptRan = true;')();
+            } catch (e) {
+                assert_unreached("`new Function()` should be allowed with `strict-dynamic` with `unsafe-eval`.");
+            }
+            assert_true(newFunctionScriptRan);
+            t.done();
+        }, "Script injected via `new Function()` is allowed with `strict-dynamic` with `unsafe-eval`.");
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers
new file mode 100644
index 0000000000..dc5f30a03a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
new file mode 100644
index 0000000000..4edef30109
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Source expressions are discarded with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'self' 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Source expressions are discarded with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'allowedScript') {
+                    assert_unreached('Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+                assert_equals(e.effectiveDirective, 'script-src-elem');
+            }));
+        }, 'Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.');
+    </script>
+    <script id='allowedScript' src='simpleSourcedScript.js'></script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers
new file mode 100644
index 0000000000..8499eb0559
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'self' 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
new file mode 100644
index 0000000000..91d12ed7bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
@@ -0,0 +1,68 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served:
+    1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
+    2) Content-Security-Policy: script-src 'nonce-dummy' 'nonce-dummy2'
+    -->
+</head>
+
+<body>
+    <h1>A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'unNonced-appendChild') {
+                    assert_unreached('Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.');
+                }
+            }));
+
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'unNonced-appendChild') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            var e = document.createElement('script');
+            e.id = 'unNonced-appendChild';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onload = t.unreached_func('OnLoad should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'nonced-appendChild') {
+                    t.done();
+                }
+            }));
+
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'nonced-appendChild') {
+                    return;
+                }
+                assert_unreached('No CSP violation report has fired.');
+            }));
+
+            var e = document.createElement('script');
+            e.setAttribute('nonce', 'dummy2');
+            e.id = 'nonced-appendChild';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` with a correct nonce is allowed with `strict-dynamic` + a nonce-only double policy.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers
new file mode 100644
index 0000000000..63d96aaf1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
+Content-Security-Policy: script-src 'nonce-dummy' 'nonce-dummy2'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html
new file mode 100644
index 0000000000..39126de58f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served:
+    1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
+    2) Content-Security-Policy: script-src 'self' 'nonce-dummy'
+    -->
+</head>
+
+<body>
+    <h1>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'allowed-appendChild') {
+                    t.done();
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'allowed-appendChild') {
+                    return;
+                }
+                assert_unreached('Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.');
+            }));
+
+            var e = document.createElement('script');
+            e.id = 'allowed-appendChild';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'nonAllowed-appendChild') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
+                t.done();
+            }));
+
+            var e = document.createElement('script');
+            e.id = 'nonAllowed-appendChild';
+            e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
+            e.onload = t.unreached_func('OnLoad should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.headers
new file mode 100644
index 0000000000..5b4078efd3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
+Content-Security-Policy: script-src 'self' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
new file mode 100644
index 0000000000..1ceb74c63d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served:
+    1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
+    2) Content-Security-Policy-Report-Only: script-src 'none'
+    -->
+</head>
+
+<body>
+    <h1>A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'appendChild-reportOnly') {
+                    t.done();
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'appendChild-reportOnly') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                // Check that the violation comes from the Report-Only policy.
+                assert_equals(violation.originalPolicy, "script-src 'none'");
+                t.done();
+            }));
+            var e = document.createElement('script');
+            e.id = 'appendChild-reportOnly';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src \'none\'` policy.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers
new file mode 100644
index 0000000000..7883f80ef6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
+Content-Security-Policy-Report-Only: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html
new file mode 100644
index 0000000000..3a6056f566
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var evalScriptRan = false;
+
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+                assert_false(evalScriptRan);
+                assert_equals(e.effectiveDirective, 'script-src');
+                assert_equals(e.blockedURI, 'eval');
+            }));
+
+            assert_throws_js(Error,
+                function() {
+                    try {
+                        eval("evalScriptRan = true;");
+                    } catch (e) {
+                        throw new Error();
+                    }
+                });
+        }, "Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.");
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
new file mode 100644
index 0000000000..e4ce1e5944
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>`strict-dynamic` allows scripts matching hashes present in the policy.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->
+</head>
+
+<body>
+    <h1>`strict-dynamic` allows scripts matching hashes present in the policy.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var hashScriptRan = false;
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('CSP violation reports should not fire.');
+        });
+    </script>
+
+    <!-- Hash: 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->
+    <script>
+        hashScriptRan = true;
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            assert_true(hashScriptRan);
+            t.done();
+        }, "Script matching SHA256 hash is allowed with `strict-dynamic`.");
+    </script>
+
+    <!-- Hash: 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' -->
+    <script>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'hashScript') {
+                    t.done();
+                }
+            }));
+            var e = document.createElement('script');
+            e.id = 'hashScript';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
new file mode 100644
index 0000000000..0d824d8b0e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA='
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html
new file mode 100644
index 0000000000..29a2a59573
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>`strict-dynamic` does not drop allowed source expressions in `img-src`.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: img-src 'strict-dynamic' 'self' -->
+</head>
+
+<body>
+    <h1>`strict-dynamic` does not drop allowed source expressions in `img-src`.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report has fired.');
+        });
+
+        async_test(function(t) {
+            var e = document.createElement('img');
+            e.id = 'allowedImage';
+            e.src = '/content-security-policy/support/pass.png';
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            e.onload = t.step_func_done();
+            document.body.appendChild(e);
+        }, '`strict-dynamic` does not drop allowed source expressions in `img-src`.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers
new file mode 100644
index 0000000000..75a41c9e25
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: img-src 'strict-dynamic' 'self'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html
new file mode 100644
index 0000000000..f7625afdaf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.</h1>
+    <div id='log'></div>
+    <a id='javascriptUri' href='javascript:javascriptUriScriptRan = true;'></a>
+
+    <script nonce='dummy'>
+        var javascriptUriScriptRan = false;
+
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+                assert_false(javascriptUriScriptRan);
+                assert_equals(e.effectiveDirective, 'script-src-elem');
+            }));
+
+            document.getElementById('javascriptUri').click();
+            assert_false(javascriptUriScriptRan);
+        }, "Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.");
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html
new file mode 100644
index 0000000000..fa38b65a23
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html
@@ -0,0 +1,76 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>A `strict-dynamic` policy can be served in a META tag.</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-dummy'">
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>A `strict-dynamic` policy can be served in a META tag.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report has fired.');
+        });
+
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'appendChild') {
+                    t.done();
+                }
+            }));
+            var e = document.createElement('script');
+            e.id = 'appendChild';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'appendChild-incorrectNonce') {
+                    t.done();
+                }
+            }));
+            var e = document.createElement('script');
+            e.id = 'appendChild-incorrectNonce';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.setAttribute('nonce', 'wrong');
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.appendChildViaTextContent = t.step_func_done();
+            var e = document.createElement('script');
+            e.id = 'appendChild-textContent';
+            e.textContent = "appendChildViaTextContent();";
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.appendChildViaTextContentIncorrectNonce = t.step_func_done();
+            var e = document.createElement('script');
+            e.id = 'appendChild-textContent-incorrectNonce';
+            e.setAttribute('nonce', 'wrong');
+            e.textContent = "appendChildViaTextContentIncorrectNonce();";
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers
new file mode 100644
index 0000000000..519dcaacb1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html
new file mode 100644
index 0000000000..263d5d1d87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var newFunctionScriptRan = false;
+
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+                assert_false(newFunctionScriptRan);
+                assert_equals(e.effectiveDirective, 'script-src');
+            }));
+
+            assert_throws_js(Error,
+                function() {
+                    try {
+                        new Function('newFunctionScriptRan = true;')();
+                    } catch (e) {
+                        throw new Error();
+                    }
+                });
+        }, "Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.");
+    </script>
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html
new file mode 100644
index 0000000000..63b7a61247
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html
@@ -0,0 +1,76 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report has fired.');
+        });
+
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'appendChild') {
+                    t.done();
+                }
+            }));
+            var e = document.createElement('script');
+            e.id = 'appendChild';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'appendChild-incorrectNonce') {
+                    t.done();
+                }
+            }));
+            var e = document.createElement('script');
+            e.id = 'appendChild-incorrectNonce';
+            e.src = 'simpleSourcedScript.js?' + e.id;
+            e.setAttribute('nonce', 'wrong');
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.appendChildViaTextContent = t.step_func_done();
+            var e = document.createElement('script');
+            e.id = 'appendChild-textContent';
+            e.textContent = "appendChildViaTextContent();";
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.appendChildViaTextContentIncorrectNonce = t.step_func_done();
+            var e = document.createElement('script');
+            e.id = 'appendChild-textContent-incorrectNonce';
+            e.setAttribute('nonce', 'wrong');
+            e.textContent = "appendChildViaTextContentIncorrectNonce();";
+            e.onerror = t.unreached_func('Error should not be triggered.');
+            document.body.appendChild(e);
+        }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
+    </script>
+
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html
new file mode 100644
index 0000000000..ac180d23f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+                assert_equals(e.effectiveDirective, 'script-src-elem');
+            }));
+        }, 'All the expected CSP violation reports have been fired.');
+    </script>
+
+    <script nonce='wrong'>
+        assert_unreached('Inline script with an incorrect nonce should not be executed.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html
new file mode 100644
index 0000000000..c5e33dc425
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html
@@ -0,0 +1,205 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite') {
+                    assert_unreached('Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWrite') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.write('<scr' + 'ipt id="documentWrite" src="simpleSourcedScript.js?documentWrite"></scr' + 'ipt>');
+        }, 'Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln') {
+                    assert_unreached('Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWriteln') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.writeln('<scr' + 'ipt id="documentWriteln" src="simpleSourcedScript.js?documentWriteln"></scr' + 'ipt>');
+        }, 'Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite-deferred') {
+                    assert_unreached('Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.write('<scr' + 'ipt defer id="documentWrite-deferred" src="simpleSourcedScript.js?documentWrite-deferred"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln-deferred') {
+                    assert_unreached('Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.writeln('<scr' + 'ipt defer id="documentWriteln-deferred" src="simpleSourcedScript.js?documentWriteln-deferred"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite-async') {
+                    assert_unreached('Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWrite-async') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.write('<scr' + 'ipt async id="documentWrite-async" src="simpleSourcedScript.js?documentWrite-async"></scr' + 'ipt>');
+        }, 'Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln-async') {
+                    assert_unreached('Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWriteln-async') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.writeln('<scr' + 'ipt async id="documentWriteln-async" src="simpleSourcedScript.js?documentWriteln-async"></scr' + 'ipt>');
+        }, 'Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite-deferred-async') {
+                    assert_unreached('Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred-async') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.write('<scr' + 'ipt defer async id="documentWrite-deferred-async" src="simpleSourcedScript.js?documentWrite-deferred-async"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln-deferred-async') {
+                    assert_unreached('Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+                }
+            }));
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred-async') {
+                    return;
+                }
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
+                t.done();
+            }));
+
+            document.writeln('<scr' + 'ipt defer async id="documentWriteln-deferred-async " src="simpleSourcedScript.js?documentWriteln-deferred-async "></scr' + 'ipt>');
+        }, 'Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        var innerHTMLScriptRan = false;
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.target.id !== 'innerHTML') {
+                    return;
+                }
+                assert_false(innerHTMLScriptRan);
+                assert_equals(violation.effectiveDirective, 'script-src-attr');
+                t.done();
+            }));
+
+            var e = document.createElement('div');
+            e.innerHTML = "<img id='innerHTML' src='/nonexisting.jpg' onerror='innerHTMLScriptRan = true;' style='display:none'>";
+            document.body.appendChild(e);
+        }, 'Script injected via `innerHTML` is not allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        var insertAdjacentHTMLScriptRan = false;
+        async_test(function(t) {
+            window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
+                if (violation.target.id !== 'insertAdjacentHTML') {
+                    return;
+                }
+                assert_false(insertAdjacentHTMLScriptRan);
+                assert_equals(violation.effectiveDirective, 'script-src-attr');
+                t.done();
+            }));
+
+            var e = document.createElement('div');
+            e.insertAdjacentHTML('afterbegin', "<img id='insertAdjacentHTML' src='/nonexisting.jpg' onerror='insertAdjacentHTMLScriptRan = true;' style='display:none'>");
+            document.body.appendChild(e);
+        }, 'Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.');
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html
new file mode 100644
index 0000000000..9368089781
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html
@@ -0,0 +1,110 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+    <h1>Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report has fired.');
+        });
+
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite') {
+                    t.done();
+                }
+            }));
+            document.write('<scr' + 'ipt nonce="dummy" id="documentWrite" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln') {
+                    t.done();
+                }
+            }));
+            document.writeln('<scr' + 'ipt nonce="dummy" id="documentWriteln" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite-defer') {
+                    t.done();
+                }
+            }));
+            document.write('<scr' + 'ipt defer nonce="dummy" id="documentWrite-defer" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln-defer') {
+                    t.done();
+                }
+            }));
+            document.writeln('<scr' + 'ipt defer nonce="dummy" id="documentWriteln-defer" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite-async') {
+                    t.done();
+                }
+            }));
+            document.write('<scr' + 'ipt async nonce="dummy" id="documentWrite-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted async script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln-async') {
+                    t.done();
+                }
+            }));
+            document.writeln('<scr' + 'ipt async nonce="dummy" id="documentWriteln-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted async script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWrite-defer-async') {
+                    t.done();
+                }
+            }));
+            document.write('<scr' + 'ipt defer async nonce="dummy" id="documentWrite-defer-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred async script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+    <script nonce='dummy'>
+        async_test(function(t) {
+            window.addEventListener('message', t.step_func(function(e) {
+                if (e.data === 'documentWriteln-defer-async') {
+                    t.done();
+                }
+            }));
+            document.writeln('<scr' + 'ipt defer async nonce="dummy" id="documentWriteln-defer-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
+        }, 'Parser-inserted deferred async script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
+    </script>
+
+</body>
+
+</html>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers
new file mode 100644
index 0000000000..b7918c9332
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html
new file mode 100644
index 0000000000..681e19547a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<script src='/resources/testharness.js'></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src='../support/testharness-helper.js'></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc' 'strict-dynamic'">
+
+<script nonce="abc">
+  async_test(t => {
+    assert_no_csp_event_for_url(t, "../support/import-scripts.js");
+    var w = new Worker("../support/import-scripts.js");
+    assert_no_event(t, w, "error");
+    waitUntilEvent(w, "message")
+      .then(t.step_func_done(e => {
+        assert_true(e.data.executed);
+      }));
+  }, "`importScripts(...)` is allowed by 'strict-dynamic'");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html
new file mode 100644
index 0000000000..213eb6276d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<script src='/resources/testharness.js'></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src='../support/testharness-helper.js'></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc' 'strict-dynamic'">
+
+<script nonce="abc">
+  assert_worker_is_loaded(
+    "../support/ping.js",
+    "Dedicated worker is allowed via 'strict-dynamic'");
+
+  assert_shared_worker_is_loaded(
+    "../support/ping.js",
+    "Shared worker is allowed via 'strict-dynamic'");
+
+  assert_service_worker_is_loaded(
+    "../support/ping.js",
+    "Service worker is allowed via 'strict-dynamic'");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-wildcards-disallowed.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
new file mode 100644
index 0000000000..7bf3d89b67
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';">
+    <title>script-src disallowed wildcard use</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    </head>
+    <body>
+    <script nonce="nonce">
+        var t1 = async_test('data: URIs should not match *');
+        t1.step(function() {
+            var script = document.createElement("script");
+            script.src = 'data:application/javascript,';
+            script.addEventListener('load', t1.step_func(function() {
+                assert_unreached('Should not successfully load data URI.');
+            }));
+            script.addEventListener('error', t1.step_func(function() {
+                t1.done();
+            }));
+            document.head.appendChild(script);
+        });
+
+        var t2 = async_test('blob: URIs should not match *');
+        t2.step(function() {
+            var b = new Blob([''], { type: 'application/javascript' });
+            var script = document.createElement('script');
+            script.addEventListener('load', t2.step_func(function() {
+                assert_unreached('Should not successfully load blob URI.');
+            }));
+            script.addEventListener('error', t2.step_func(function() {
+                t2.done();
+            }));
+
+            script.src = URL.createObjectURL(b);
+            document.head.appendChild(script);
+        });
+
+        var t3 = async_test('filesystem URIs should not match *');
+        if (window.webkitRequestFileSystem) {
+            window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+                fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+                    fileEntry.createWriter(function(fileWriter) {
+                        var script = document.createElement('script');
+
+                        script.addEventListener('load', t3.step_func(function() {
+                            assert_unreached('Should not successfully load filesystem URI.');
+                        }));
+                        script.addEventListener('error', t3.step_func(function() {
+                            t3.done();
+                        }));
+
+                        script.src = fileEntry.toURL('application/javascript');
+                        document.body.appendChild(script);
+                    });
+                });
+            });
+        } else {
+          t3.done();
+        }
+    </script>
+    </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-allowed.sub.html
new file mode 100644
index 0000000000..8b3b45f77b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';">
+    <title>scripthash-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+
+    <script>
+        alert_assert('PASS (1/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (3/4)');
+
+    </script>
+    <script>
+        alert_assert('PASS (4/4)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-base64url-converts-to-base64.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-base64url-converts-to-base64.sub.html
new file mode 100644
index 0000000000..82bf3b8622
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-base64url-converts-to-base64.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy"
+    content="script-src 'self'
+    'sha256-fRoLYKuwZQJxt6FZolBE1MyQUsKFOnlf-uj65N-txt0='
+    'sha384-vw3Q67p46tF_mKt4v6VDRTLv5Nre_boyQqppYghZpZmuy7po_KT4WSj2PF6VpNiS'
+    'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
+    ">
+    <title>Test whether hash-src are normalized from base64url to base64.</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F2)%22%2C%22PASS%20(2%2F2)%22%5D"></script>
+    <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+
+    <script>
+        alert_assert('PASS (1/2)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests whether hash-src are normalized from base64url
+        to base64. It passes if no CSP violation is generated, and
+        the alert_assert() calls are executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html
new file mode 100644
index 0000000000..62b869335f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP script-hash block causes error event</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-deadbeef'"></meta>
+</head>
+<body>
+    <script src="support/inline-script-should-be-blocked.js"></script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
new file mode 100644
index 0000000000..6bdc9f992d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-3iveTSiUbmzN7COYvdDwyaXXzJ3SrjKlTaOvQ/GdRpo=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self';">
+    <title>scripthash-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+        var expected_alerts = ["PASS (1/1)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <script>
+        alert_assert('PASS (1/1)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (2/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (3/4)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (4/4)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-case-insensitive.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-case-insensitive.sub.html
new file mode 100644
index 0000000000..5b8f1bb823
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-case-insensitive.sub.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy"
+    content="script-src 'self'
+    'SHA256-VCOfB9NQbtW8/s+T7yizqn0dz0Ipt5krwH9BPUaXJTA='
+    'SHA384-efOmACJwOYjUewZJTpktK4Kxl9spgncVwxok9DaIBIMN2zBzwxDni19L5uHkIX3E'
+    'SHA512-t9CmeiAGRym+Wsi8F+5TV1QEjcbFppf7ONB9HUTOs5pMLUy3BQCmASwXD/VKl0B5QytTTJawA2IhVvoebs7Gyg=='
+    'sHa256-BPe1cNQpEQoucXTYM91Ku9xnHT/BZXMOeOFeMZTPWis='
+    'shA384-qNmIi2ya4g29IbFyUBBPFJ5BdkW43bygT/MrFSoe7o/ALn+a3iJDkssigmMHQ4J0'
+    'Sha512-GuQbQFeVHDBySntDnOpbrNCe4xwjLhnnaVRAGz5JAnYK9pj0vOEAkmKgzNJApgufV3r37DE7Derx5DGUmqkukg=='
+    'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
+    ">
+    <title>Test whether hash-algorithm parts are matched case-insensitively</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F6)%22%2C%22PASS%20(2%2F6)%22%2C%22PASS%20(3%2F6)%22%2C%22PASS%20(4%2F6)%22%2C%22PASS%20(5%2F6)%22%2C%22PASS%20(6%2F6)%22%5D"></script>
+    <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+
+    <script>
+        alert_assert('PASS (1/6)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/6)');
+
+    </script>
+    <script>
+        alert_assert('PASS (3/6)');
+
+    </script>
+    <script>
+        alert_assert('PASS (4/6)');
+
+    </script>
+    <script>
+        alert_assert('PASS (5/6)');
+
+    </script>
+    <script>
+        alert_assert('PASS (6/6)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests whether hash-algorithm parts are matched
+        case-insensitively. It passes if no CSP violation is generated, and
+        the alert_assert() calls are executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-1.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-1.html
new file mode 100644
index 0000000000..9da41dd1ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-1.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (hash)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!--
+      'log1 += 'scr1 at #prepare-a-script';' => 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s=' (allowed)
+      'log1 += 'scr1 at #execute-the-script-block';' => 'sha256-Vtap5AhPN9kbQAbWqObJexCvNDexqoIwo4XsABQBqcg=' (blocked)
+    -->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s='"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when innerText is modified after #prepare-a-script, the text BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log1 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=1&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scripthash-before-execute.js?dummy=1&pipe=trickle(d1)" async></script>
+<script id="scr1">log1 += 'scr1 at #prepare-a-script';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log1, 'scr1 at #prepare-a-script');
+}, 'scr1.innerText before modification should not be blocked');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html
new file mode 100644
index 0000000000..927d60a8d7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (hash)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!--
+      'log2 += 'scr2 at #prepare-a-script';' => 'sha256-9vE5NuHfEDoLvk3nPZPDX2/mnG+ZwKhpPuwQZwCDGc4=' (blocked)
+      'log2 += 'scr2 at #execute-the-script-block';' => 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw=' (allowed)
+    -->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw='"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when innerText is modified after #prepare-a-script, the text BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log2 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=2&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scripthash-before-execute.js?dummy=2&pipe=trickle(d1)" async></script>
+<script id="scr2">log2 += 'scr2 at #prepare-a-script';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log2, '');
+}, 'scr2.innerText before modification should be blocked');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-default-src.sub.html
new file mode 100644
index 0000000000..2bccf85dcd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-default-src.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'nonce-abc' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self';">
+    <title>script-hash allowed from default-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce='abc'>
+        setup({ single_test: true });
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached("Should not have fired event");
+        });
+    </script>
+
+    <script>done();</script>
+    </head>
+
+    <body>
+    <div id="log"></div>
+    </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 0000000000..5d3dd8b38e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'sha256-3iveTSiUbmzN7COYvdDwyaXXzJ3SrjKlTaOvQ/GdRpo=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4=' 'sha256-lxHfHAe5I15v8qaArcZ5WiKmLU4CjV+3tJeQUqSIWBk='; connect-src 'self';">
+
+    <title>scripthash-ignore-unsafeinline</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>window.addEventListener('securitypolicyviolation', function(e) { alert_assert("Fail"); })</script>
+    <script>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+        var expected_alerts = ["PASS (1/1)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <script>
+        alert_assert('PASS (1/1)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/1)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests that a valid hash value disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
new file mode 100644
index 0000000000..b082b55e21
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';">
+    <title>scripthash-unicode-normalization</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+    <!-- The following two scripts contain two separate code points (U+00C5
+        and U+212B, respectively) which, depending on your text editor, might be
+        rendered the same.However, their difference is important because, under
+        NFC normalization, they would become the same code point, which would be
+        against the spec. This test, therefore, validates that the scripts have
+        *different* hash values. -->
+    <script nonce="nonceynonce">
+      var t_spv = async_test("Should fire securitypolicyviolation");
+      window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var matchingContent = 'Å';
+      var nonMatchingContent = 'Å';
+
+      // This script should have a hash value of
+      // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+      var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+      // This script should have a hash value of
+      // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+      var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+      var script1 = document.createElement('script');
+      var script2 = document.createElement('script');
+
+      script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+      var failure = function() {
+        assert_unreached();
+      }
+
+      window.finish = function(content) {
+        if (content == matchingContent) {
+          script1.test.step(function() {
+            script1.test.done();
+          });
+        } else {
+          script1.test.step(function() {
+            assert_unreached("nonMatchingContent script ran");
+          });
+        }
+      }
+
+      script1.onerror = failure;
+
+      document.body.appendChild(script2);
+      script2.textContent = scriptContent2;
+      document.body.appendChild(script1);
+      script1.textContent = scriptContent1;
+    </script>
+
+    <p>
+        This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
new file mode 100644
index 0000000000..2cd7d646dd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';">
+    <title>scriptnonce-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="noncynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+    </script>
+    <script nonce="noncynonce">
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+        alert_assert('PASS (1/2)');
+
+    </script>
+    <script nonce="noncy+/nonce=">
+        alert_assert('PASS (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 0000000000..232ca052e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';">
+    <title>scriptnonce-and-scripthash</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="nonceynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+    </script>
+    <script nonce="nonceynonce">
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+
+        var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+        var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src-elem", "violated-directive=script-src-elem"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+    <script nonce="nonceynonce">
+        alert_assert('PASS (1/3)');
+
+    </script>
+    <script>
+        alert_assert('PASS (2/3)');
+
+    </script>
+    <script nonce="nonceynonce">
+        alert_assert('PASS (3/3)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/2)');
+
+    </script>
+    <script nonce="notanonce">
+        alert_assert('FAIL (2/2)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 0000000000..2001afcd9c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+    <title>scriptnonce-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]'></script>
+    <script nonce="noncynonce">
+        alert_assert('PASS (closely-quoted nonce)');
+
+    </script>
+    <script nonce="   noncynonce    ">
+        alert_assert('PASS (nonce w/whitespace)');
+
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+    </script>
+    <script nonce="noncynonce noncynonce">
+        alert_assert('FAIL (1/3)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (2/3)');
+
+    </script>
+    <script nonce="noncynonceno?">
+        alert_assert('FAIL (3/3)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-changed-1.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-changed-1.html
new file mode 100644
index 0000000000..75f92f354a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-changed-1.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (nonce)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-deadbeef'"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when nonce is modified after #prepare-a-script, the nonce BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log1 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=3&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scriptnonce-before-execute.js?dummy=3&pipe=trickle(d1)" async></script>
+<script id="scr1" nonce="abc">log1 += 'scr1 executed';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log1, 'scr1 executed');
+}, 'scr1 nonce before modification should not be blocked');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-changed-2.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-changed-2.html
new file mode 100644
index 0000000000..f2321dd656
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-changed-2.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (nonce)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-deadbeef'"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when nonce is modified after #prepare-a-script, the nonce BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log2 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=4&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scriptnonce-before-execute.js?dummy=4&pipe=trickle(d1)" async></script>
+<script id="scr2" nonce="wrong">log2 += 'scr2 executed';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log2, '');
+}, 'scr2 nonce before modification should be blocked');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 0000000000..6d752b3b7e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';">
+    <title>scriptnonce-ignore-unsafeinline</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce='noncynonce'>
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+    </script>
+    <script nonce='noncynonce'>
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src-elem"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';
+-->
+    <script nonce="noncynonce">
+
+
+    </script>
+    <script nonce="noncynonce">
+        alert_assert('PASS (1/2)');
+    </script>
+    <script nonce="noncy+/nonce=">
+        alert_assert('PASS (2/2)');
+
+    </script>
+    <script>
+        alert_assert('FAIL (1/1)');
+
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-redirect.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
new file mode 100644
index 0000000000..e659e570ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';">
+    <title>scriptnonce-redirect</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script nonce="noncynonce">
+        function log(msg) {
+            test(function() {
+                assert_unreached(msg)
+            });
+        }
+
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+    </script>
+    <script nonce="noncynonce">
+        var t_alert = async_test('Expecting alerts: ["PASS"]');
+        var expected_alerts = ["PASS"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+    This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+    <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+    <script nonce="noncynonce">
+
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-specified-source.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-specified-source.sub.html
new file mode 100644
index 0000000000..154ab68de6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-specified-source.sub.html
@@ -0,0 +1,43 @@
+<!doctype html>
+<script nonce="specified" src="/resources/testharness.js"></script>
+<script nonce="specified" src="/resources/testharnessreport.js"></script>
+
+<div id=log></div>
+<script nonce="specified">
+  [
+    {
+      name: 'CSP with both source and nonce should allow matching source',
+      src: "http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js",
+      nonce: "notspecified"
+    },
+    {
+      name: 'CSP with both source and nonce should allow both matching nonce and source',
+      src: "http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js",
+      nonce: "specified"
+    }
+  ].forEach(elt => {
+    async_test((test) => {
+      const s = document.createElement('script');
+      s.src = elt.src;
+      s.nonce = elt.nonce;
+      s.onload = () => test.done();
+      s.onerror = test.unreached_func('Script should load correctly');
+      document.body.appendChild(s);
+    }, elt.name);
+  });
+
+  const t = async_test('No CSP violation should fire and all scripts should load');
+  let count = 0;
+  const expected = 2;
+  function alert_assert(msg) {
+    if (msg === "PASS") {
+      count++;
+      if (count == expected) {
+        t.done();
+      }
+    }
+  }
+
+  window.addEventListener('securitypolicyviolation',
+    t.unreached_func('No CSP violation should fire'));
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-specified-source.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-specified-source.sub.html.sub.headers
new file mode 100644
index 0000000000..d23494ca83
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scriptnonce-specified-source.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src {{host}}:{{ports[http][0]}} 'nonce-specified'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/simpleSourcedScript.js b/testing/web-platform/tests/content-security-policy/script-src/simpleSourcedScript.js
new file mode 100644
index 0000000000..deca86508f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/simpleSourcedScript.js
@@ -0,0 +1 @@
+window.postMessage(document.currentScript.id, "*");
diff --git a/testing/web-platform/tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html b/testing/web-platform/tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 0000000000..2cae85ec30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+    <title>srcdoc-doesnt-bypass-script-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
+</head>
+
+<body>
+
+    <script nonce='abc'>
+        window.onmessage = function(e) {
+          log(e.data);
+        }
+
+        var i = document.createElement('iframe');
+        i.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        i.srcdoc = "<sc" + "ript nonce='abc'>" +
+                     "window.addEventListener('securitypolicyviolation', function(e) {" +
+                       "window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
+                   "</scr" + "ipt>" +
+                   "<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
+        document.body.appendChild(i);
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/change-scripthash-before-execute.js b/testing/web-platform/tests/content-security-policy/script-src/support/change-scripthash-before-execute.js
new file mode 100644
index 0000000000..a04e8575b2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/change-scripthash-before-execute.js
@@ -0,0 +1,10 @@
+// This script is executed after |scr1| and |scr2| are inserted into DOM
+// before their execution (if not blocked by CSP).
+if (document.getElementById("scr1")) {
+  document.getElementById("scr1").innerText =
+    "log1 += 'scr1 at #execute-the-script-block';";
+}
+if (document.getElementById("scr2")) {
+  document.getElementById("scr2").innerText =
+    "log2 += 'scr2 at #execute-the-script-block';";
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js b/testing/web-platform/tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js
new file mode 100644
index 0000000000..2676b34728
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js
@@ -0,0 +1,8 @@
+// This script is executed after |scr1| and |scr2| are inserted into DOM
+// before their execution (if not blocked by CSP).
+if (document.getElementById('scr1')) {
+  document.getElementById('scr1').setAttribute('nonce', 'wrong');
+}
+if (document.getElementById('scr2')) {
+  document.getElementById('scr2').setAttribute('nonce', 'abc');
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/empty.css b/testing/web-platform/tests/content-security-policy/script-src/support/empty.css
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/empty.css
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/inject-script.js b/testing/web-platform/tests/content-security-policy/script-src/support/inject-script.js
new file mode 100644
index 0000000000..c04033c46f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>log('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "log('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js b/testing/web-platform/tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js
new file mode 100644
index 0000000000..f32d25074b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js
@@ -0,0 +1,14 @@
+var t;
+async_test(t => {
+  self.t = t;
+  const s = document.createElement('script');
+  s.onerror = t.step_func(function() {
+    assert_unreached('Script error event should not be fired.');
+  });
+  s.onload = t.step_func(function() {
+    assert_unreached('Script load event should not be fired.');
+  });
+  s.innerText = 'self.t.assert_unreached("Script should not run.");'
+  document.body.appendChild(s);
+  setTimeout(() => t.done(), 2000);
+});
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/post-message.js b/testing/web-platform/tests/content-security-policy/script-src/support/post-message.js
new file mode 100644
index 0000000000..69daa31d2f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js
new file mode 100644
index 0000000000..9aa87129ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+    id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
new file mode 100644
index 0000000000..afdcc7c011
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js
new file mode 100644
index 0000000000..03d9bf4cbb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+    postMessage('Function() function blocked');
+}
+try {
+    fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
new file mode 100644
index 0000000000..afdcc7c011
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js
new file mode 100644
index 0000000000..d2b6691b8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js
@@ -0,0 +1,17 @@
+var message = "importScripts allowed";
+try {
+    importScripts("/content-security-policy/support/post-message.js");
+} catch (e) {
+    message = "importScripts blocked";
+}
+
+if (typeof SharedWorkerGlobalScope === "function") {
+  onconnect = function (e) {
+    var port = e.ports[0];
+
+    port.onmessage = function () { port.postMessage(message); }
+    port.postMessage(message);
+  };
+} else if (typeof DedicatedWorkerGlobalScope === "function") {
+  self.postMessage(message);
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js.sub.headers
new file mode 100644
index 0000000000..57616b1fc2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js
new file mode 100644
index 0000000000..c4241c97d0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js
@@ -0,0 +1,16 @@
+var id = 0;
+try {
+  id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+var message = id === 0 ? "setTimeout blocked" : "setTimeout allowed";
+
+if (typeof SharedWorkerGlobalScope === "function") {
+  onconnect = function (e) {
+    var port = e.ports[0];
+
+    port.onmessage = function () { port.postMessage(message); }
+    port.postMessage(message);
+  };
+} else if (typeof DedicatedWorkerGlobalScope === "function") {
+  self.postMessage(message);
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js.sub.headers
new file mode 100644
index 0000000000..57616b1fc2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/worker-data-set-timeout.sub.html b/testing/web-platform/tests/content-security-policy/script-src/worker-data-set-timeout.sub.html
new file mode 100644
index 0000000000..ac4b608b08
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/worker-data-set-timeout.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- We add two CSP entries on purpose. The first one does nothing
+    for the purpose of this test, but we want to check that both are
+    inherited -->
+    <meta http-equiv="Content-Security-Policy" content="object-src: 'none'">
+    <meta http-equiv="Content-Security-Policy" content="script-src data: 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-data-set-timeout</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/testharness-helper.js'></script>
+</head>
+
+<body>
+    <script>
+      fetch('./support/worker-with-script-src-none-set-timeout.js')
+       .then(data => data.text())
+       .then(
+           text => assert_shared_worker_is_loaded(
+               `data:text/javascript,${text}`,
+               "Shared worker with data: url inherits CSP",
+               "setTimeout blocked"));
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/worker-eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/script-src/worker-eval-blocked.sub.html
new file mode 100644
index 0000000000..01c9eb196f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/worker-eval-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-eval-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["eval blocked"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>This test loads a worker, delivered with its own policy.
+    The eval() call in the worker should be forbidden by that
+    policy.  No report should be generated because the worker
+    policy does not set a report-uri (although this parent
+    resource does).</p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+
+        try {
+            var worker = new Worker('/content-security-policy/script-src/support/worker-eval.js');
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/worker-function-function-blocked.sub.html b/testing/web-platform/tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
new file mode 100644
index 0000000000..8c1df9f667
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-function-function-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["Function() function blocked"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>This test loads a worker, delivered with its own policy.
+    The Function constructor should be forbidden by that
+    policy.  No report should be generated because the worker
+    policy does not set a report-uri (although this parent
+    resource does).</p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        try {
+            var worker = new Worker('/content-security-policy/script-src/support/worker-function-function.js');
+            worker.onmessage = function(event) {
+                log(event.data);
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/worker-importscripts.sub.html b/testing/web-platform/tests/content-security-policy/script-src/worker-importscripts.sub.html
new file mode 100644
index 0000000000..ae7157cfa9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/worker-importscripts.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>worker-importscripts</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/testharness-helper.js'></script>
+</head>
+
+<body>
+    <script>
+      assert_worker_is_loaded(
+        "./support/worker-with-script-src-none-importscripts.js",
+        "Dedicated worker delivers its own CSP",
+        "importScripts blocked");
+
+      assert_shared_worker_is_loaded(
+        "./support/worker-with-script-src-none-importscripts.js",
+        "Shared worker delivers its own CSP",
+        "importScripts blocked");
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/worker-script-src.sub.html b/testing/web-platform/tests/content-security-policy/script-src/worker-script-src.sub.html
new file mode 100644
index 0000000000..da7771b9c4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/worker-script-src.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-script-src</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log('Fail');
+        });
+        try {
+            var foo = new Worker('/content-security-policy/script-src/support/post-message.js');
+            foo.onmessage = function(event) {
+                log("PASS");
+            };
+        } catch (e) {
+            log(e);
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/worker-set-timeout.sub.html b/testing/web-platform/tests/content-security-policy/script-src/worker-set-timeout.sub.html
new file mode 100644
index 0000000000..7e73626c6f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/worker-set-timeout.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self';">
+    <title>worker-set-timeout</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/testharness-helper.js'></script>
+</head>
+
+<body>
+    <script>
+      assert_worker_is_loaded(
+        "./support/worker-with-script-src-none-set-timeout.js",
+        "Dedicated worker delivers its own CSP",
+        "setTimeout blocked");
+
+      assert_shared_worker_is_loaded(
+        "./support/worker-with-script-src-none-set-timeout.js",
+        "Shared worker delivers its own CSP",
+        "setTimeout blocked");
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html
new file mode 100644
index 0000000000..ddd5068df1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html
@@ -0,0 +1,20 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+    async_test(t => {
+        var watcher = new EventWatcher(t, document, 'securitypolicyviolation');
+        watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => {
+            assert_equals(e.blockedURI, "eval");
+            assert_equals(e.lineNumber, 15);
+            assert_equals(e.columnNumber, 12);
+        }));
+
+        try {
+            eval("assert_unreached('eval() should be blocked.");
+        } catch (e) {
+            assert_equals(e.name, 'EvalError');
+        }
+    }, "Eval violations have a blockedURI of 'eval'");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html
new file mode 100644
index 0000000000..7cced9ef69
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html
@@ -0,0 +1,19 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<script nonce="abc">
+    async_test(t => {
+        var watcher = new EventWatcher(t, document, 'securitypolicyviolation');
+        watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => {
+            assert_equals(e.blockedURI, "inline");
+            assert_equals(e.lineNumber, 15);
+            assert_equals(e.columnNumber, 8);
+        }));
+    }, "Inline violations have a blockedURI of 'inline'");
+</script>
+<script>
+    test(t => {
+        assert_unreached();
+    }, "Blocked script shouldn't execute.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-ws-wss-scheme.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-ws-wss-scheme.html
new file mode 100644
index 0000000000..88bf4ae599
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/blockeduri-ws-wss-scheme.html
@@ -0,0 +1,53 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script>
+
+const info = get_host_info();
+
+const nextCSPViolation = (test) => {
+  return new Promise((resolve, reject) => {
+    document.addEventListener("securitypolicyviolation", resolve, {once: true});
+    test.step_timeout(() => reject("timeout"), 3000);
+  });
+};
+
+const redirector = get_host_info().HTTP_REMOTE_ORIGIN.replace("http", "wss") +
+  "/common/redirect.py";
+
+promise_setup(async () => {
+  const meta = document.createElement('meta');
+  meta.httpEquiv = "Content-Security-Policy";
+  meta.content = "connect-src " + redirector;
+  document.getElementsByTagName('head')[0].appendChild(meta);
+}, "Install <meta> CSP");
+
+promise_test(async test => {
+  const url = get_host_info().HTTP_ORIGIN.replace("http", "ws") + "/path";
+  const violation = nextCSPViolation(test);
+  try { new WebSocket(url); } catch (e) {}
+  assert_equals((await violation).blockedURI, url);
+}, "ws");
+
+promise_test(async test => {
+  const url = get_host_info().HTTP_ORIGIN.replace("http", "wss") + "/path";
+  const violation = nextCSPViolation(test);
+  try { new WebSocket(url); } catch (e) {}
+  assert_equals((await violation).blockedURI, url);
+}, "wss");
+
+promise_test(async test => {
+  const url = get_host_info().HTTP_REMOTE_ORIGIN.replace("http", "wss") + "/path";
+  const violation = nextCSPViolation(test);
+  try { new WebSocket(url); } catch (e) {}
+  assert_equals((await violation).blockedURI, url);
+}, "cross-origin");
+
+promise_test(async test => {
+  const url = get_host_info().HTTP_ORIGIN.replace("http", "wss") + "/path";
+  const violation = nextCSPViolation(test);
+  try {new WebSocket(redirector + "?location=" + url); } catch (e) {}
+  assert_equals((await violation).blockedURI, url);
+}, "redirect");
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html
new file mode 100644
index 0000000000..1a090d8e2c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html
@@ -0,0 +1,239 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+    // basic tests.
+    test(function() {
+      assert_throws_js(TypeError,
+                       function() { new SecurityPolicyViolationEvent(); });
+    }, "SecurityPolicyViolationEvent constructor should throw with no parameters");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor works with an init dict");
+
+    // missing required members
+    test(function() {
+      assert_throws_js(TypeError,
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          // documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires documentURI");
+
+    test(function() {
+      assert_throws_js(TypeError,
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          // violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires violatedDirective");
+
+    test(function() {
+      assert_throws_js(TypeError,
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          // effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires effectiveDirective");
+
+    test(function() {
+      assert_throws_js(TypeError,
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          // originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires originalPolicy");
+
+    test(function() {
+      assert_throws_js(TypeError,
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          // disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires disposition");
+
+    test(function() {
+      assert_throws_js(TypeError,
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          // statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires statusCode");
+
+    // missing optional members
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        // referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require referrer");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        // blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require blockedURI");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        // sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require sourceFile");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        // sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require sample");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        // lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require lineNumber");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        // columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require columnNumber");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/idlharness.window.js b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/idlharness.window.js
new file mode 100644
index 0000000000..25efd0d4e1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/idlharness.window.js
@@ -0,0 +1,18 @@
+// META: script=/resources/WebIDLParser.js
+// META: script=/resources/idlharness.js
+
+// https://w3c.github.io/webappsec-csp/
+
+'use strict';
+
+idl_test(
+  ['CSP'],
+  ['dom', 'reporting'],
+  idl_array => {
+    idl_array.add_objects({
+      SecurityPolicyViolationEvent: [
+        'new SecurityPolicyViolationEvent("securitypolicyviolation")'
+      ]
+    })
+  }
+);
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html
new file mode 100644
index 0000000000..c63206db46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html
@@ -0,0 +1,31 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/testharness-helper.sub.js"></script>
+<body></body>
+<script>
+    function waitForViolation(el, t, policy, blockedURI) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => {
+          if (e.originalPolicy == policy && e.blockedURI == blockedURI)
+            resolve(e);
+          else
+            t.unreached_func("Unexpected violation event for " + e.blockedURI)();
+        });
+      });
+    }
+
+    async_test(t => {
+      var i = document.createElement("img");
+      var redirect = generateCrossOriginRedirectImage();
+      i.src = redirect.url;
+
+      // Report-only policy should trigger a violation on the redirected request.
+      waitForViolation(window, t, "img-src https:", new URL(redirect.url, window.location).href).then(t.step_func(e => {
+        t.done();
+      }));
+
+      document.body.appendChild(i);
+    }, "Image that redirects to http:// URL prohibited by Report-Only must generate a violation report, even with upgrade-insecure-requests");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers
new file mode 100644
index 0000000000..57207bbd23
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy-Report-Only: img-src https:
+Content-Security-Policy: upgrade-insecure-requests
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
new file mode 100644
index 0000000000..9bffad09b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
@@ -0,0 +1,25 @@
+<!doctype html>
+<meta http-equiv="content-security-policy" content="img-src 'self'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body></body>
+<script>
+  async_test(t => {
+    const i = document.createElement("img");
+
+    const target = "http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/fail.png";
+    const url = window.origin + "/common/redirect.py?location=" + encodeURIComponent(target);
+
+    window.addEventListener('securitypolicyviolation', t.step_func_done((e) => {
+      assert_equals(e.blockedURI, url);
+    }));
+
+    i.onload = t.step_func(() => {
+      assert_unreached("Img should be blocked.");
+    });
+    i.src = url;
+
+    document.body.appendChild(i);
+  }, "The blocked URI in the security policy violation event should be the original URI before redirects.");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html
new file mode 100644
index 0000000000..0912ec2ad9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<!--
+  Set a policy in the document to ensure that the block is triggering
+  in the worker and not in the document.
+-->
+<meta http-equiv="content-security-policy" content="connect-src 'self'">
+
+<script>
+  var w = new Worker("./support/inside-worker.sub.js");
+
+  // Forward 'securitypolicyviolation' events from the document into the
+  // worker (we shouldn't actually see any, so the worker will assert that
+  // none are fired).
+  document.addEventListener('securitypolicyviolation', _ => {
+    w.postMessage("SecurityPolicyViolation from Document");
+  });
+
+  fetch_tests_from_worker(w);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html
new file mode 100644
index 0000000000..e0e59c8b8e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<!--
+  Set a policy in the document to ensure that the block is triggering
+  in the worker and not in the document.
+-->
+<meta http-equiv="content-security-policy" content="connect-src 'self'">
+
+<script>
+  navigator.serviceWorker.register("./support/inside-worker.sub.js", { scope: "./support/" })
+    .then(r => {
+      var sw = r.active || r.installing || r.waiting;
+      add_completion_callback(_ => r.unregister());
+
+      // Forward 'securitypolicyviolation' events from the document into the
+      // worker (we shouldn't actually see any, so the worker will assert that
+      // none are fired.
+      document.addEventListener('securitypolicyviolation', _ => {
+        sw.postMessage("SecurityPolicyViolation from Document");
+      });
+
+      fetch_tests_from_worker(sw);
+    });
+</script>
+
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html
new file mode 100644
index 0000000000..4fddf12a3c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<!--
+  Set a policy in the document to ensure that the block is triggering
+  in the worker and not in the document.
+-->
+<meta http-equiv="content-security-policy" content="connect-src 'self'">
+
+<script>
+  var w = new SharedWorker("./support/inside-worker.sub.js");
+
+  // Forward 'securitypolicyviolation' events from the document into the
+  // worker (we shouldn't actually see any, so the worker will assert that
+  // none are fired.
+  document.addEventListener('securitypolicyviolation', _ => {
+    w.port.postMessage("SecurityPolicyViolation from Document");
+  });
+
+  fetch_tests_from_worker(w);
+</script>
+
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html
new file mode 100644
index 0000000000..3e25ce299c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html
@@ -0,0 +1,80 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; style-src 'self'; img-src 'none'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<body>
+<script nonce="abc">
+    function waitForViolation(el) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => resolve(e));
+      });
+    }
+
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = "assert_unreached('inline script block')";
+
+      waitForViolation(s)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "");
+        }));
+
+      document.head.append(s);
+    }, "Inline script should not have a sample.");
+
+    async_test(t => {
+      var a = document.createElement("a");
+      a.setAttribute("onclick", "assert_unreached('inline event handler')");
+
+      waitForViolation(a)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "");
+        }));
+
+      document.body.append(a);
+      a.click();
+    }, "Inline event handlers should not have a sample.");
+
+    async_test(t => {
+      var i = document.createElement("iframe");
+      i.src = "javascript:'inline url'";
+
+      waitForViolation(i)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "");
+        }));
+
+      document.body.append(i);
+    }, "JavaScript URLs in iframes should not have a sample.");
+
+    async_test(t => {
+      var violations = 0;
+      document.addEventListener('securitypolicyviolation', t.step_func(e => {
+        if (e.blockedURI != "eval")
+          return;
+
+        assert_equals(e.sample, "");
+        violations++
+        if (violations == 3)
+          t.done();
+      }));
+      try {
+        eval("assert_unreached('eval')");
+        assert_unreached('eval');
+      } catch (e) {
+      }
+      try {
+        setInterval("assert_unreached('interval')", 1000);
+        assert_unreached('interval');
+      } catch (e) {
+      }
+      try {
+        setTimeout("assert_unreached('timeout')", 1000);
+        assert_unreached('timeout');
+      } catch (e) {
+      }
+    }, "eval()-alikes should not have a sample.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample.html
new file mode 100644
index 0000000000..b38055bf7b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample.html
@@ -0,0 +1,94 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<body>
+<script nonce="abc">
+    function waitForViolation(el) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => resolve(e));
+      });
+    }
+
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = "assert_unreached('inline script block')";
+
+      waitForViolation(s)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "assert_unreached('inline script block')");
+        }));
+
+      document.head.append(s);
+    }, "Inline script should have a sample.");
+
+    async_test(t => {
+      var a = document.createElement("a");
+      a.setAttribute("onclick", "assert_unreached('inline event handler')");
+
+      waitForViolation(a)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "assert_unreached('inline event handler')");
+        }));
+
+      document.body.append(a);
+      a.click();
+    }, "Inline event handlers should have a sample.");
+
+    async_test(t => {
+      var i = document.createElement("iframe");
+      i.src = "javascript:'inline url'";
+
+      waitForViolation(i)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "javascript:'inline url'");
+        }));
+
+      document.body.append(i);
+    }, "JavaScript URLs in iframes should have a sample.");
+
+    async_test(t => {
+      document.addEventListener('securitypolicyviolation', t.step_func(e => {
+        if (e.blockedURI == "eval" &&
+            e.sample == "assert_unreached('eval')") {
+          t.done();
+        }
+      }));
+      try {
+        eval("assert_unreached('eval')");
+        assert_unreached('eval');
+      } catch (e) {
+      }
+    }, "eval() should have a sample.");
+
+    async_test(t => {
+      document.addEventListener('securitypolicyviolation', t.step_func(e => {
+        if (e.blockedURI == "eval" &&
+            e.sample == "assert_unreached('interval')") {
+          t.done();
+        }
+      }));
+      try {
+        setInterval("assert_unreached('interval')", 1000);
+        assert_unreached('interval');
+      } catch (e) {
+      }
+    }, "setInterval() should have a sample.");
+
+    async_test(t => {
+      document.addEventListener('securitypolicyviolation', t.step_func(e => {
+        if (e.blockedURI == "eval" &&
+            e.sample == "assert_unreached('timeout')") {
+          t.done();
+        }
+      }));
+      try {
+        setTimeout("assert_unreached('timeout')", 1000);
+        assert_unreached('timeout');
+      } catch (e) {
+      }
+    }, "setTimeout() should have a sample.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
new file mode 100644
index 0000000000..318fae4634
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/content-security-policy/support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+  async_test(t => {
+    waitUntilEvent(window, "securitypolicyviolation")
+      .then(t.step_func_done(e => {
+        assert_equals(e.documentURI, document.location.toString());
+        assert_equals(e.referrer, document.referrer);
+        assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        assert_equals(e.effectiveDirective, "img-src");
+        assert_equals(e.originalPolicy, "img-src \'none\'");
+        assert_equals(e.disposition, "enforce");
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/support/inject-image.sub.js");
+        assert_equals(e.lineNumber, 2);
+        assert_equals(e.columnNumber, 0);
+        assert_equals(e.statusCode, 200);
+      }));
+
+    var s = document.createElement("script");
+    s.src = "{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/support/inject-image.sub.js";
+    document.body.appendChild(s);
+  }, "Non-redirected cross-origin URLs are not stripped.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html
new file mode 100644
index 0000000000..44ca8d50e4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/content-security-policy/support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+  async_test(t => {
+    waitUntilEvent(window, "securitypolicyviolation")
+      .then(t.step_func_done(e => {
+        assert_equals(e.documentURI, document.location.toString());
+        assert_equals(e.referrer, document.referrer);
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        assert_equals(e.effectiveDirective, "img-src");
+        assert_equals(e.originalPolicy, "img-src \'none\'");
+        assert_equals(e.disposition, "enforce");
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html");
+        assert_equals(e.lineNumber, 25);
+        assert_equals(e.columnNumber, 4);
+        assert_equals(e.statusCode, 200);
+      }));
+
+    var i = document.createElement("img");
+    i.src = "{{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/fail.png";
+  }, "Non-redirected cross-origin URLs are not stripped.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html
new file mode 100644
index 0000000000..c09643c20e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/content-security-policy/support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+  async_test(t => {
+    waitUntilEvent(window, "securitypolicyviolation")
+      .then(t.step_func_done(e => {
+        assert_equals(e.documentURI, document.location.toString());
+        assert_equals(e.referrer, document.referrer);
+        assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        assert_equals(e.effectiveDirective, "img-src");
+        assert_equals(e.originalPolicy, "img-src \'none\'");
+        assert_equals(e.disposition, "enforce");
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/support/inject-image.sub.js");
+        assert_equals(e.lineNumber, 2);
+        assert_equals(e.columnNumber, 0);
+        assert_equals(e.statusCode, 200);
+      }));
+
+    var s = document.createElement("script");
+    s.src = "/content-security-policy/support/inject-image.sub.js";
+    document.body.appendChild(s);
+  }, "Non-redirected cross-origin URLs are not stripped.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html
new file mode 100644
index 0000000000..541c139533
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/content-security-policy/support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+  async_test(t => {
+    waitUntilEvent(window, "securitypolicyviolation")
+      .then(t.step_func_done(e => {
+        assert_equals(e.documentURI, document.location.toString());
+        assert_equals(e.referrer, document.referrer);
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        assert_equals(e.effectiveDirective, "img-src");
+        assert_equals(e.originalPolicy, "img-src \'none\'");
+        assert_equals(e.disposition, "enforce");
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html");
+        assert_equals(e.lineNumber, 25);
+        assert_equals(e.columnNumber, 4);
+        assert_equals(e.statusCode, 200);
+      }));
+
+    var i = document.createElement("img");
+    i.src = "/content-security-policy/support/fail.png";
+  }, "Non-redirected same-origin URLs are not stripped.");
+</script>
+
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html
new file mode 100644
index 0000000000..ad3d9f3600
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' blob:">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<script nonce="abc">
+    async_test(t => {
+        var watcher = new EventWatcher(t, document, 'securitypolicyviolation');
+        watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => {
+            assert_equals(e.blockedURI, "eval");
+            assert_equals(e.sourceFile, "blob");
+            assert_equals(e.lineNumber, 3);
+            assert_equals(e.columnNumber, 16);
+        }));
+
+        var scriptText = `
+            try {
+                eval("assert_unreached('no eval')");
+            } catch (e) {
+                assert_equals(e.name, 'EvalError');
+            }
+        `;
+        var s = document.createElement("script");
+        s.src = URL.createObjectURL(new Blob([scriptText], {type: "text/javascript"}));
+        document.head.append(s);
+    }, "Violations from data:-URL scripts have a sourceFile of 'blob'");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-data-scheme.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-data-scheme.html
new file mode 100644
index 0000000000..06511571d4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-data-scheme.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' data:">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<script nonce="abc">
+    async_test(t => {
+        var watcher = new EventWatcher(t, document, 'securitypolicyviolation');
+        watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => {
+            assert_equals(e.blockedURI, "eval");
+            assert_equals(e.sourceFile, "data");
+            assert_equals(e.lineNumber, 3);
+            assert_equals(e.columnNumber, 16);
+        }));
+
+        var scriptText = `
+            try {
+                eval("assert_unreached('no eval')");
+            } catch (e) {
+                assert_equals(e.name, 'EvalError');
+            }
+        `;
+        var s = document.createElement("script");
+        s.src = "data:text/javascript," + encodeURIComponent(scriptText);
+        document.head.append(s);
+    }, "Violations from data:-URL scripts have a sourceFile of 'data'");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file.html
new file mode 100644
index 0000000000..354b8dfd20
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file.html
@@ -0,0 +1,102 @@
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';" />
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+const policy = trustedTypes.createPolicy("sample", {createScript: x => x});
+
+// Check CSP violated by a script originating from |input| returns a CSP
+// violation whose sourceFile is |output|.
+const testSourceFile = (description, input, output) => {
+  promise_test(async test => {
+    // Listen for TrustedType violation.
+    const violation = new Promise(resolve => {
+      document.addEventListener("securitypolicyviolation", e => {
+        resolve(e);
+      }, {once: true});
+    });
+
+    // A trusted script using a customized sourceURL. The script's execution
+    // itself will trigger a TrustedType violation.
+    const trusted_script = policy.createScript(`
+      eval('');
+      //# sourceURL=${input}
+    `)
+    try {
+      eval(trusted_script);
+      assert_unreached();
+    } catch (e) {}
+
+    assert_equals((await violation).sourceFile, output);
+  }, description);
+};
+
+testSourceFile("Basic HTTPS URL",
+               "http://dummy.test/script1.js",
+               "http://dummy.test/script1.js");
+
+testSourceFile("Basic HTTP URL",
+               "https://dummy.test/script1.js",
+               "https://dummy.test/script1.js");
+
+testSourceFile("Basic WSS URL",
+               "wss://dummy.test/script1.js",
+               "wss://dummy.test/script1.js");
+
+testSourceFile("Basic WS URL",
+               "ws://dummy.test/script1.js",
+               "ws://dummy.test/script1.js");
+
+testSourceFile("Fragment",
+               "https://dummy.test/script1.js#frag",
+               "https://dummy.test/script1.js");
+
+testSourceFile("Query",
+               "https://dummy.test/script1.js?query",
+               "https://dummy.test/script1.js");
+
+testSourceFile("Port",
+               "https://dummy.test:8080/script1.js",
+               "https://dummy.test:8080/script1.js");
+
+testSourceFile("User:password",
+               "https://user:password@dummy.test/script1.js",
+               "https://dummy.test/script1.js");
+
+testSourceFile("User",
+               "https://user@dummy.test/script1.js",
+               "https://dummy.test/script1.js");
+
+testSourceFile("Invalid URL",
+               "script2.js",
+               "");
+
+testSourceFile("file:",
+               "file:///temp/script3.js",
+               "file");
+
+testSourceFile("Custom protocol",
+               "webpack://node_modules/sample/script4.js",
+               "webpack");
+
+testSourceFile("about:blank",
+               "about:blank",
+               "about");
+
+testSourceFile("about:custom",
+               "about:custom",
+               "about");
+
+testSourceFile("data:",
+               "data:text/html;charset=utf8,<html></html>",
+               "data");
+
+testSourceFile("blob:",
+               "blob:http://test.test/012345-6789-abcd-efab-0123456789",
+               "blob");
+
+testSourceFile("javascript:",
+               "javascript:void(0)",
+               "javascript");
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html
new file mode 100644
index 0000000000..1fb0bf0c09
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html
@@ -0,0 +1,39 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="style-src 'nonce-abc'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<body>
+<script nonce="abc">
+    function waitForViolation(el) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => resolve(e));
+      });
+    }
+
+    async_test(t => {
+      var s = document.createElement('style');
+      s.innerText = "p { omg: yay !important; }";
+
+      waitForViolation(s)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "");
+        }));
+
+      document.head.append(s);
+    }, "Inline style blocks should not have a sample.");
+
+    async_test(t => {
+      var p = document.createElement('p');
+      p.setAttribute("style", "omg: yay !important;");
+      p.innerText = "Yay!";
+
+      waitForViolation(p)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "");
+        }));
+
+      document.head.append(p);
+    }, "Inline style attributes should not have a sample.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/style-sample.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/style-sample.html
new file mode 100644
index 0000000000..7eed52aac7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/style-sample.html
@@ -0,0 +1,39 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="style-src 'nonce-abc' 'report-sample'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<body>
+<script nonce="abc">
+    function waitForViolation(el) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => resolve(e));
+      });
+    }
+
+    async_test(t => {
+      var s = document.createElement('style');
+      s.innerText = "p { omg: yay !important; }";
+
+      waitForViolation(s)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "p { omg: yay !important; }");
+        }));
+
+      document.head.append(s);
+    }, "Inline style blocks should have a sample.");
+
+    async_test(t => {
+      var p = document.createElement('p');
+      p.setAttribute("style", "omg: yay !important;");
+      p.innerText = "Yay!";
+
+      waitForViolation(p)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.sample, "omg: yay !important;");
+        }));
+
+      document.head.append(p);
+    }, "Inline style attributes should have a sample.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js
new file mode 100644
index 0000000000..58bd02fd9e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js
@@ -0,0 +1,57 @@
+importScripts("{{location[scheme]}}://{{host}}:{{location[port]}}/resources/testharness.js");
+importScripts("{{location[scheme]}}://{{host}}:{{location[port]}}/content-security-policy/support/testharness-helper.js");
+
+var cspEventFiredInDocument = false;
+// ServiceWorker and Worker
+self.addEventListener("message", e => {
+  if (e.data == "SecurityPolicyViolation from Document")
+    cspEventFiredInDocument = true;
+});
+// SharedWorker
+self.addEventListener("connect", c => {
+  c.ports[0].addEventListener("message", m => {
+    if (m.data == "SecurityPolicyViolation from Document")
+      cspEventFiredInDocument = true;
+  });
+});
+
+async_test(t => {
+  var url = "{{location[scheme]}}://{{host}}:{{location[port]}}/content-security-policy/support/resource.py";
+  assert_no_csp_event_for_url(t, url);
+
+  fetch(url)
+    .catch(t.unreached_func("Fetch should succeed."))
+    .then(t.step_func_done(r => {
+      assert_equals(r.status, 200);
+      assert_false(cspEventFiredInDocument);
+    }));
+}, "No SecurityPolicyViolation event fired for successful load.");
+
+async_test(t => {
+  var url = "{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/support/resource.py";
+  waitUntilCSPEventForURL(t, url)
+    .then(t.step_func_done(e => {
+      assert_equals(e.blockedURI, url);
+      assert_false(cspEventFiredInDocument);
+    }));
+
+  fetch(url)
+    .then(t.unreached_func("Fetch should not succeed."))
+    .catch(t.step_func(e => assert_true(e instanceof TypeError)));
+}, "SecurityPolicyViolation event fired on global.");
+
+async_test(t => {
+  var url = "{{location[scheme]}}://{{host}}:{{location[port]}}/common/redirect.py?location={{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/ping.js";
+  waitUntilCSPEventForURL(t, url)
+    .then(t.step_func_done(e => {
+      assert_equals(e.blockedURI, url);
+      assert_false(cspEventFiredInDocument);
+    }));
+
+  fetch(url)
+    .then(t.unreached_func("Fetch should not succeed."))
+    .catch(t.step_func(e => assert_true(e instanceof TypeError)));
+}, "SecurityPolicyViolation event fired on global with the correct blockedURI.");
+
+// Worker tests need an explicit `done()`.
+done();
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers
new file mode 100644
index 0000000000..50ff4a5b94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: connect-src 'self'
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js
new file mode 100644
index 0000000000..816b88fc6e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js
@@ -0,0 +1,5 @@
+function generateCrossOriginRedirectImage() {
+  var target = "http://{{host}}:{{ports[https][0]}}/content-security-policy/support/pass.png";
+  var url = "/common/redirect.py?location=" + encodeURIComponent(target);
+  return { url: url, target: target }
+}
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html
new file mode 100644
index 0000000000..b21273ca55
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html
@@ -0,0 +1,169 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; style-src 'self'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<script nonce="abc">
+    var unexecuted_test = async_test("These tests should not fail.");
+
+    async_test(t => {
+        var watcher = new EventWatcher(t, document, ['securitypolicyviolation'])
+        watcher.wait_for('securitypolicyviolation')
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.target, document.querySelector('#block1'));
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.target, document.querySelector('#block2'));
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.target, document.querySelector('#block3'));
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.target, document.querySelector('#block4'));
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.target, document.querySelector('#block5'));
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.lineNumber, 118);
+                assert_in_array(e.columnNumber, [4, 6]);
+                assert_equals(e.target, document, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document.");
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.lineNumber, 131);
+                assert_in_array(e.columnNumber, [4, 59]);
+                assert_equals(e.target, document, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document.");
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.lineNumber, 139);
+                assert_in_array(e.columnNumber, [4, 6]);
+                assert_equals(e.target, document, "Inline event handlers for disconnected elements target the document.");
+                return watcher.wait_for('securitypolicyviolation');
+            }))
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "inline");
+                assert_equals(e.lineNumber, 0);
+                assert_equals(e.columnNumber, 0);
+                assert_equals(e.target, document, "Inline event handlers for elements disconnected after triggering target the document.");
+            }))
+            .then(t.step_func_done(_ => {
+                unexecuted_test.done();
+            }));
+    }, "Inline violations target the right element.");
+
+</script>
+<!-- Inline block with no nonce. -->
+<script id="block1">
+    unexecuted_test.assert_unreached("This code block should not execute.");
+</script>
+
+<!-- Inline event handler. -->
+<a id="block2" onclick="void(0)">Click me!</a>
+<script nonce='abc'>document.querySelector('#block2').click();</script>
+
+<!-- Style block. -->
+<style id="block3">
+  p { color: red !important; }
+</style>
+
+<!-- Inline event handler inside Shadow DOM -->
+<div id="block4"></div>
+<script nonce='abc'>
+  async_test(t => {
+    var shadow = document.querySelector('#block4').attachShadow({"mode":"closed"});
+    shadow.innerHTML = "<a id='block4a' onclick='void(0)'>Click!</a>";
+    var a = shadow.querySelector('#block4a');
+    a.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.target, a);
+    }));
+    a.click();
+  }, "Correct targeting inside shadow tree (inline handler).");
+</script>
+
+<!-- Inline event handler inside Shadow DOM -->
+<div id="block5"></div>
+<script nonce='abc'>
+  async_test(t => {
+    var shadow = document.querySelector('#block5').attachShadow({"mode":"closed"});
+    var style = document.createElement('style');
+    style.innerText = 'p { color: red; }';
+    style.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.target, style);
+    }));
+    shadow.appendChild(style);
+  }, "Correct targeting inside shadow tree (style).");
+</script>
+
+<!-- Pushed into a same-origin Document that isn't this Document -->
+<iframe id="block6"></iframe>
+<script nonce="abc">
+  async_test(t => {
+    var d = document.createElement("div");
+    d.setAttribute("onclick", "void(0);");
+    var events = 0;
+    d.addEventListener('securitypolicyviolation', t.step_func(e => {
+      events++;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.target, d);
+    }));
+    document.querySelector('#block6').contentDocument.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+      events++;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.target, d);
+      assert_equals(events, 2);
+    }));
+    document.querySelector('#block6').contentDocument.body.appendChild(d);
+  }, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document.");
+</script>
+
+<!-- Disconnected inline event handler -->
+<script nonce="abc">
+  async_test(t => {
+    var d = document.createElement("div");
+    d.setAttribute("onclick", "void(0);");
+    d.addEventListener('securitypolicyviolation', t.unreached_func());
+    d.click();
+    t.done();
+  }, "Inline event handlers for disconnected elements target the document.");
+</script>
+
+<!-- Inline event handler, disconnected after click. -->
+<a id="block8" onclick="void(0)">Click me also!</a>
+<script nonce="abc">
+  async_test(t => {
+    var a = document.querySelector('#block8');
+    a.addEventListener('securitypolicyviolation', t.unreached_func());
+    a.click();
+    a.parentNode.removeChild(a);
+    t.done();
+  }, "Inline event handlers for elements disconnected after triggering target the document.");
+</script>
+
+<!-- Disconnected in a DocumentFragment -->
+<script nonce="abc">
+  async_test(t => {
+    var f = new DocumentFragment();
+    var d = document.createElement('div');
+    d.setAttribute('onclick', 'void(0)');
+    d.addEventListener('securitypolicyviolation', t.unreached_func());
+    f.appendChild(d);
+    d.click();
+    t.done();
+  }, "Inline event handlers for elements in a DocumentFragment target the document.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html
new file mode 100644
index 0000000000..a6617a9590
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html
@@ -0,0 +1,100 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/security-features/resources/common.sub.js"></script>
+<body></body>
+<script>
+    function waitForViolation(el, effective_directive) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => {
+          if (e.effectiveDirective == effective_directive)
+            resolve(e);
+        });
+      });
+    }
+
+    async_test(t => {
+      var url = getRequestURLs("img-tag",
+                               "same-http-downgrade",
+                               "no-redirect").testUrl;
+      var i = document.createElement('img');
+      var loaded = false;
+      var reported = false;
+      waitForViolation(window, "img-src")
+        .then(t.step_func(e => {
+           reported = true;
+           if (loaded)
+             t.done();
+      }));
+      i.onload = t.step_func(_ => {
+        loaded = true;
+        if (reported)
+          t.done();
+      });
+      i.onerror = t.unreached_func(url + " should load successfully.");
+      i.src = url;
+      document.body.appendChild(i);
+    }, "Upgraded image is reported");
+
+    async_test(t => {
+      var url = getRequestURLs("iframe-tag",
+                               "same-http-downgrade",
+                               "no-redirect").testUrl;
+      var i = document.createElement('iframe');
+      var loaded = false;
+      var reported = false;
+      waitForViolation(window, "frame-src")
+        .then(t.step_func(e => {
+           reported = true;
+           if (loaded)
+             t.done();
+      }));
+      window.addEventListener("message", t.step_func(e => {
+        if (e.source == i.contentWindow) {
+          i.remove();
+          loaded = true;
+          if (reported)
+            t.done();
+        }
+      }));
+      i.src = url;
+      document.body.appendChild(i);
+    }, "Upgraded iframe is reported");
+
+    async_test(t => {
+      // Load an HTTPS iframe, then navigate it to an HTTP URL and check that the HTTP URL is both upgraded and reported.
+      var url = getRequestURLs("iframe-tag",
+                               "same-https",
+                               "no-redirect").testUrl;
+      var navigate_to = getRequestURLs("iframe-tag",
+                                       "cross-http-downgrade",
+                                       "no-redirect").testUrl;
+      var upgraded = new URL(navigate_to);
+      upgraded.protocol = "https";
+
+      var i = document.createElement('iframe');
+      var loaded = false;
+      var reported = false;
+
+      window.addEventListener("message", t.step_func(e => {
+        if (e.source == i.contentWindow) {
+          if (e.data.location == url) {
+            waitForViolation(window, "frame-src")
+              .then(t.step_func(e => {
+                reported = true;
+                if (loaded)
+                  t.done();
+            }));
+            i.contentWindow.location.href = navigate_to;
+          } else if (e.data.location == upgraded) {
+            loaded = true;
+            if (reported)
+              t.done();
+          }
+        }
+      }));
+      i.src = url;
+      document.body.appendChild(i);
+    }, "Navigated iframe is upgraded and reported");
+</script>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers
new file mode 100644
index 0000000000..b8bec0b95e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy-Report-Only: frame-src https:; img-src https:
+Content-Security-Policy: upgrade-insecure-requests
diff --git a/testing/web-platform/tests/content-security-policy/spec.src.json b/testing/web-platform/tests/content-security-policy/spec.src.json
new file mode 100644
index 0000000000..b3b4d3c1f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/spec.src.json
@@ -0,0 +1,552 @@
+{
+  "test_description_template": "Content Security Policy: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.",
+  "test_page_title_template": "Content Security Policy: %(title)s",
+  "specification": [
+    {
+      "title": "content security policy",
+      "description": "content security policy",
+      "specification_url": "https://w3c.github.io/webappsec-csp/",
+      "test_expansion": [
+        // Set "allowed" for all requests here, and set "block" for requests
+        // to be blocked by CSP in subsequent sections.
+        // (Requests blocked due to non-CSP reasons (e.g. cross-origin workers)
+        // are excluded by `excluded_tests` sections)
+        {
+          "expansion": "default",
+          "source_scheme": "*",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "*",
+          "redirection": "*",
+          "origin": "*",
+          "subresource": "*",
+          "expectation": "allowed"
+        },
+
+        // script-src
+        {
+          // "script-src" blocks script-ish requests, except for ...
+          "expansion": "override",
+          "source_scheme": "*",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": [
+            "script-src-none",
+            "script-src-self",
+            "script-src-wildcard"
+          ],
+          "redirection": "*",
+          "origin": "*",
+          "subresource": [
+            "script-tag",
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-import-data",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-import-data",
+            "worker-module",
+            "worklet-animation",
+            "worklet-animation-import-data",
+            "worklet-audio",
+            "worklet-audio-import-data",
+            "worklet-layout",
+            "worklet-layout-import-data",
+            "worklet-paint",
+            "worklet-paint-import-data"
+          ],
+          "expectation": "blocked"
+        },
+        {
+          // non-data: URLs for "script-src *",
+          "expansion": "override",
+          "source_scheme": "*",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "script-src-wildcard",
+          "redirection": "*",
+          "origin": "*",
+          "subresource": [
+            "script-tag",
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-module",
+            "worklet-animation",
+            "worklet-audio",
+            "worklet-layout",
+            "worklet-paint"
+          ],
+          "expectation": "allowed"
+        },
+        {
+          // same-origin requests (HTTP) for "script-src 'self'", or
+          "expansion": "override",
+          "source_scheme": "http",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "script-src-self",
+          "redirection": ["no-redirect", "keep-origin"],
+          "origin": "same-http",
+          "subresource": [
+            "script-tag",
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-module",
+            "worklet-animation",
+            "worklet-audio",
+            "worklet-layout",
+            "worklet-paint"
+          ],
+          "expectation": "allowed"
+        },
+        {
+          // same-origin requests (HTTPS) for "script-src 'self'".
+          "expansion": "override",
+          "source_scheme": "https",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "script-src-self",
+          "redirection": ["no-redirect", "keep-origin"],
+          "origin": "same-https",
+          "subresource": [
+            "script-tag",
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-module",
+            "worklet-animation",
+            "worklet-audio",
+            "worklet-layout",
+            "worklet-paint"
+          ],
+          "expectation": "allowed"
+        },
+
+        // worker-src
+        {
+          // "worker-src" blocks worker requests, except for ...
+          "expansion": "override",
+          "source_scheme": "*",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": [
+            "worker-src-none",
+            "worker-src-self",
+            "worker-src-wildcard"
+          ],
+          "redirection": "*",
+          "origin": "*",
+          "subresource": [
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-import-data",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-import-data",
+            "worker-module"
+          ],
+          "expectation": "blocked"
+        },
+        {
+          // non-data: URLs for "worker-src *",
+          "expansion": "override",
+          "source_scheme": "*",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "worker-src-wildcard",
+          "redirection": "*",
+          "origin": "*",
+          "subresource": [
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-module"
+          ],
+          "expectation": "allowed"
+        },
+        {
+          // same-origin requests (HTTP) for "worker-src 'self'", or
+          "expansion": "override",
+          "source_scheme": "http",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "worker-src-self",
+          "redirection": ["no-redirect", "keep-origin"],
+          "origin": "same-http",
+          "subresource": [
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-module"
+          ],
+          "expectation": "allowed"
+        },
+        {
+          // same-origin requests (HTTPS) for "worker-src 'self'".
+          "expansion": "override",
+          "source_scheme": "https",
+          "source_context_list": "*",
+          "delivery_type": "*",
+          "delivery_value": "worker-src-self",
+          "redirection": ["no-redirect", "keep-origin"],
+          "origin": "same-https",
+          "subresource": [
+            "sharedworker-classic",
+            "sharedworker-import",
+            "sharedworker-module",
+            "worker-classic",
+            "worker-import",
+            "worker-module"
+          ],
+          "expectation": "allowed"
+        },
+
+      ]
+    }
+  ],
+  "delivery_key": "contentSecurityPolicy",
+  "excluded_tests": [
+    {
+      // upgraded-protocol-workers
+      "expansion": "*",
+      "source_scheme": "http",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": "*",
+      "redirection": "*",
+      "origin": [
+        "same-https",
+        "cross-https"
+      ],
+      "subresource": [
+        "worker-classic",
+        "worker-module",
+        "sharedworker-classic",
+        "sharedworker-module"
+      ],
+      "expectation": "*"
+    },
+    {
+      // mixed-content-insecure-subresources
+      "expansion": "*",
+      "source_scheme": "https",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": "*",
+      "redirection": "*",
+      "origin": [
+        "same-http",
+        "same-http-downgrade",
+        "cross-http",
+        "cross-http-downgrade",
+        "same-ws",
+        "same-ws-downgrade",
+        "cross-ws",
+        "cross-ws-downgrade"
+      ],
+      "subresource": "*",
+      "expectation": "*"
+    },
+    {
+      // redirections that content security policy tests don't care
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": "*",
+      "redirection": [
+        "keep-scheme",
+        "swap-scheme",
+        "downgrade"
+      ],
+      "origin": "*",
+      "subresource": "*",
+      "expectation": "*"
+    },
+    {
+      // origins that content security policy tests don't care
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": "*",
+      "redirection": "*",
+      "origin": [
+        "same-http-downgrade",
+        "cross-http-downgrade",
+        "same-ws-downgrade",
+        "cross-ws-downgrade"
+      ],
+      "subresource": "*",
+      "expectation": "*"
+    },
+    {
+      // source_context_list values to be blocked by CSP (i.e. the source
+      // context itself should be blocked by CSP before sending subresource
+      // requests):
+      // - data: URLs are blocked by "worker-src *", "worker-src 'self'" or
+      //   "worker-src 'none'".
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": [
+        "worker-classic-data",
+        "worker-module-data",
+        "sharedworker-classic-data",
+        "sharedworker-module-data"
+      ],
+      "delivery_type": "*",
+      "delivery_value": [
+        "worker-src-wildcard",
+        "worker-src-self",
+        "worker-src-none"
+      ],
+      "redirection": "*",
+      "subresource": "*",
+      "origin": "*",
+      "expectation": "*"
+    },
+    {
+      // Currently only requests from top-level Documents are tested, because
+      // `generic/test-case.sub.js` assumes that `securitypolicyviolation`
+      // events are fired on top-level Documents. Once
+      // `generic/test-case.sub.js` is fixed, we can enable non-top
+      // source_context_list here.
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": [
+        "srcdoc-inherit",
+        "srcdoc",
+        "iframe",
+        "iframe-blank-inherit",
+        "worker-classic",
+        "worker-classic-data",
+        "worker-module",
+        "worker-module-data",
+        "sharedworker-classic",
+        "sharedworker-classic-data",
+        "sharedworker-module",
+        "sharedworker-module-data"
+      ],
+      "delivery_type": "*",
+      "delivery_value": "*",
+      "redirection": "*",
+      "subresource": "*",
+      "origin": "*",
+      "expectation": "*"
+    },
+    {
+      // Skip tests with no CSP directives.
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": null,
+      "redirection": "*",
+      "subresource": "*",
+      "origin": "*",
+      "expectation": "*"
+    },
+    {
+      // Skip script-src-none tests, as "script-src 'none'" would prevent
+      // test scripts as well. See also comments in `get_csp_value()` in
+      // `common/security-features/tools/generate.py`.
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": "script-src-none",
+      "redirection": "*",
+      "subresource": "*",
+      "origin": "*",
+      "expectation": "*"
+    },
+    // Only test relevant subresources.
+    // E.g. do not test <a> tag for worker-src directives.
+    {
+      // script-src: workers (block), worklets (block), scripts (block)
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": [
+        "script-src-wildcard",
+        "script-src-self",
+        "script-src-none"
+      ],
+      "redirection": "*",
+      "subresource": [
+        "a-tag",
+        "area-tag",
+        "audio-tag",
+        "beacon",
+        "fetch",
+        "iframe-tag",
+        "img-tag",
+        "link-css-tag",
+        "link-prefetch-tag",
+        "object-tag",
+        "picture-tag",
+        "script-tag-dynamic-import",
+        "video-tag",
+        "websocket",
+        "xhr"
+      ],
+      "origin": "*",
+      "expectation": "*"
+    },
+    {
+      // worker-src: workers (block), worklets (allow), scripts (allow)
+      "expansion": "*",
+      "source_scheme": "*",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": [
+        "worker-src-wildcard",
+        "worker-src-self",
+        "worker-src-none"
+      ],
+      "redirection": "*",
+      "subresource": [
+        "a-tag",
+        "area-tag",
+        "audio-tag",
+        "beacon",
+        "fetch",
+        "iframe-tag",
+        "img-tag",
+        "link-css-tag",
+        "link-prefetch-tag",
+        "object-tag",
+        "picture-tag",
+        "script-tag-dynamic-import",
+        "video-tag",
+        "websocket",
+        "xhr"
+      ],
+      "origin": "*",
+      "expectation": "*"
+    },
+    {
+      // HTTP->HTTPS requests are skipped to reduce the number of tests.
+      "expansion": "*",
+      "source_scheme": "http",
+      "source_context_list": "*",
+      "delivery_type": "*",
+      "delivery_value": "*",
+      "redirection": "*",
+      "origin": [
+        "same-https",
+        "cross-https"
+      ],
+      "subresource": "*",
+      "expectation": "*"
+    },
+  ],
+  "source_context_schema": {
+    "supported_delivery_type": {
+      "top": [
+        "meta",
+        "http-rp"
+      ],
+      // The following lines are commented out, because the
+      // contentSecurityPolicy deliveries are not yet implemented in the
+      // `common/security-features/scope/` scripts.
+      "iframe": [
+        // "meta",
+        // "http-rp"
+      ],
+      "iframe-blank": [
+        // "meta"
+      ],
+      "srcdoc": [
+        // "meta"
+      ],
+      "worker-classic": [
+        // "http-rp"
+      ],
+      "worker-module": [
+        // "http-rp"
+      ],
+      "worker-classic-data": [],
+      "worker-module-data": [],
+      "sharedworker-classic": [
+        // "http-rp"
+      ],
+      "sharedworker-module": [
+        // "http-rp"
+      ],
+      "sharedworker-classic-data": [],
+      "sharedworker-module-data": []
+    }
+  },
+  "subresource_schema": {
+    "supported_delivery_type": {
+      // No per-request CSP can be specified.
+      "a-tag": [],
+      "area-tag": [],
+      "audio-tag": [],
+      "beacon": [],
+      "fetch": [],
+      "iframe-tag": [],
+      "img-tag": [],
+      "link-css-tag": [],
+      "link-prefetch-tag": [],
+      "object-tag": [],
+      "picture-tag": [],
+      "script-tag": [],
+      "script-tag-dynamic-import": [],
+      "sharedworker-classic": [],
+      "sharedworker-import": [],
+      "sharedworker-import-data": [],
+      "sharedworker-module": [],
+      "video-tag": [],
+      "websocket": [],
+      "worker-classic": [],
+      "worker-import": [],
+      "worker-import-data": [],
+      "worker-module": [],
+      "worklet-animation": [],
+      "worklet-animation-import-data": [],
+      "worklet-audio": [],
+      "worklet-audio-import-data": [],
+      "worklet-layout": [],
+      "worklet-layout-import-data": [],
+      "worklet-paint": [],
+      "worklet-paint-import-data": [],
+      "xhr": []
+    }
+  },
+  "test_expansion_schema": {
+    "delivery_type": [
+      "http-rp",
+      "meta"
+    ],
+    "delivery_value": [
+      null,
+      "script-src-none",
+      "script-src-self",
+      "script-src-wildcard",
+      "worker-src-none",
+      "worker-src-self",
+      "worker-src-wildcard"
+    ],
+    "expectation": [
+      "blocked",
+      "allowed"
+    ]
+  }
+}
diff --git a/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html
new file mode 100644
index 0000000000..567e22496c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-attr 'unsafe-inline';
+    style-src 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should apply the style attribute");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+</head>
+
+<body style="background: green">
+    <script>
+      t.step(function() {
+        assert_true(document.body.style.length > 0);
+        t.done();
+      });
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html
new file mode 100644
index 0000000000..622c3bf764
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-attr 'none';
+    style-src 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body style="background: green">
+  <script>
+    async_test(function(test) {
+      assert_equals(document.body.style.length, 0);
+      test.done();
+    }, "The attribute style should not be applied");
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html
new file mode 100644
index 0000000000..279600ea2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline';
+    style-src-attr 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation for the attribute");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body style="background: green">
+  <style>
+    body {background: blue;}
+  </style>
+
+  <script>
+    async_test(function(test) {
+      assert_equals(document.body.style.length, 0);
+      assert_equals(document.styleSheets.length, 1);
+      test.done();
+    }, "The attribute style should not be applied and the inline style should be applied");
+  </script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html
new file mode 100644
index 0000000000..c15cf0bcf6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline';
+    style-src 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Inline style should be applied");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+</head>
+
+<body>
+    <style>
+      body {background: green;}
+    </style>
+    <script>
+      t.step(function() {
+        assert_equals(document.styleSheets.length, 1);
+        t.done();
+      });
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html
new file mode 100644
index 0000000000..a42c9de9b8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'none';
+    script-src-attr 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation for the inline block");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body style="background: green">
+  <style>
+    body {background: blue;}
+  </style>
+
+  <script>
+    async_test(function(test) {
+      assert_true(document.body.style.length > 0);
+      assert_equals(document.styleSheets.length, 0);
+      test.done();
+    }, "The inline style should not be applied and the attribute style should be applied");
+  </script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html
new file mode 100644
index 0000000000..bf5014a458
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'none';
+    style-src 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body>
+  <style>
+    body {background: green;}
+  </style>
+  <script>
+    async_test(function(test) {
+      assert_equals(document.styleSheets.length, 0);
+      test.done();
+    }, "The inline style should not be applied");
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html
new file mode 100644
index 0000000000..276f946728
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>injected-inline-style-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS: 2 stylesheets on the page."]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+       });
+    </script>
+
+    <div id="test1">
+        FAIL 1/2
+    </div>
+
+    <div id="test2">
+        FAIL 2/2
+    </div>
+
+    <script src="support/inject-style.js"></script>
+    <script>
+        if (document.styleSheets.length === 2)
+            log("PASS: 2 stylesheets on the page.");
+        else
+            log("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html
new file mode 100644
index 0000000000..9477a95978
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>injected-inline-style-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=style-src-elem","violated-directive=style-src-elem","PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+       });
+    </script>
+
+    <div id="test1">
+        PASS 1/2
+    </div>
+    <div id="test2">
+        PASS 2/2
+    </div>
+
+    <script src="support/inject-style.js"></script>
+    <script>
+        log(document.styleSheets.length == 0 ? "PASS" : "FAIL");
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html b/testing/web-platform/tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html
new file mode 100644
index 0000000000..e99699410e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html
@@ -0,0 +1,146 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>inline-style-allowed-while-cloning-objects</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+        setup({ explicit_done: true });
+
+        var t = async_test("Test that violation report event was fired");
+        window.addEventListener("securitypolicyviolation", t.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "style-src-attr");
+        }));
+        window.onload = function() {
+            try {
+                runTests();
+            } finally {
+                done();
+            }
+        };
+
+        function runTests() {
+            window.nodes = document.getElementById('nodes');
+            window.node1 = document.getElementById('node1');
+            window.node1.style.background = "yellow";
+            window.node1.style.color = "red";
+            window.node2 = document.getElementById('node1').cloneNode(true);
+            window.node2.id = "node2";
+            window.node3 = document.getElementById('node3');
+            window.node3.style.background = "blue";
+            window.node3.style.color = "green";
+            window.node4 = document.getElementById('node3').cloneNode(false);
+            window.node4.id = "node4";
+            window.node4.innerHTML = "Node #4";
+            nodes.appendChild(node1);
+            nodes.appendChild(node2);
+            nodes.appendChild(node3);
+            nodes.appendChild(node4);
+            test(function() {
+                assert_equals(node1.style.background.match(/yellow/)[0], "yellow")
+            });
+            test(function() {
+                assert_equals(node2.style.background.match(/yellow/)[0], "yellow")
+            });
+            test(function() {
+                assert_equals(node3.style.background.match(/blue/)[0], "blue")
+            });
+            test(function() {
+                assert_equals(node4.style.background.match(/blue/)[0], "blue")
+            });
+            test(function() {
+                assert_equals(node1.style.color, "red")
+            });
+            test(function() {
+                assert_equals(node2.style.color, "red")
+            });
+            test(function() {
+                assert_equals(node3.style.color, "green")
+            });
+            test(function() {
+                assert_equals(node4.style.color, "green")
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(node1).background, window.getComputedStyle(node2).background)
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(node3).background, window.getComputedStyle(node4).background)
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(node1).color, window.getComputedStyle(node2).color)
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(node3).color, window.getComputedStyle(node4).color)
+            });
+            window.ops = document.getElementById('ops');
+            ops.style.color = 'red';
+            window.clonedOps = ops.cloneNode(true);
+            window.violetOps = document.getElementById('violetOps');
+            violetOps.style.background = 'rgb(238, 130, 238)';
+            document.getElementsByTagName('body')[0].appendChild(clonedOps);
+            test(function() {
+                assert_equals(ops.style.background, "")
+            });
+            test(function() {
+                assert_equals(ops.style.color, "red")
+            });
+            test(function() {
+                assert_equals(clonedOps.style.background, "")
+            });
+            test(function() {
+                assert_equals(violetOps.style.background.match(/rgb\(238, 130, 238\)/)[0], "rgb(238, 130, 238)")
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(ops).background)
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(clonedOps).color, window.getComputedStyle(ops).color)
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(ops).background, window.getComputedStyle(violetOps).background)
+            });
+            test(function() {
+                assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(violetOps).background)
+            });
+            test(function() {
+                assert_equals(ops.id, "ops")
+            });
+            test(function() {
+                assert_equals(ops.id, clonedOps.id)
+            });
+            test(function() {
+                let el = document.getElementById("svg");
+                assert_equals(el.getAttribute("style"), "");
+                el.style.background = violetOps.style.background;
+                assert_not_equals(el.style.background, "");
+                let clone = el.cloneNode(true);
+                assert_equals(el.style.background, clone.style.background)
+            }, "non-HTML namespace");
+        }
+
+    </script>
+</head>
+
+<body>
+    <p>
+            This test ensures that styles can be set by object.cloneNode()
+    </p>
+    <div id="nodes">
+        This is a div (nodes)
+        <div id="node1"> This is a div. (node 1 or 2)</div>
+        <div id="node3"> This is a div. (node 3 or 4)</div>
+    </div>
+    <div id="ops" style="background: rgb(238, 130, 238)">
+        Yet another div.
+    </div>
+    <div id="violetOps">
+        Yet another div.
+    </div>
+    <svg id="svg" style="background: rgb(238, 130, 238)"></svg>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/inline-style-allowed.sub.html
new file mode 100644
index 0000000000..a0fbbb2c13
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/inline-style-allowed.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';">
+    <title>inline-style-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+       });
+    </script>
+
+    <style>
+        .target {
+            background-color: blue;
+        }
+
+    </style>
+</head>
+
+<body class="target">
+    <script>
+        log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html
new file mode 100644
index 0000000000..048e4067c5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';">
+    <title>inline-style-attribute-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body style="background-color: blue;">
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+       });
+    </script>
+
+    <script>
+        log(document.body.style.length > 0 ? 'PASS' : 'FAIL');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html b/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html
new file mode 100644
index 0000000000..71e5a88b7a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';">
+    <title>inline-style-attribute-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=style-src-attr","PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+       });
+    </script>
+</head>
+<body style="background-color: blue;">
+
+    <script>
+        log(document.body.style.length > 0 ? 'FAIL' : 'PASS');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html b/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html
new file mode 100644
index 0000000000..91faf09166
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+        log("Fail");
+    });
+</script>
+<html style="background-color: blue;">
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'">
+    <title>inline-style-attribute-on-html</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element.
+    </p>
+    <script>
+        log(document.documentElement.style.length > 0 ? 'PASS' : 'FAIL');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/style-src/inline-style-blocked.sub.html
new file mode 100644
index 0000000000..3f34437dff
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/inline-style-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';">
+    <title>inline-style-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+       window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+       });
+    </script>
+    <style>
+        .target {
+            background-color: blue;
+        }
+
+    </style>
+</head>
+
+<body class="target">
+    <script>
+        log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/resources/allowed.css b/testing/web-platform/tests/content-security-policy/style-src/resources/allowed.css
new file mode 100644
index 0000000000..35a8998217
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/resources/allowed.css
@@ -0,0 +1,3 @@
+#test {
+  color: green;
+}
diff --git a/testing/web-platform/tests/content-security-policy/style-src/resources/style-src-import.sub.css b/testing/web-platform/tests/content-security-policy/style-src/resources/style-src-import.sub.css
new file mode 100644
index 0000000000..bd1d6ac7ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/resources/style-src-import.sub.css
@@ -0,0 +1 @@
+@import "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/style-src/style-src.css";
diff --git a/testing/web-platform/tests/content-security-policy/style-src/resources/style-src-inject-style.js b/testing/web-platform/tests/content-security-policy/style-src/resources/style-src-inject-style.js
new file mode 100644
index 0000000000..99a9c2a464
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/resources/style-src-inject-style.js
@@ -0,0 +1,5 @@
+document.write("<style>#content { margin-left: 2px; }</style>");
+
+var s = document.createElement('style');
+s.innerText = "#content { margin-right: 2px; }";
+document.getElementsByTagName('body')[0].appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/style-src/resources/style-src.css b/testing/web-platform/tests/content-security-policy/style-src/resources/style-src.css
new file mode 100644
index 0000000000..d76606eb6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/resources/style-src.css
@@ -0,0 +1 @@
+#content { margin-left: 2px; }
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/style-allowed.sub.html
new file mode 100644
index 0000000000..9ca9d8b387
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';">
+    <title>style-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+    </script>
+    <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+    <script>
+        log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-blocked.html
new file mode 100644
index 0000000000..07ec8d35aa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-blocked.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none'">
+    <title>style-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      async_test(t => {
+        window.addEventListener('securitypolicyviolation',
+                                t.step_func_done(e => {
+          assert_equals(e.violatedDirective, "style-src-elem");
+        }));
+      }, "Violated directive is script-src-elem.");
+    </script>
+    <link rel="stylesheet" href="resources/blue.css">
+</head>
+<body>
+  <script>
+    test(t => {
+      assert_equals(document.styleSheets.length, 1);
+    }, "document.styleSheets should contain an item for the blocked CSS.");
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-error-event-fires.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-error-event-fires.html
new file mode 100644
index 0000000000..2c788b550c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-error-event-fires.html
@@ -0,0 +1,34 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      function styleError(t) {
+        t.done();
+      }
+
+      function styleLoad(t) {
+        t.unreached_func("Should not be able to load style");
+      }
+
+      var t1 = async_test("Test error event fires on stylesheet link");
+      var t2 = async_test("Test error event fires on inline style")
+    </script>
+
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <link onerror="styleError(t1)" onload="styleLoad(t1)" href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
+
+    <style onerror="styleError(t2)" onload="styleLoad(t2)">
+        #content { margin-left: 2px; }
+    </style>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-allowed.html
new file mode 100644
index 0000000000..720edaf2ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-allowed.html
@@ -0,0 +1,42 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src
+                'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='
+                'sha384-OliBBQtittDq3qDaEttMlHG1viNf50PLjSlvXirHZHpeKApMClrTJz+7VB5RTWdN'
+                'sha512-4/SpqCV0WGbb2QZXBViFlnms4M0I+aUGg9/tIhr10twU89nlMSBLOhi3cVli39kyBZbUAlzk9xcVTMy+JDY+VA=='">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("All style elements should load because they have proper hashes");
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <style>#content1 { margin-left: 2px; }</style>
+    <style>#content2 { margin-left: 2px; }</style>
+    <style>#content3 { margin-left: 2px; }</style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content1">Lorem ipsum</div>
+    <div id="content2">Lorem ipsum</div>
+    <div id="content3">Lorem ipsum</div>
+
+    <script>
+      function make_assert(contentId) {
+        var contentEl = document.getElementById(contentId);
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px")
+      }
+      t.step(function() {
+        make_assert("content1");
+        make_assert("content2");
+        make_assert("content3");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-blocked.html
new file mode 100644
index 0000000000..c49e85b603
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-blocked.html
@@ -0,0 +1,48 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src
+                'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t1 = async_test("Should load the style with a correct hash");
+      var t2 = async_test("Should not load style that does not match hash");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+
+    <style>#content1 { margin-left: 2px; }</style>
+    <style>#content2 { margin-left: 2px; }</style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content1">Lorem ipsum</div>
+    <div id="content2">Lorem ipsum</div>
+
+    <script>
+      function make_assert(contentId, assertTrue) {
+        var contentEl = document.getElementById(contentId);
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        if (assertTrue) assert_equals(marginLeftVal, "2px");
+        else assert_not_equals(marginLeftVal, "2px");
+      }
+
+      t1.step(function() {
+        make_assert("content1", true);
+        t1.done();
+      });
+
+      t2.step(function() {
+        make_assert("content2", false);
+        t2.done();
+      });
+
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-case-insensitive.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-case-insensitive.html
new file mode 100644
index 0000000000..4dcdc9f1e8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-case-insensitive.html
@@ -0,0 +1,55 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src
+                'SHA256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='
+                'SHA384-OliBBQtittDq3qDaEttMlHG1viNf50PLjSlvXirHZHpeKApMClrTJz+7VB5RTWdN'
+                'SHA512-4/SpqCV0WGbb2QZXBViFlnms4M0I+aUGg9/tIhr10twU89nlMSBLOhi3cVli39kyBZbUAlzk9xcVTMy+JDY+VA=='
+                'sHa256-7+4S4EQgq4w2e2BwX1xnE3sW12GIuGqtQRYDLLhOyaE='
+                'shA384-YmZjKJCd/pjU8gq/sFCON/NHfkHLAZqI0a4JxyX67Ark36qJAvPnEWACZrZlhR62'
+                'Sha512-/fwXanQOq033J+QFjepcRHT0DDD6fsQJGvoeBjpEM2PBV9ETzYYGXdkwH+TMqfiRnYsHAa/sPqQd2W4FoYYlOw=='
+                ">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("All style elements should load because they have proper hashes");
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <style>#content1 { margin-left: 2px; }</style>
+    <style>#content2 { margin-left: 2px; }</style>
+    <style>#content3 { margin-left: 2px; }</style>
+    <style>#content4 { margin-left: 2px; }</style>
+    <style>#content5 { margin-left: 2px; }</style>
+    <style>#content6 { margin-left: 2px; }</style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content1">Lorem ipsum</div>
+    <div id="content2">Lorem ipsum</div>
+    <div id="content3">Lorem ipsum</div>
+    <div id="content4">Lorem ipsum</div>
+    <div id="content5">Lorem ipsum</div>
+    <div id="content6">Lorem ipsum</div>
+
+    <script>
+      function make_assert(contentId) {
+        var contentEl = document.getElementById(contentId);
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px")
+      }
+      t.step(function() {
+        make_assert("content1");
+        make_assert("content2");
+        make_assert("content3");
+        make_assert("content4");
+        make_assert("content5");
+        make_assert("content6");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html
new file mode 100644
index 0000000000..d8a1c17183
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html
@@ -0,0 +1,42 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src
+                'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='
+                'sha384-OliBBQtittDq3qDaEttMlHG1viNf50PLjSlvXirHZHpeKApMClrTJz+7VB5RTWdN'
+                'sha512-4/SpqCV0WGbb2QZXBViFlnms4M0I+aUGg9/tIhr10twU89nlMSBLOhi3cVli39kyBZbUAlzk9xcVTMy+JDY+VA=='">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("All style elements should load because they have proper hashes")
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <style>#content1 { margin-left: 2px; }</style>
+    <style>#content2 { margin-left: 2px; }</style>
+    <style>#content3 { margin-left: 2px; }</style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content1">Lorem ipsum</div>
+    <div id="content2">Lorem ipsum</div>
+    <div id="content3">Lorem ipsum</div>
+
+    <script>
+      function make_assert(contentId) {
+        var contentEl = document.getElementById(contentId);
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px")
+      }
+      t.step(function() {
+        make_assert("content1");
+        make_assert("content2");
+        make_assert("content3");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html
new file mode 100644
index 0000000000..5bc0dfdf83
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html
@@ -0,0 +1,30 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' http://{{domains[www1]}}:{{ports[http][0]}}">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+        var t = async_test("Imported style that violates policy should not load");
+        document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <link href="/content-security-policy/style-src/resources/style-src-import.sub.css" rel=stylesheet type=text/css>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px")
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-imported-style-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-imported-style-blocked.html
new file mode 100644
index 0000000000..75c71a263d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-imported-style-blocked.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("@import stylesheet should not load because it does not match style-src");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+
+      var l = document.createElement("link");
+      l.setAttribute("href", "/content-security-policy/style-src/resources/style-src-import.sub.css");
+      l.setAttribute("rel", "stylesheet");
+      l.setAttribute("type", "text/css");
+      document.head.appendChild(l);
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-allowed-with-content-hash.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-allowed-with-content-hash.html
new file mode 100644
index 0000000000..c7b482b580
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-allowed-with-content-hash.html
@@ -0,0 +1,46 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; script-src 'self' 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("Inline injected style without text content should be allowed");
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+      t.done();
+
+      const style_null_child = document.createElement("style");
+      document.head.appendChild(style_null_child);
+      test(function() {
+        assert_not_equals(style_null_child.sheet, undefined, "style_null_child should have a stylesheet");
+        assert_class_string(style_null_child.sheet, "CSSStyleSheet");
+      }, "Inline style sheet should be created with null child node");
+
+      const style_empty_child = document.createElement("style");
+      style_empty_child.appendChild(document.createTextNode(""));
+      document.head.appendChild(style_empty_child);
+      test(function() {
+        assert_not_equals(style_empty_child.sheet, undefined, "style_empty_child should have a stylesheet");
+        assert_class_string(style_empty_child.sheet, "CSSStyleSheet");
+      }, "Inline style should be created with empty-string child node");
+
+      const { sheet } = style_empty_child;
+      sheet.insertRule("#content { margin-left: 2px; }");
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      test(function() {
+        var contentEl = document.getElementById("content");
+        var background_color = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(background_color, "2px");
+      }, "Inline style should be applied");
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html
new file mode 100644
index 0000000000..0a691f683c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline'">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+        var t = async_test("Injected inline style should load with 'unsafe-inline'");
+        document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script src='/content-security-policy/style-src/resources/style-src-inject-style.js'></script>
+
+    <script>
+      t.step(function() {
+        onload = t.step_func_done(function(e) {
+          var contentEl = document.getElementById("content");
+          var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+          assert_equals(marginLeftVal, "2px");
+          var marginRightVal = getComputedStyle(contentEl).getPropertyValue('margin-right');
+          assert_equals(marginRightVal, "2px");
+        });
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html
new file mode 100644
index 0000000000..d601fab125
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html
@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self'">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Injected style attributes should not be applied");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script src='/content-security-policy/style-src/resources/style-src-inject-style.js'></script>
+
+    <script>
+      onload = t.step_func_done(function(e) {
+        var contentEl = document.getElementById("content");
+
+        // the 'style-src-inject-style.js' script attempts to set attributes in two ways,
+        // once the left and once the right margin
+        // this is why in this test we check both to make sure neither way worked
+
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+        var marginRightVal = getComputedStyle(contentEl).getPropertyValue('margin-right');
+        assert_not_equals(marginRightVal, "2px");
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html
new file mode 100644
index 0000000000..8611e83f39
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src http://{{domains[www1]}}:{{ports[http][0]}};">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Programatically injected stylesheet should load");
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var link = document.createElement('link');
+      link.setAttribute('rel', 'stylesheet');
+      link.setAttribute('type', 'text/css');
+      link.setAttribute('href', 'http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/style-src/resources/style-src.css');
+
+      onload = t.step_func_done(function(e) {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px");
+      });
+
+      head.appendChild(link);
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html
new file mode 100644
index 0000000000..2c60efed26
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Programatically injected stylesheet should not load");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+
+    <script>
+      var head = document.getElementsByTagName('head')[0];
+      var link = document.createElement('link');
+      link.setAttribute('rel', 'stylesheet');
+      link.setAttribute('type', 'text/css');
+      link.setAttribute('href', 'http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/style-src/resources/style-src.css');
+
+      onload = t.step_func_done(function(e) {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+      });
+
+      head.appendChild(link);
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-allowed.html
new file mode 100644
index 0000000000..ead8d24c94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-allowed.html
@@ -0,0 +1,34 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("Inline style should apply with 'unsafe-inline'");
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <style>
+        #content {
+            margin-left: 2px;
+        }
+    </style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px");
+        t.done();
+      }, "Inline style should not be applied");
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html
new file mode 100644
index 0000000000..aad6465d55
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Inline style attribute should apply with 'unsafe-inline'");
+      document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+      onload = t.step_func_done(function(e) {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px");
+      });
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content" style="margin-left: 2px">Lorem ipsum</div>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html
new file mode 100644
index 0000000000..ef43ae4172
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+
+    <script>
+      var t = async_test("Inline style attribute should not be applied without 'unsafe-inline'");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-attr", e.violatedDirective);
+      }));
+      onload = t.step_func_done(function(e) {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+      });
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content" style="margin-left: 2px">Lorem ipsum</div>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-blocked.html
new file mode 100644
index 0000000000..889ec31e92
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-blocked.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("Inline style element should not load without 'unsafe-inline'");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+    <style>
+        /* none of this should be applied */
+        #content {
+            margin-left: 2px;
+        }
+    </style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html
new file mode 100644
index 0000000000..91e1997065
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html
@@ -0,0 +1,34 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+        var t = async_test("Style with correct nonce should load");
+        document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <style nonce="nonceynonce">
+        #content {
+            margin-left: 2px;
+        }
+    </style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html
new file mode 100644
index 0000000000..e5c0174f6f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html
@@ -0,0 +1,71 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+        function verifyStep1() {
+            var marginLeft = getComputedStyle(document.querySelector("#content")).getPropertyValue('margin-left');
+            assert_not_equals(marginLeft, '2px', "Content still does not have a 2px margin-left after initial style.");
+        }
+
+        function setupStep2() {
+            var sty = document.createElement("style");
+            sty.nonce = "not-nonceynonce";
+            sty.innerHTML = "#content { margin-left: 2px; }";
+            sty.onerror = styleError;
+            document.body.appendChild(sty);
+        }
+        function verifyStep2() {
+            var marginLeft = getComputedStyle(document.querySelector("#content")).getPropertyValue('margin-left');
+            assert_not_equals(marginLeft, '2px', "Content still does not have a 2px margin-left after inserted style.");
+        }
+
+        function setupStep3() {
+            var e = document.getElementById('style1');
+            e.innerHTML = "#content { margin-left: 2px; }";
+        }
+        function verifyStep3() {
+            var marginLeft = getComputedStyle(document.querySelector("#content")).getPropertyValue('margin-left');
+            assert_not_equals(marginLeft, '2px', "Content still does not have a 2px margin-left after changing style.");
+            test.done();
+        }
+
+        var verifySteps = [ verifyStep1, verifyStep2, verifyStep3 ];
+        var setupSteps = [ setupStep2, setupStep3 ];
+
+        var test = async_test("Test that paragraph remains unmodified and error events received.");
+
+        function styleError() {
+            test.step(function() {
+                verifySteps.shift()();
+                var nextSetup = setupSteps.shift();
+                if (nextSetup)
+                    nextSetup();
+            });
+        }
+    </script>
+
+    <style id="style1" nonce="not-nonceynonce"
+           onerror="styleError();">
+        #content {
+            margin-left: 2px;
+        }
+    </style>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html
new file mode 100644
index 0000000000..0d9eee8c62
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html
@@ -0,0 +1,37 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-nonceynonce'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("Should not load inline style element with invalid nonce");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+    <style nonce="not-nonceynonce">
+        #content {
+            margin-left: 2px;
+        }
+    </style>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html
new file mode 100644
index 0000000000..027c61d8c6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Multiple policies with different hashing algorithms still work.</title>
+  <meta name="timeout" content="long">
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t = async_test("Test that style loads if allowed by proper hash values");
+    document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
+  </script>
+
+  <!-- test will time out if this style is not allowed to load -->
+  <style onload="t.done();" onerror="t.unreached_func('Should have loaded the style');">p {color:blue;}</style>
+
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/testing/web-platform/tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
new file mode 100644
index 0000000000..e31aa5aa27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
@@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/style-src/
+Content-Security-Policy: style-src 'sha256-rB6kiow2O3eFUeTNyyLeK3wV0+l7vNB90J1aqllKvjg='; script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: style-src 'sha384-DAShdG5sejEaOdWfT+TQMRP5mHssKiUNjFggNnElIvIoj048XQlacVRs+za2AM1a'; script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-none-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-none-blocked.html
new file mode 100644
index 0000000000..481da87d58
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-none-blocked.html
@@ -0,0 +1,33 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("Should not stylesheet when style-src is 'none'");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+    <link href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-star-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-star-allowed.html
new file mode 100644
index 0000000000..11d7e2c717
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-star-allowed.html
@@ -0,0 +1,29 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src *;">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+        var t = async_test("* should allow any style");
+        document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <link href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html
new file mode 100644
index 0000000000..a65b8561fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html
@@ -0,0 +1,30 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+        var t = async_test("Stylesheet link should load with correct nonce");
+        document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+    </script>
+
+    <link nonce="nonceynonce" href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html b/testing/web-platform/tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html
new file mode 100644
index 0000000000..ad6860e648
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html
@@ -0,0 +1,33 @@
+<!doctype html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script>
+      var t = async_test("Should not load stylesheet without correct nonce");
+      var t_spv = async_test("Should fire a securitypolicyviolation event");
+
+      document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+        assert_equals("style-src-elem", e.violatedDirective);
+      }));
+    </script>
+    <link nonce="not-nonceynonce" href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
+</head>
+<body>
+    <div id='log'></div>
+
+    <div id="content">Lorem ipsum</div>
+
+    <script>
+      t.step(function() {
+        var contentEl = document.getElementById("content");
+        var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+        assert_not_equals(marginLeftVal, "2px");
+        t.done();
+      });
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/stylehash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/stylehash-allowed.sub.html
new file mode 100644
index 0000000000..f192b5bf48
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/stylehash-allowed.sub.html
@@ -0,0 +1,81 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>stylehash-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("Fail");
+        });
+
+        var t_alert = async_test('Expecting alerts: ["PASS (1/4): The \'#p1\' element\'s text is green, which means the style was correctly applied.","PASS (2/4): The \'#p2\' element\'s text is green, which means the style was correctly applied.","PASS (3/4): The \'#p3\' element\'s text is green, which means the style was correctly applied.","PASS (4/4): The \'#p4\' element\'s text is green, which means the style was correctly applied."]');
+        var expected_alerts = ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.", "PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.", "PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.", "PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <!-- enforcing policy:
+style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+    <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p1 is fired.</p>
+    <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p2 is fired.</p>
+    <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p3 is fired.</p>
+    <p id="p4">This tests the result of a valid style hash. It passes if this text is green, and a &quot;PASS&quot; alert for p4 is fired.</p>
+    <style>p#p1 { color: green; }</style>
+    <style>p#p2 { color: green; }</style>
+    <style>p#p3 { color: green; }</style>
+    <style>p#p4 { color: green; }</style>
+    <script>
+        var color = window.getComputedStyle(document.querySelector('#p1')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
+        var color = window.getComputedStyle(document.querySelector('#p2')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
+        var color = window.getComputedStyle(document.querySelector('#p3')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
+        var color = window.getComputedStyle(document.querySelector('#p4')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied.");
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html
new file mode 100644
index 0000000000..927fa330bf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>stylehash-basic-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("violated-directive=" + e.violatedDirective);
+        });
+
+        var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]');
+        var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"];
+
+        function alert_assert(msg) {
+            t_alert.step(function() {
+                if (msg.match(/^FAIL/i)) {
+                    assert_unreached(msg);
+                    t_alert.done();
+                }
+                for (var i = 0; i < expected_alerts.length; i++) {
+                    if (expected_alerts[i] == msg) {
+                        assert_equals(expected_alerts[i], msg);
+                        expected_alerts.splice(i, 1);
+                        if (expected_alerts.length == 0) {
+                            t_alert.done();
+                        }
+                        return;
+                    }
+                }
+                assert_unreached('unexpected alert: ' + msg);
+                t_log.done();
+            });
+        }
+
+    </script>
+    <style>p { color: green; }</style>
+    <style>p { color: red; }</style>
+    <style>p { color: purple; }</style>
+    <style>p { color: blue; }</style>
+</head>
+
+<body>
+    <p>
+        This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated.
+    </p>
+    <script>
+        var color = window.getComputedStyle(document.querySelector('p')).color;
+        if (color === "rgb(0, 128, 0)")
+            alert_assert("PASS: The 'p' element's text is green, which means the style was correctly applied.");
+        else
+            alert_assert("FAIL: The 'p' element's text is " + color + ", which means the style was incorrectly applied.");
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/stylehash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/style-src/stylehash-default-src.sub.html
new file mode 100644
index 0000000000..236fbdd060
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/stylehash-default-src.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>stylehash allowed from default-src</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+        setup({ single_test: true });
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached("securitypolicyviolat was fired");
+        });
+    </script>
+    </head>
+
+    <body>
+    <p id="p">Test</p>
+    <style>p#p { color: green; }</style>
+    <script>
+    var color = window.getComputedStyle(document.querySelector('#p')).color;
+    assert_equals(color, "rgb(0, 128, 0)");
+    done();
+    </script>
+
+    <div id="log"></div>
+    </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/stylenonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/style-src/stylenonce-allowed.sub.html
new file mode 100644
index 0000000000..fcedc15ec6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/stylenonce-allowed.sub.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>stylenonce-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        var t_spv = async_test("Should fire securitypolicyviolation");
+        window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "style-src-elem");
+        }));
+
+    </script>
+
+    <style nonce="noncynonce">
+        #test1 {
+            color: green;
+        }
+
+    </style>
+    <style>
+        #test1 {
+            color: red;
+        }
+
+    </style>
+    <style nonce="noncynonce">
+        #test2 {
+            color: green;
+        }
+
+    </style>
+</head>
+
+<body>
+    <p id="test1">This text should be green.</p>
+    <p id="test2">This text should also be green.</p>
+    <script>
+        var el = document.querySelector('#test1');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+        });
+        var el = document.querySelector('#test2');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+        });
+
+    </script>
+    <p>Style correctly allowed via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/stylenonce-blocked.sub.html b/testing/web-platform/tests/content-security-policy/style-src/stylenonce-blocked.sub.html
new file mode 100644
index 0000000000..4b2381fc33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/stylenonce-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>stylenonce-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <link rel="stylesheet" type="text/css" href="../style-src/resources/allowed.css">
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        var t_spv = async_test("Should fire securitypolicyviolation");
+        window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "style-src-elem");
+        }));
+    </script>
+    <style nonce="noncynonce">
+        #test {
+            color: red;
+        }
+
+    </style>
+</head>
+
+<body>
+    <p id="test">This text should be green.</p>
+    <script>
+        var el = document.querySelector('#test');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+        });
+
+    </script>
+    <p>Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.</p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/style-src/support/inject-style.js b/testing/web-platform/tests/content-security-policy/style-src/support/inject-style.js
new file mode 100644
index 0000000000..532645a455
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/style-src/support/inject-style.js
@@ -0,0 +1,5 @@
+document.write("<style>#test1 { display: none; }</style>");
+
+var s = document.createElement('style');
+s.textContent = "#test2 { display: none; }";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/support/alert-pass.js b/testing/web-platform/tests/content-security-policy/support/alert-pass.js
new file mode 100644
index 0000000000..d3f811ec1b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/alert-pass.js
@@ -0,0 +1 @@
+alert_assert("PASS");
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js b/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js
new file mode 100644
index 0000000000..3877b2679d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js
@@ -0,0 +1,43 @@
+// note, this template substitution is XSS, but no way to avoid it in this framework
+var expected_alerts = {{GET[alerts]}};
+var timeout= "{{GET[timeout]}}";
+if (timeout == "") {
+  timeout = 2;
+}
+
+if(expected_alerts.length == 0) {
+  function alert_assert(msg) {
+   test(function () { assert_unreached(msg) });
+ }
+} else {
+ var t_alert = async_test('Expecting alerts: {{GET[alerts]}}');
+ step_timeout(function() {
+   if(t_alert.phase != t_alert.phases.COMPLETE) {
+     t_alert.step(function() { assert_unreached('Alert timeout, expected alerts ' + expected_alerts  + ' not fired.') });
+     t_alert.done();
+    }
+ }, timeout * 1000);
+ var alert_assert = function (msg) {
+     t_alert.step(function () {
+         if(msg && msg instanceof Error) {
+             msg = msg.message;
+         }
+         if (msg && msg.match(/^FAIL/i)) {
+             assert_unreached(msg);
+             t_alert.done();
+         }
+         for (var i = 0; i < expected_alerts.length; i++) {
+             if (expected_alerts[i] == msg) {
+                 assert_equals(expected_alerts[i], msg);
+                 expected_alerts.splice(i, 1);
+                 if (expected_alerts.length == 0) {
+                     t_alert.done();
+                 }
+                 return;
+             }
+         }
+         assert_unreached('unexpected alert: ' + msg);
+         t_log.done();
+     });
+ }.bind(this);
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js b/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js
new file mode 100644
index 0000000000..9cc242662b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/checkReport.sub.js
@@ -0,0 +1,138 @@
+(function () {
+
+  // Get values from the substitution engine.
+  // We can't just pull these from the document context
+  // because this script is intended to be transcluded into
+  // another document, and we want the GET values used to request it,
+  // not the values for the including document
+
+  // XXX these are unencoded, so there's an unavoidable
+  // injection vulnerability in constructing this file...
+  // need to upgrade the template engine.
+  var reportField  = "{{GET[reportField]}}";
+  var reportValue  = "{{GET[reportValue]}}";
+  var reportExists = "{{GET[reportExists]}}";
+  var noCookies = "{{GET[noCookies]}}";
+  var reportCookieName = "{{GET[reportCookieName]}}"
+  var testName = "{{GET[testName]}}"
+  var cookiePresent = "{{GET[cookiePresent]}}"
+  var reportCount = "{{GET[reportCount]}}"
+
+  var location = window.location;
+  if (reportCookieName == "") {
+    // fallback on test file name if cookie name not specified
+    reportCookieName = location.pathname.split('/')[location.pathname.split('/').length - 1].split('.')[0];
+  }
+
+  var reportID = "{{GET[reportID]}}";
+
+  if (reportID == "") {
+    var cookies = document.cookie.split(';');
+    for (var i = 0; i < cookies.length; i++) {
+      var cookieName = cookies[i].split('=')[0].trim();
+      var cookieValue = cookies[i].split('=')[1].trim();
+
+      if (cookieName == reportCookieName) {
+        reportID = cookieValue;
+        var cookieToDelete = cookieName + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1);
+        document.cookie = cookieToDelete;
+        break;
+      }
+    }
+  }
+
+  // There is no real way to test (in this particular layer) that a CSP report
+  // has *not* been sent, at least not without some major reworks and
+  // involvement from all the platform participants. So the current "solution"
+  // is to wait for some reasonable amount of time and if no report has been
+  // received to conclude that no report has been generated. These timeouts must
+  // not exceed the test timeouts set by vendors otherwise the test would fail.
+  var timeout = document.querySelector("meta[name=timeout][content=long]") ? 20 : 3;
+  var reportLocation = location.protocol + "//" + location.host + "/reporting/resources/report.py?op=retrieve_report&timeout=" + timeout + "&reportID=" + reportID;
+
+  if (testName == "") testName = "Violation report status OK.";
+  var reportTest = async_test(testName);
+
+  function assert_field_value(field, value, field_name) {
+    assert_true(field.indexOf(value.split(" ")[0]) != -1,
+                field_name + " value of  \"" + field + "\" did not match " +
+                value.split(" ")[0] + ".");
+  }
+
+  reportTest.step(function () {
+
+    var report = new XMLHttpRequest();
+    report.onload = reportTest.step_func(function () {
+      var data = JSON.parse(report.responseText);
+
+      if (data.error) {
+        assert_equals("false", reportExists, data.error);
+      } else {
+        if (reportExists === "false") {
+          assert_equals(data.length, 0,
+                        "CSP report sent, but not expecting one.");
+        } else {
+          // With the 'report-uri' directive, the report is contained in
+          // `data[0]["csp-report"]`. With the 'report-to' directive, the report
+          // is contained in `data[0]["body"]`.
+          const reportBody = data[0]["body"]
+                ? data[0]["body"]
+                : data[0]["csp-report"];
+
+          assert_true(reportBody !== undefined,
+                      "No CSP report sent, but expecting one.");
+          // Firefox expands 'self' or origins in a policy to the actual origin value
+          // so "www.example.com" becomes "http://www.example.com:80".
+          // Accomodate this by just testing that the correct directive name
+          // is reported, not the details...
+
+          if (reportBody[reportField] !== undefined) {
+            assert_field_value(reportBody[reportField], reportValue, reportField);
+          } else {
+            assert_equals(reportField, "", "Expected report field could not be found in report.");
+          }
+        }
+      }
+
+      reportTest.done();
+    });
+
+    report.open("GET", reportLocation, true);
+    report.send();
+  });
+
+  if (noCookies || cookiePresent) {
+      var cookieTest = async_test("Test report cookies.");
+      var cookieReport = new XMLHttpRequest();
+      cookieReport.onload = cookieTest.step_func(function () {
+        var data = JSON.parse(cookieReport.responseText);
+        if (noCookies) {
+          assert_equals(data.reportCookies, "None", "Report should not contain any cookies");
+        }
+
+        if (cookiePresent) {
+          assert_true(data.reportCookies.hasOwnProperty(cookiePresent), "Report should contain cookie: " + cookiePresent);
+        }
+        cookieTest.done();
+      });
+      var cReportLocation = location.protocol + "//" + location.host + "/reporting/resources/report.py?op=retrieve_cookies&timeout=" + timeout + "&reportID=" + reportID;
+      cookieReport.open("GET", cReportLocation, true);
+      cookieReport.send();
+  }
+
+  if (reportCount != "") {
+      var reportCountTest = async_test("Test number of sent reports.");
+      var reportCountReport = new XMLHttpRequest();
+      reportCountReport.onload = reportCountTest.step_func(function () {
+        var data = JSON.parse(reportCountReport.responseText);
+
+        assert_equals(data.report_count, +reportCount, "Report count was not what was expected.");
+
+        reportCountTest.done();
+      });
+      var cReportLocation = location.protocol + "//" + location.host + "/reporting/resources/report.py?op=retrieve_count&timeout=" + timeout + "&reportID=" + reportID;
+      reportCountReport.open("GET", cReportLocation, true);
+      reportCountReport.send();
+  }
+
+})();
diff --git a/testing/web-platform/tests/content-security-policy/support/dedicated-worker-helper.js b/testing/web-platform/tests/content-security-policy/support/dedicated-worker-helper.js
new file mode 100644
index 0000000000..8441ab0de7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/dedicated-worker-helper.js
@@ -0,0 +1,5 @@
+var url = new URL("../support/ping.js", document.baseURI).toString();
+if (document.getElementById("foo").hasAttribute("blocked-worker"))
+  assert_worker_is_blocked(url, document.getElementById("foo").getAttribute("data-desc-fallback"));
+else
+  assert_worker_is_loaded(url, document.getElementById("foo").getAttribute("data-desc-fallback"));
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/document-write-alert-fail.js b/testing/web-platform/tests/content-security-policy/support/document-write-alert-fail.js
new file mode 100644
index 0000000000..5e78ca0dac
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/document-write-alert-fail.js
@@ -0,0 +1 @@
+document.write("<script>test(function () { assert_unreached('FAIL inline script from document.write ran') });</script>");
diff --git a/testing/web-platform/tests/content-security-policy/support/echo-policy.py b/testing/web-platform/tests/content-security-policy/support/echo-policy.py
new file mode 100644
index 0000000000..3a4b2f3d2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/echo-policy.py
@@ -0,0 +1,3 @@
+def main(request, response):
+    policy = request.GET.first(b"policy")
+    return [(b"Content-Type", b"text/html"), (b"Content-Security-Policy", policy)], b"<!DOCTYPE html><title>Echo.</title>"
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.asis b/testing/web-platform/tests/content-security-policy/support/fail.asis
new file mode 100644
index 0000000000..96196615bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.asis
@@ -0,0 +1,5 @@
+HTTP/1.1 200 OK
+Content-Type: text/plain
+Access-Control-Allow-Origin: *
+
+FAIL
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.html b/testing/web-platform/tests/content-security-policy/support/fail.html
new file mode 100644
index 0000000000..fedcc31bd3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.html
@@ -0,0 +1,3 @@
+<script>
+  test(function() { assert_unreached("FAIL")});
+</script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.js b/testing/web-platform/tests/content-security-policy/support/fail.js
new file mode 100644
index 0000000000..9632567a6e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.js
@@ -0,0 +1 @@
+test(function() { assert_unreached("FAIL")});
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/fail.png b/testing/web-platform/tests/content-security-policy/support/fail.png
new file mode 100644
index 0000000000..b593380333
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fail.png
diff --git a/testing/web-platform/tests/content-security-policy/support/file-prefetch-allowed.html b/testing/web-platform/tests/content-security-policy/support/file-prefetch-allowed.html
new file mode 100644
index 0000000000..bd60d262ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/file-prefetch-allowed.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <!-- CSP directive 'prefetch-src' is not supported via meta tag though -->
+  <meta http-equiv="Content-Security-Policy" content="prefetch-src 'self'">
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/support/fonts.css b/testing/web-platform/tests/content-security-policy/support/fonts.css
new file mode 100644
index 0000000000..848961c8dc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/fonts.css
@@ -0,0 +1,8 @@
+@font-face {
+  font-family: 'Ahem';
+  src: url('/fonts/Ahem.ttf');
+}
+
+body {
+  font-family: 'Ahem', Fallback, sans-serif;
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/import-scripts.js b/testing/web-platform/tests/content-security-policy/support/import-scripts.js
new file mode 100644
index 0000000000..8325ebb3fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/import-scripts.js
@@ -0,0 +1,3 @@
+self.a = false;
+importScripts('/content-security-policy/support/var-a.js');
+postMessage({ 'executed': self.a });
diff --git a/testing/web-platform/tests/content-security-policy/support/inject-image.js b/testing/web-platform/tests/content-security-policy/support/inject-image.js
new file mode 100644
index 0000000000..a10d50a983
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/inject-image.js
@@ -0,0 +1,4 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/content-security-policy/support/fail.png';
+document.body.appendChild(i);
diff --git a/testing/web-platform/tests/content-security-policy/support/inject-image.sub.js b/testing/web-platform/tests/content-security-policy/support/inject-image.sub.js
new file mode 100644
index 0000000000..acf04f325f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/inject-image.sub.js
@@ -0,0 +1,3 @@
+var i = document.createElement('img');
+i.src = "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png";
+document.body.appendChild(i);
diff --git a/testing/web-platform/tests/content-security-policy/support/logTest.sub.js b/testing/web-platform/tests/content-security-policy/support/logTest.sub.js
new file mode 100644
index 0000000000..29b8a271f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/logTest.sub.js
@@ -0,0 +1,41 @@
+// note, this template substitution is XSS, but no way to avoid it in this framework
+var expected_logs = {{GET[logs]}};
+var timeout = "{{GET[timeout]}}";
+if (timeout == "") {
+  timeout = 2;
+}
+
+if (expected_logs.length == 0) {
+    function log_assert(msg) {
+        test(function () { assert_unreached(msg) });
+    }
+} else {
+    var t_log = async_test('Expecting logs: {{GET[logs]}}');
+    step_timeout(function() {
+      if(t_log.phase != t_log.phases.COMPLETE){
+        t_log.step(function () { assert_unreached('Logging timeout, expected logs ' + expected_logs + ' not sent.') });
+        t_log.done();
+      }
+    }, timeout * 1000);
+    function log(msg) {
+        //cons/**/ole.log(msg);
+        t_log.step(function () {
+            if (msg.match(/^FAIL/i)) {
+                assert_unreached(msg);
+                t_log.done();
+            }
+            for (var i = 0; i < expected_logs.length; i++) {
+                if (expected_logs[i] == msg) {
+                    assert_equals(expected_logs[i], msg);
+                    expected_logs.splice(i, 1);
+                    if (expected_logs.length == 0) {
+                        t_log.done();
+                    }
+                    return;
+                 }
+             }
+             assert_unreached('unexpected log: ' + msg);
+             t_log.done();
+        });
+    }
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/manifest.json b/testing/web-platform/tests/content-security-policy/support/manifest.json
new file mode 100644
index 0000000000..97da19c5ca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/manifest.json
@@ -0,0 +1,5 @@
+{
+    "name": "Dummy manifest",
+    "start_url": "/start.html"
+}
+                                                                               
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/nonce-should-be-blocked.js b/testing/web-platform/tests/content-security-policy/support/nonce-should-be-blocked.js
new file mode 100644
index 0000000000..501f7a9208
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/nonce-should-be-blocked.js
@@ -0,0 +1 @@
+t.unreached_func(document.currentScript.getAttribute('src') + " should not execute.")();
diff --git a/testing/web-platform/tests/content-security-policy/support/pass.png b/testing/web-platform/tests/content-security-policy/support/pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/pass.png
diff --git a/testing/web-platform/tests/content-security-policy/support/pass2.png b/testing/web-platform/tests/content-security-policy/support/pass2.png
new file mode 100644
index 0000000000..2fa1e0ac06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/pass2.png
diff --git a/testing/web-platform/tests/content-security-policy/support/ping.js b/testing/web-platform/tests/content-security-policy/support/ping.js
new file mode 100644
index 0000000000..750ae45f96
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/ping.js
@@ -0,0 +1,12 @@
+if (typeof ServiceWorkerGlobalScope === "function") {
+  self.onmessage = function (e) { e.source.postMessage("ping"); };
+} else if (typeof SharedWorkerGlobalScope === "function") {
+  onconnect = function (e) {
+    var port = e.ports[0];
+
+    port.onmessage = function () { port.postMessage("ping"); }
+    port.postMessage("ping");
+  };
+} else if (typeof DedicatedWorkerGlobalScope === "function") {
+  self.postMessage("ping");
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/post-message.js b/testing/web-platform/tests/content-security-policy/support/post-message.js
new file mode 100644
index 0000000000..69daa31d2f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/testing/web-platform/tests/content-security-policy/support/postmessage-fail.html b/testing/web-platform/tests/content-security-policy/support/postmessage-fail.html
new file mode 100644
index 0000000000..a0308ad98b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/postmessage-fail.html
@@ -0,0 +1,4 @@
+<script>
+    window.parent.postMessage('FAIL', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/support/postmessage-pass-to-opener.html b/testing/web-platform/tests/content-security-policy/support/postmessage-pass-to-opener.html
new file mode 100644
index 0000000000..e1bdf7102f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/postmessage-pass-to-opener.html
@@ -0,0 +1,3 @@
+<script>
+  window.top.opener.postMessage('PASS', '*');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/support/postmessage-pass.html b/testing/web-platform/tests/content-security-policy/support/postmessage-pass.html
new file mode 100644
index 0000000000..700167b5db
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/postmessage-pass.html
@@ -0,0 +1,4 @@
+<script>
+    window.parent.postMessage('PASS', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/support/prefetch-helper.js b/testing/web-platform/tests/content-security-policy/support/prefetch-helper.js
new file mode 100644
index 0000000000..c0c0be9157
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/prefetch-helper.js
@@ -0,0 +1,85 @@
+setup(_ => {
+  assert_implements_optional(
+    document.createElement('link').relList.supports('prefetch'),
+    "Browser supports prefetch.");
+  assert_implements_optional(
+    "PerformanceResourceTiming" in window,
+    "Browser supports performance APIs.");
+});
+
+function assert_resource_not_downloaded(test, url) {
+  // CSP failures generate resource timing entries, so let's make sure that
+  // download sizes are 0.
+  const entries = performance.getEntriesByName(url, 'resource');
+  for (const entry of entries) {
+    assert_equals(entry.transferSize, 0, 'transferSize');
+    assert_equals(entry.encodedBodySize, 0, 'encodedBodySize');
+    assert_equals(entry.decodedBodySize, 0, 'decodedBodySize');
+  }
+}
+
+function assert_link_prefetches(test, link) {
+  assert_no_csp_event_for_url(test, link.href);
+
+  link.onerror = test.unreached_func('onerror should not fire.');
+
+  // Test is finished when either the `load` event fires, or we get a performance
+  // entry showing that the resource loaded successfully.
+  link.onload = test.step_func(test.step_func_done());
+  waitUntilResourceDownloaded(link.href).then(test.step_func_done());
+
+  document.head.appendChild(link);
+}
+
+function assert_link_does_not_prefetch(test, link) {
+  let cspEvent = false;
+  let errorEvent = false;
+
+  waitUntilCSPEventForURL(test, link.href)
+      .then(test.step_func(e => {
+        cspEvent = true;
+        assert_equals(e.violatedDirective, "prefetch-src");
+        assert_equals(e.effectiveDirective, "prefetch-src");
+
+        if (errorEvent)
+          test.done();
+      }));
+
+  link.onerror = test.step_func(e => {
+    errorEvent = true;
+    if (cspEvent)
+      test.done();
+  });
+  link.onload = test.unreached_func('onload should not fire.');
+
+  document.head.appendChild(link);
+}
+
+async function try_to_prefetch(href, test) {
+  const url = new URL(href, location.href);
+  url.searchParams.set(
+      'pipe',
+      '|header(Cache-Control, max-age=604800)' +
+          '|header(Access-Control-Allow-Origin, *)' +
+          '|header(Timing-Allow-Origin, *)');
+  url.searchParams.set('uuid', token());
+
+  const link = document.createElement('link');
+  link.rel = 'prefetch';
+  link.href = url.toString();
+  link.crossOrigin = 'anonymous';
+  test.add_cleanup(() => link.remove());
+
+  const didPrefetch = new Promise(resolve => {
+    const observer = new PerformanceObserver(list => {
+      const entries = list.getEntriesByName(link.href);
+      if (entries.length) {
+        resolve(entries[0]);
+      }
+    });
+    observer.observe({entryTypes: ['resource']})
+  });
+  document.head.appendChild(link);
+  const entry = await didPrefetch;
+  return entry.requestStart > 0 && entry.decodedBodySize > 0;
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/prefetch-subresource.css b/testing/web-platform/tests/content-security-policy/support/prefetch-subresource.css
new file mode 100644
index 0000000000..4c4fa46442
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/prefetch-subresource.css
@@ -0,0 +1,3 @@
+/* This CSS file sends some headers:
+ *     Link: </content-security-policy/support/fail.png>;rel=prefetch
+ */
diff --git a/testing/web-platform/tests/content-security-policy/support/prefetch-subresource.css.headers b/testing/web-platform/tests/content-security-policy/support/prefetch-subresource.css.headers
new file mode 100644
index 0000000000..eaf7b16638
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/prefetch-subresource.css.headers
@@ -0,0 +1 @@
+Link: </content-security-policy/support/fail.png>;rel=prefetch
diff --git a/testing/web-platform/tests/content-security-policy/support/prefetch-with-csp.html b/testing/web-platform/tests/content-security-policy/support/prefetch-with-csp.html
new file mode 100644
index 0000000000..8185a3abee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/prefetch-with-csp.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+  <html>
+    <head>
+      <link id="prefetch" rel="prefetch" href="pass.png">
+    </head>
+    <body>
+      <script>
+        const bc = new BroadcastChannel(new URLSearchParams(location.search).get("uid"));
+        document.getElementById("prefetch").addEventListener("error", e => bc.postMessage(false));
+        const observer = new PerformanceObserver(entries => {
+          const found = entries.getEntriesByName(new URL("pass.png", location.href).href);
+          if (found.length)
+            bc.postMessage(found[0].encodedBodySize > 0);
+        });
+        observer.observe({entryTypes: ["resource"]});
+      </script>
+    </body>
+  </html>
diff --git a/testing/web-platform/tests/content-security-policy/support/resource.py b/testing/web-platform/tests/content-security-policy/support/resource.py
new file mode 100644
index 0000000000..4d73d5bf76
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/resource.py
@@ -0,0 +1,5 @@
+def main(request, response):
+    headers = []
+    headers.append((b"Access-Control-Allow-Origin", b"*"))
+
+    return headers, b"{ \"result\": \"success\" }"
diff --git a/testing/web-platform/tests/content-security-policy/support/service-worker-helper.js b/testing/web-platform/tests/content-security-policy/support/service-worker-helper.js
new file mode 100644
index 0000000000..b5f65c96a0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/service-worker-helper.js
@@ -0,0 +1,5 @@
+var url = new URL("../support/ping.js", document.baseURI).toString();
+if (document.getElementById("foo").hasAttribute("blocked-worker"))
+  assert_service_worker_is_blocked(url, document.getElementById("foo").getAttribute("data-desc-fallback"));
+else
+  assert_service_worker_is_loaded(url, document.getElementById("foo").getAttribute("data-desc-fallback"));
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/shared-worker-helper.js b/testing/web-platform/tests/content-security-policy/support/shared-worker-helper.js
new file mode 100644
index 0000000000..2a3873873f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/shared-worker-helper.js
@@ -0,0 +1,5 @@
+var url = new URL("../support/ping.js", document.baseURI).toString();
+if (document.getElementById("foo").hasAttribute("blocked-worker"))
+  assert_shared_worker_is_blocked(url, document.getElementById("foo").getAttribute("data-desc-fallback"));
+else
+  assert_shared_worker_is_loaded(url, document.getElementById("foo").getAttribute("data-desc-fallback"));
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/siblingPath.js b/testing/web-platform/tests/content-security-policy/support/siblingPath.js
new file mode 100644
index 0000000000..f4012f04dd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/siblingPath.js
@@ -0,0 +1,5 @@
+ buildSiblingPath = function(hostPrefix, relativePath, newPort) {
+  var port = newPort ? newPort : document.location.port;
+  var path = document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1);
+  return (document.location.protocol + '//' + hostPrefix + "." + document.location.hostname + ':' + port + path + relativePath);
+};
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/support/testharness-helper.js b/testing/web-platform/tests/content-security-policy/support/testharness-helper.js
new file mode 100644
index 0000000000..5c36e286da
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/testharness-helper.js
@@ -0,0 +1,142 @@
+function assert_no_csp_event_for_url(test, url) {
+  self.addEventListener("securitypolicyviolation", test.step_func(e => {
+    if (e.blockedURI !== url)
+      return;
+    assert_unreached("SecurityPolicyViolation event fired for " + url);
+  }));
+}
+
+function assert_no_event(test, obj, name) {
+  obj.addEventListener(name, test.unreached_func("The '" + name + "' event should not have fired."));
+}
+
+function waitUntilCSPEventForURLOrLine(test, url, line) {
+  return new Promise((resolve, reject) => {
+    self.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.blockedURI == url && (!line || line == e.lineNumber))
+        resolve(e);
+    }));
+  });
+}
+
+function waitUntilCSPEventForURL(test, url) {
+  return waitUntilCSPEventForURLOrLine(test, url);
+}
+
+function waitUntilCSPEventForEval(test, line) {
+  return waitUntilCSPEventForURLOrLine(test, "eval", line);
+}
+
+function waitUntilCSPEventForTrustedTypes(test) {
+  return waitUntilCSPEventForURLOrLine(test, "trusted-types-sink");
+}
+
+function waitUntilEvent(obj, name) {
+  return new Promise((resolve, reject) => {
+    obj.addEventListener(name, resolve);
+  });
+}
+
+// Given the URL of a worker that pings its opener upon load, this
+// function builds a test that asserts that the ping is received,
+// and that no CSP event fires.
+function assert_worker_is_loaded(url, description, expected_message = "ping") {
+  async_test(t => {
+    assert_no_csp_event_for_url(t, url);
+    var w = new Worker(url);
+    assert_no_event(t, w, "error");
+    waitUntilEvent(w, "message")
+      .then(t.step_func_done(e => {
+        assert_equals(e.data, expected_message);
+      }));
+  }, description);
+}
+
+function assert_shared_worker_is_loaded(url, description, expected_message = "ping") {
+  async_test(t => {
+    assert_no_csp_event_for_url(t, url);
+    var w = new SharedWorker(url);
+    assert_no_event(t, w, "error");
+    waitUntilEvent(w.port, "message")
+      .then(t.step_func_done(e => {
+        assert_equals(e.data, expected_message);
+      }));
+    w.port.start();
+  }, description);
+}
+
+function assert_service_worker_is_loaded(url, description) {
+  promise_test(t => {
+    assert_no_csp_event_for_url(t, url);
+    return Promise.all([
+      waitUntilEvent(navigator.serviceWorker, "message")
+        .then(e => {
+          assert_equals(e.data, "ping");
+        }),
+      navigator.serviceWorker.register(url, { scope: url })
+        .then(r => {
+          var sw = r.active || r.installing || r.waiting;
+          t.add_cleanup(_ => r.unregister());
+          sw.postMessage("pong?");
+        })
+    ]);
+  }, description);
+}
+
+// Given the URL of a worker that pings its opener upon load, this
+// function builds a test that asserts that the constructor throws
+// a SecurityError, and that a CSP event fires.
+function assert_worker_is_blocked(url, description) {
+  async_test(t => {
+    // If |url| is a blob, it will be stripped down to "blob" for reporting.
+    var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url;
+    waitUntilCSPEventForURL(t, reportedURL)
+      .then(t.step_func_done(e => {
+        assert_equals(e.blockedURI, reportedURL);
+        assert_equals(e.violatedDirective, "worker-src");
+        assert_equals(e.effectiveDirective, "worker-src");
+      }));
+
+    // TODO(mkwst): We shouldn't be throwing here. We should be firing an
+    // `error` event on the Worker. https://crbug.com/663298
+    assert_throws_dom("SecurityError", function () {
+      var w = new Worker(url);
+    });
+  }, description);
+}
+
+function assert_shared_worker_is_blocked(url, description) {
+  async_test(t => {
+    // If |url| is a blob, it will be stripped down to "blob" for reporting.
+    var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url;
+    waitUntilCSPEventForURL(t, reportedURL)
+      .then(t.step_func_done(e => {
+        assert_equals(e.blockedURI, reportedURL);
+        assert_equals(e.violatedDirective, "worker-src");
+        assert_equals(e.effectiveDirective, "worker-src");
+      }));
+
+    // TODO(mkwst): We shouldn't be throwing here. We should be firing an
+    // `error` event on the SharedWorker. https://crbug.com/663298
+    assert_throws_dom("SecurityError", function () {
+      var w = new SharedWorker(url);
+    });
+  }, description);
+}
+
+function assert_service_worker_is_blocked(url, description) {
+  promise_test(t => {
+    assert_no_event(t, navigator.serviceWorker, "message");
+    // If |url| is a blob, it will be stripped down to "blob" for reporting.
+    var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url;
+    return Promise.all([
+      waitUntilCSPEventForURL(t, reportedURL)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, reportedURL);
+          assert_equals(e.violatedDirective, "worker-src");
+          assert_equals(e.effectiveDirective, "worker-src");
+        })),
+      promise_rejects_dom(t, "SecurityError", navigator.serviceWorker.register(url, { scope: url }))
+    ]);
+  }, description);
+}
diff --git a/testing/web-platform/tests/content-security-policy/support/var-a.js b/testing/web-platform/tests/content-security-policy/support/var-a.js
new file mode 100644
index 0000000000..5fc5fde204
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/support/var-a.js
@@ -0,0 +1 @@
+self.a = true;
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
new file mode 100644
index 0000000000..51215d9044
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+     xmlns="http://www.w3.org/2000/svg" version="1.1"
+     xmlns:xlink="http://www.w3.org/1999/xlink">
+  <desc>using SVG as a resource doc should apply this doc's CSP</desc>
+
+  <use xlink:href="scripted.svg#postmessagescript" />
+
+  <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+  <text x="300" y="250"
+        font-family="Verdana"
+        font-size="50"
+        text-anchor="middle">
+      PASS
+    </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
new file mode 100644
index 0000000000..0f3f281d90
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: including={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
new file mode 100644
index 0000000000..aa4f156953
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Object inside SVG foreignobject respect csp</title>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      async_test(function(t) {
+        document.addEventListener("securitypolicyviolation", t.step_func(function(e) {
+          if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/media/flash.swf")
+            return;
+
+          assert_equals(e.violatedDirective, "object-src");
+          t.done();
+        }));
+      }, "Should throw a securitypolicyviolation");
+    </script>
+</head>
+<body>
+    <svg>
+        <foreignObject>
+            <embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf">
+        </foreignObject>
+    </svg>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
new file mode 100644
index 0000000000..5482831fa8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
@@ -0,0 +1,20 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+     xmlns="http://www.w3.org/2000/svg" version="1.1">
+  <desc>Example script01 - redirect</desc>
+
+  <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+    location = "/content-security-policy/support/postmessage-fail.html";
+  ]]> </script>
+
+  <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+  <text x="300" y="250"
+        font-family="Verdana"
+        font-size="50"
+        text-anchor="middle">
+      PASS
+    </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
new file mode 100644
index 0000000000..0e90e147ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripted={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
new file mode 100644
index 0000000000..962cd88036
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-from-guid</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                log("TEST COMPLETE");
+            }, 1);
+        });
+    </script>
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <!--
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+     xmlns="http://www.w3.org/2000/svg" version="1.1">
+  <desc>Example script01 - redirect</desc>
+
+  <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+    location = "/content-security-policy/support/postmessage-fail.html";
+  ]]> </script>
+
+  <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+  <text x="300" y="250"
+        font-family="Verdana"
+        font-size="50"
+        text-anchor="middle">
+      PASS
+    </text>
+</svg>
+    -->
+    <iframe name="test_target" id="test_iframe" src="data:image/svg+xml;charset=utf-8;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pg0KPCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIg0KICAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj4NCjxzdmcgd2lkdGg9IjZjbSIgaGVpZ2h0PSI1Y20iIHZpZXdCb3g9IjAgMCA2MDAgNTAwIg0KICAgICB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZlcnNpb249IjEuMSI+DQogIDxkZXNjPkV4YW1wbGUgc2NyaXB0MDEgLSByZWRpcmVjdDwvZGVzYz4NCg0KICA8c2NyaXB0IGlkPSJwb3N0bWVzc2FnZXNjcmlwdCIgdHlwZT0iYXBwbGljYXRpb24vZWNtYXNjcmlwdCI+IDwhW0NEQVRBWw0KICAgIGxvY2F0aW9uID0gIi9jb250ZW50LXNlY3VyaXR5LXBvbGljeS9ibGluay1jb250cmliL3Jlc291cmNlcy9wb3N0bWVzc2FnZS1mYWlsLmh0bWwiOw0KICBdXT4gPC9zY3JpcHQ+DQoNCiAgPGNpcmNsZSBjeD0iMzAwIiBjeT0iMjI1IiByPSIxMDAiIGZpbGw9Imxhd25ncmVlbiIvPg0KDQogIDx0ZXh0IHg9IjMwMCIgeT0iMjUwIg0KICAgICAgICBmb250LWZhbWlseT0iVmVyZGFuYSINCiAgICAgICAgZm9udC1zaXplPSI1MCINCiAgICAgICAgdGV4dC1hbmNob3I9Im1pZGRsZSI+DQogICAgICBQQVNTDQogICAgPC90ZXh0Pg0KPC9zdmc+"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
new file mode 100644
index 0000000000..16d03407fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-policy-with-resource</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+        var t_spv = async_test("Should fire violation event");
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src-elem");
+        }));
+    </script>
+
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <div id="log"></div>
+    <?xml version="1.0" standalone="no"?>
+
+    <svg width="6cm" height="5cm" viewBox="0 0 600 500"
+        xmlns="http://www.w3.org/2000/svg" version="1.1">
+
+        <script type="application/ecmascript"
+            xlink:href="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/.js">
+        </script>
+
+      <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+      <text x="300" y="250"
+            font-family="Verdana"
+            font-size="50"
+            text-anchor="middle">
+          PASS
+      </text>
+    </svg>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
new file mode 100644
index 0000000000..3ca6262405
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-policy-with-resource</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                log("TEST COMPLETE");
+            }, 0);
+        });
+    </script>
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
new file mode 100644
index 0000000000..88ba0b3e65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-policy-with-resource</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                log("TEST COMPLETE");
+            }, 0);
+        });
+    </script>
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+    <object type="image/svg+xml" data="scripted.svg"></object>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
new file mode 100644
index 0000000000..186996311b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>eval-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        eval("alert_assert('PASS (1 of 2)')");
+
+        window.eval("alert_assert('PASS (2 of 2)')");
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 0000000000..998a616652
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-blocked-and-sends-report</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked.","violated-directive=script-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            eval("alert_assert('FAIL')");
+        } catch (e) {
+            log('PASS: eval() blocked.');
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
new file mode 100644
index 0000000000..054e75b527
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta http-equiv="Content-Security-Policy"
+        content="script-src 'self' 'unsafe-inline';">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+
+<p>
+  Eval should be blocked in the iframe, but inline script should be allowed.
+</p>
+
+<script>
+  promise_test(async t => {
+    const document_loaded = new Promise(resolve => window.onload = resolve);
+    await document_loaded;
+
+    const eval_error = new Promise(resolve => {
+      window.addEventListener('message', function(e) {
+        assert_not_equals(e.data, 'FAIL', 'eval was executed in the frame');
+        if (e.data === 'PASS')
+          resolve();
+      });
+    });
+    const csp_violation_report = new Promise(resolve => {
+      window.addEventListener('message', function(e) {
+        if (e.data["violated-directive"]) {
+          assert_equals(e.data["violated-directive"], "script-src");
+          resolve();
+        }
+      });
+    });
+
+    frames[0].document.write(`
+      <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+          parent.postMessage({ 'violated-directive': e.violatedDirective });
+        });
+        try {
+          eval('parent.postMessage(\"FAIL\", \"*\");');
+        } catch (e) {
+          if (e instanceof EvalError)
+            parent.postMessage(\"PASS\", \"*\");
+        }
+      </sc` + `ript>`
+    );
+    frames[0].document.close();
+
+    await eval_error;
+    await csp_violation_report;
+  });
+</script>
+<iframe src="about:blank"></iframe>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
new file mode 100644
index 0000000000..7546082ee4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError", "violated-directive=script-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            eval("alert_assert('FAIL (1 of 2)')");
+        } catch (e) {
+            log("PASS EvalError");
+        }
+
+        try {
+            window.eval("alert_assert('FAIL (1 of 2)')");
+        } catch (e) {
+            log("PASS EvalError");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
new file mode 100644
index 0000000000..bca5decd25
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>eval-in-iframe</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/utils.js"></script>
+</head>
+
+<body>
+    <p>This test checks that the CSP of calleeRealm only (and not of
+    the callerRealm) is checked for allowing eval.</p>
+    <script>
+      let tests = [
+        { "directive": "script-src", "csp": "script-src 'unsafe-inline'" },
+        { "directive": "default-src", "csp": "default-src 'unsafe-inline'" },
+      ];
+
+      tests.forEach(test => {
+        let child = document.createElement('iframe');
+        child.src = '/content-security-policy/unsafe-eval/support' +
+          '/echo-eval-with-policy.py?policy=' + encodeURIComponent(test.csp);
+        document.body.appendChild(child);
+        let msg = new Promise(resolve => {
+          window.addEventListener('message', e => {
+            if (e.source == child.contentWindow)
+              resolve(e.data);
+          });
+        });
+
+        promise_test(async t => {
+          assert_equals((await msg).evalInIframe, "blocked");
+        }, `(${test.directive}) Eval code should not execute ` +
+                     `from iframe in iframe`);
+        promise_test(async t => {
+          assert_equals((await msg).evalInParent, "allowed");
+        }, `(${test.directive}) Eval code should execute ` +
+                     `from iframe in parent`);
+        promise_test(async t => {
+          assert_throws_js(child.contentWindow.EvalError, _ =>
+            child.contentWindow.eval('1+1'));
+        }, `(${test.directive}) Eval code should not execute ` +
+                     `from parent in iframe`);
+      });
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 0000000000..19eac79812
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>eval-scripts-setInterval-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<pre>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("Fail");
+  });
+
+  var id_string = setInterval("clearInterval(id_string); log('PASS 1 of 2')", 0);
+  if (id_string == 0)
+    log('FAIL: Return value for string (should not be 0): ' + id_string);
+
+  var id_function = setInterval(function() {
+    clearInterval(id_function);
+    log('PASS 2 of 2');
+  }, 0);
+
+  if (id_function == 0)
+    log('FAIL');
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 0000000000..2107ab8c33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-scripts-setInterval-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("violated-directive=" + e.violatedDirective);
+  });
+
+  var id = setInterval("alert_assert('FAIL')", 0);
+  if (id != 0)
+    log('FAIL: Return value for string (should be 0): ' + id);
+
+  var id = setInterval(function() {
+    clearInterval(id);
+    log('PASS');
+  }, 0);
+
+  if (id == 0)
+    log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 0000000000..ba89c4e2f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>eval-scripts-setTimeout-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("Fail");
+  });
+
+  var id = setTimeout("log('PASS 1 of 2')", 0);
+  if (id == 0)
+    log('FAIL');
+  var id = setTimeout(function() {
+    log('PASS 2 of 2');
+  }, 0);
+  if (id == 0)
+    log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 0000000000..2b6335e597
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-scripts-setTimeout-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("violated-directive=" + e.violatedDirective);
+  });
+
+  var id = setTimeout("alert_assert('FAIL')", 0);
+  if (id != 0)
+    log('FAIL');
+
+  var id = setTimeout(function() {
+    log('PASS');
+  }, 0);
+
+  if (id == 0)
+    log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
new file mode 100644
index 0000000000..8e6661b21c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>function-constructor-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        (new Function("log('PASS')"))();
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
new file mode 100644
index 0000000000..1a7d320b68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>function-constructor-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS EvalError","violated-directive=script-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            (new Function("log('FAIL')"))();
+        } catch (e) {
+            log("PASS EvalError");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
new file mode 100644
index 0000000000..b9b3cfe03a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
@@ -0,0 +1,30 @@
+def main(request, response):
+    policy = request.GET.first(b"policy")
+    return [(b"Content-Type", b"text/html"), (b"Content-Security-Policy", policy)], b"""
+<!DOCTYPE html>
+<html>
+<script>
+function check_eval(context) {
+  context.eval_check_variable = 0;
+  try {
+    id = context.eval("eval_check_variable + 1");
+  } catch (e) {
+    if (e instanceof EvalError) {
+      if (context.eval_check_variable === 0)
+        return "blocked";
+      else
+        return "EvalError exception, but eval was executed";
+    } else {
+      return "Unexpected exception: " + e.message;
+    }
+  }
+  return "allowed";
+}
+
+window.parent.postMessage({
+  evalInIframe: check_eval(window),
+  evalInParent: check_eval(parent),
+});
+</script>
+</html>
+"""
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
new file mode 100644
index 0000000000..0c2a43a6e6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(true, '<a href>', '');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
new file mode 100644
index 0000000000..f2b3e1ff72
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    // script-src-attr CSP should not have effects because navigation CSP
+    // checks are done against script-src-elem.
+    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
new file mode 100644
index 0000000000..642d9768a5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(true, '<a href target=_blank>', '');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
new file mode 100644
index 0000000000..a321521e04
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(true, '<a href target=_blank>', '');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html
new file mode 100644
index 0000000000..2fbda19924
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "pass");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' +
+              '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html
new file mode 100644
index 0000000000..970290e3f6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "pass");
+        });
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
new file mode 100644
index 0000000000..0f0dc67aa3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href>', ' due to missing unsafe-hashes');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
new file mode 100644
index 0000000000..6b863e7a99
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    // script-src-attr CSP should not have effects because navigation CSP
+    // checks are done against script-src-elem.
+    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
new file mode 100644
index 0000000000..23e9bdc187
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
new file mode 100644
index 0000000000..81805a1f87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html
new file mode 100644
index 0000000000..d7a786078a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "fail");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' +
+              '?csp=' + encodeURI("script-src 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
new file mode 100644
index 0000000000..12c9b09985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.unreached_func("Should have not received any message");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src-elem');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
new file mode 100644
index 0000000000..6558a03aed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href>', ' due to wrong hash');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
new file mode 100644
index 0000000000..fa394b1d0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    // script-src-attr CSP should not have effects because navigation CSP
+    // checks are done against script-src-elem.
+    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
new file mode 100644
index 0000000000..8ca49da775
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to wrong hash');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
new file mode 100644
index 0000000000..257899af29
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to wrong hash');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html
new file mode 100644
index 0000000000..96ff062101
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "fail");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' +
+              '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
new file mode 100644
index 0000000000..c653d4f617
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.unreached_func("Should have not received any message");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src-elem');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html
new file mode 100644
index 0000000000..7d50941d36
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the inline event handler is allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+    </script>
+    <img src='../support/pass.png'
+         onload='t1.done();'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html
new file mode 100644
index 0000000000..7ba9d30bcf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;">
+    <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title>
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the inline event handler is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src-attr');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+    </script>
+    <img src='../support/pass.png'
+         onload='t1.unreached_func("Should not have executed handler");'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
new file mode 100644
index 0000000000..2de6a48eb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
+    <title>Event handlers should be not allowed if a matching hash is not present</title>
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the inline event handler is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src-attr');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+    </script>
+    <img src='../support/pass.png'
+         onload='t1.unreached_func("Should not have executed handler");'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html
new file mode 100644
index 0000000000..568c469b06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html
@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'unsafe-hashes' 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is loaded");
+
+        self.check_for_style = t1.step_func_done(function() {
+          assert_equals("green", document.getElementById('test').style.background);
+        });
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'
+         onload='check_for_style()'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html
new file mode 100644
index 0000000000..e8070acba9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is blocked");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'style-src-attr');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
new file mode 100644
index 0000000000..be27637224
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'unsafe-hashes' 'sha256-UI8QfroYhb0WX073XBuM+RTPntpjZfkyFLsMw5vQfd0=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is blocked");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'style-src-attr');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
new file mode 100644
index 0000000000..3068822f37
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+
+<body>
+
+  <span id="escape">{{GET[url]}}</span>
+
+  <script nonce='abc'>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      opener.postMessage('fail', '*');
+    });
+
+    window.location.href = document.getElementById("escape").textContent;
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
new file mode 100644
index 0000000000..26db3289ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
@@ -0,0 +1,40 @@
+// Typical CSP hashes are:
+// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated();
+// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated();
+
+function runTest(navigationShouldAllowed, navigationMethod, description) {
+  const t1 = async_test(
+    'javascript: navigation using ' + navigationMethod + ' should be ' +
+    (navigationShouldAllowed ? 'allowed' : 'refused') + description);
+
+  if (navigationShouldAllowed) {
+    window.navigated = () => t1.done();
+    window.addEventListener('securitypolicyviolation',
+        t1.unreached_func('Should have not raised any event'));
+  } else {
+    window.navigated =
+        t1.unreached_func('Should not have run javascript: URL');
+    window.addEventListener('securitypolicyviolation',
+        t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src-elem');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+  }
+
+  if (navigationMethod === '<a href target=_blank>') {
+    const a = document.createElement('a');
+    a.setAttribute('target', '_blank');
+    a.setAttribute('rel', 'opener');
+    a.setAttribute('href', 'javascript:opener.navigated();');
+    document.body.appendChild(a);
+    a.click();
+  }
+  else if (navigationMethod === '<a href>') {
+    const a = document.createElement('a');
+    a.setAttribute('href', 'javascript:navigated();');
+    document.body.appendChild(a);
+    a.click();
+  } else {
+    t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)();
+  }
+}
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-blocks-wasm.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-blocks-wasm.any.js
new file mode 100644
index 0000000000..15e9d87ce9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-blocks-wasm.any.js
@@ -0,0 +1,8 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return promise_rejects_js(
+      t, WebAssembly.CompileError,
+      WebAssembly.instantiate(
+          new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0])));
+});
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-blocks-wasm.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-blocks-wasm.any.js.headers
new file mode 100644
index 0000000000..d3790b6fbe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-blocks-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-unsafe-eval-allows-wasm.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-unsafe-eval-allows-wasm.any.js
new file mode 100644
index 0000000000..68a145caae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-unsafe-eval-allows-wasm.any.js
@@ -0,0 +1,6 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return WebAssembly.instantiate(
+      new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0]));
+});
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-unsafe-eval-allows-wasm.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-unsafe-eval-allows-wasm.any.js.headers
new file mode 100644
index 0000000000..1a1d90cf7c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-unsafe-eval-allows-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.js
new file mode 100644
index 0000000000..68a145caae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.js
@@ -0,0 +1,6 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return WebAssembly.instantiate(
+      new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0]));
+});
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.js.headers
new file mode 100644
index 0000000000..2cb4ec4c87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/postMessage-wasm-module.html b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/postMessage-wasm-module.html
new file mode 100644
index 0000000000..9d5e1e0ff3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/postMessage-wasm-module.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>eval-in-iframe</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/utils.js"></script>
+</head>
+<body>
+    <iframe src="/content-security-policy/wasm-unsafe-eval/support/iframe.html">
+    </iframe>
+
+    <script>
+        async_test(t => {
+          self.addEventListener('message', t.step_func_done(({data}) => {
+            assert_equals(data.violatedDirective, "script-src");
+            assert_equals(data.originalPolicy, "default-src 'unsafe-inline'")
+            assert_equals(data.blockedURI, "wasm-eval")
+          }));
+        }, "Got the expected securitypolicyviolation in the iframe");
+
+        const iframe = document.querySelector('iframe');
+        iframe.addEventListener('load', () => {
+            let m = new WebAssembly.Module(
+                new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0]));
+            iframe.contentWindow.postMessage(m);
+        });
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-blocks-wasm.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-blocks-wasm.any.js
new file mode 100644
index 0000000000..15e9d87ce9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-blocks-wasm.any.js
@@ -0,0 +1,8 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return promise_rejects_js(
+      t, WebAssembly.CompileError,
+      WebAssembly.instantiate(
+          new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0])));
+});
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-blocks-wasm.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-blocks-wasm.any.js.headers
new file mode 100644
index 0000000000..de46ceb5a1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-blocks-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
new file mode 100644
index 0000000000..360e00c715
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
@@ -0,0 +1,18 @@
+// META: global=window,worker
+let code = new Uint8Array([0x53, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0]);
+async_test(t => {
+  self.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+    assert_equals(e.violatedDirective, "script-src");
+    assert_equals(e.originalPolicy, "default-src 'self' 'unsafe-inline'")
+    assert_equals(e.blockedURI, "wasm-eval")
+  }));
+}, "Securitypolicyviolation event looks like it should");
+
+promise_test(t => {
+  return promise_rejects_js(
+      t, WebAssembly.CompileError,
+      WebAssembly.instantiate(code));
+});
+
+
+
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
new file mode 100644
index 0000000000..d3790b6fbe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline'
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-unsafe-eval-allows-wasm.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-unsafe-eval-allows-wasm.any.js
new file mode 100644
index 0000000000..68a145caae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-unsafe-eval-allows-wasm.any.js
@@ -0,0 +1,6 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return WebAssembly.instantiate(
+      new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0]));
+});
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-unsafe-eval-allows-wasm.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-unsafe-eval-allows-wasm.any.js.headers
new file mode 100644
index 0000000000..7b26c292f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-unsafe-eval-allows-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.js
new file mode 100644
index 0000000000..68a145caae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.js
@@ -0,0 +1,6 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return WebAssembly.instantiate(
+      new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0]));
+});
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.js.headers
new file mode 100644
index 0000000000..3463403572
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/support/iframe.html b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/support/iframe.html
new file mode 100644
index 0000000000..4d8b937558
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/support/iframe.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+</head>
+<body>
+  <h1>iframe</h1>
+  <script>
+    self.addEventListener('securitypolicyviolation', e => {
+      window.parent.postMessage({ violatedDirective: e.violatedDirective,
+      originalPolicy: e.originalPolicy, blockedURI: e.blockedURI });
+    });
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/support/iframe.html.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/support/iframe.html.headers
new file mode 100644
index 0000000000..bc3a72a880
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/support/iframe.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-default-src-none.html b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-default-src-none.html
new file mode 100644
index 0000000000..5b0f8cc9c5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-default-src-none.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'none'; script-src 'self' 'unsafe-inline'">
+    <title>webrtc allowed with default-src 'none'</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="webrtc.js"></script>
+</head>
+
+<body>
+    <script>
+        expectAllow();
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-explicit.html b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-explicit.html
new file mode 100644
index 0000000000..835f650d5f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-explicit.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="webrtc 'allow';">
+    <title>webrtc allowed with an explicit webrtc allowed policy</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="webrtc.js"></script>
+</head>
+
+<body>
+    <script>
+        expectAllow();
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-nopolicy.html b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-nopolicy.html
new file mode 100644
index 0000000000..bc49a63a43
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-allowed-nopolicy.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>webrtc allowed with no policy</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="webrtc.js"></script>
+</head>
+
+<body>
+    <script>
+        expectAllow();
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/webrtc/webrtc-blocked-explicit.html b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-blocked-explicit.html
new file mode 100644
index 0000000000..dbd56f2f2c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-blocked-explicit.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="webrtc 'block';">
+    <title>webrtc blocked with an explicit webrtc blocked policy</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="webrtc.js"></script>
+</head>
+
+<body>
+    <script>
+        expectBlock();
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/webrtc/webrtc-blocked-unknown.html b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-blocked-unknown.html
new file mode 100644
index 0000000000..1605c0a642
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/webrtc/webrtc-blocked-unknown.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="webrtc 'unrecognized';">
+    <title>webrtc blocked with an unrecognized explicit webrtc policy</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="webrtc.js"></script>
+</head>
+
+<body>
+    <script>
+        expectBlock();
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/webrtc/webrtc.js b/testing/web-platform/tests/content-security-policy/webrtc/webrtc.js
new file mode 100644
index 0000000000..a4075557ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/webrtc/webrtc.js
@@ -0,0 +1,56 @@
+
+// Creates two RTCPeerConnection and tries to connect them. Returns
+// "allowed" if the connection is permitted, "blocked" if it is
+// blocked on both sides and "inconsistent" in the event that the
+// result is not the same on both sides (should never happen).
+async function tryConnect() {
+    const pc1 = new RTCPeerConnection();
+    const pc2 = new RTCPeerConnection();
+
+    // Returns a promise which resolves to a boolean which is true
+    // if and only if pc.iceConnectionState settles in the "failed"
+    // state, and never transitions to any state other than "new"
+    // or "failed."
+    const pcFailed = (pc) => {
+        return new Promise((resolve, _reject) => {
+            pc.oniceconnectionstatechange = (e) => {
+                resolve(pc.iceConnectionState == "failed");
+            };
+        });
+    }
+    pc1Failed = pcFailed(pc1);
+    pc2Failed = pcFailed(pc2);
+
+    // Creating a data channel is necessary to induce negotiation:
+    const channel = pc1.createDataChannel('test');
+
+    // Usual webrtc signaling dance:
+    pc1.onicecandidate = ({candidate}) => pc2.addIceCandidate(candidate);
+    pc2.onicecandidate = ({candidate}) => pc1.addIceCandidate(candidate);
+    const offer = await pc1.createOffer();
+    await pc1.setLocalDescription(offer);
+    await pc2.setRemoteDescription(pc1.localDescription);
+    const answer = await pc2.createAnswer();
+    await pc2.setLocalDescription(answer);
+    await pc1.setRemoteDescription(pc2.localDescription);
+
+    const failed1 = await pc1Failed;
+    const failed2 = await pc2Failed;
+    if(failed1 && failed2) {
+        return 'blocked';
+    } else if(!failed1 && !failed2) {
+        return 'allowed';
+    } else {
+        return 'inconsistent';
+    }
+}
+
+async function expectAllow() {
+    promise_test(async () => assert_equals(await tryConnect(), 'allowed'));
+}
+
+async function expectBlock() {
+    promise_test(async () => assert_equals(await tryConnect(), 'blocked'));
+}
+
+// vim: set ts=4 sw=4 et :
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-child.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-child.sub.html
new file mode 100644
index 0000000000..cff8f953af
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-child.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="child-src http://{{host}}:{{ports[http][0]}} blob:">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by host-source expression.");
+
+  var b = new Blob(["postMessage('ping');"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-fallback.sub.html
new file mode 100644
index 0000000000..25602573fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-fallback.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:; child-src 'none'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by host-source expression.");
+
+  var b = new Blob(["postMessage('ping');"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-list.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-list.sub.html
new file mode 100644
index 0000000000..fc4f912324
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-list.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by host-source expression.");
+
+  var b = new Blob(["postMessage('ping');"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-none.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-none.sub.html
new file mode 100644
index 0000000000..62c550788a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-none.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_worker_is_blocked(url, "Same-origin dedicated worker blocked by host-source expression.");
+
+  var b = new Blob(["postMessage('ping');"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_worker_is_blocked(url, "blob: dedicated worker blocked by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-self.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-self.sub.html
new file mode 100644
index 0000000000..ba0cd1bb43
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-self.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html
new file mode 100644
index 0000000000..f9f68fe749
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for dedicated worker allowed by worker-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self'; default-src 'none'; ">
+<script src="../support/dedicated-worker-helper.js" blocked-worker id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html
new file mode 100644
index 0000000000..c16a9a543e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for dedicated worker allowed by child-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
+<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
+<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by child-src 'self'."></script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html
new file mode 100644
index 0000000000..5bded3f59a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for dedicated worker allowed by default-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
+<script src="../support/dedicated-worker-helper.js" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by default-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html
new file mode 100644
index 0000000000..ca92207676
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for dedicated worker allowed by script-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; default-src 'none'; ">
+<script src="../support/dedicated-worker-helper.js" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by script-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html
new file mode 100644
index 0000000000..69e96473bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for dedicated worker allowed by worker-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
+<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-child.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-child.https.sub.html
new file mode 100644
index 0000000000..3315a554b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-child.https.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="child-src https://{{host}}:{{ports[https][0]}}">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_service_worker_is_loaded(url, "Same-origin service worker allowed by host-source expression.");
+</script>
+
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-fallback.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-fallback.https.sub.html
new file mode 100644
index 0000000000..314d8831d8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-fallback.https.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src https://{{host}}:{{ports[https][0]}}; child-src 'none'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_service_worker_is_loaded(url, "Same-origin service worker allowed by host-source expression.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-list.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-list.https.sub.html
new file mode 100644
index 0000000000..9e2cd903f2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-list.https.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src https://{{host}}:{{ports[https][0]}}">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_service_worker_is_loaded(url, "Same-origin service worker allowed by host-source expression.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-none.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-none.https.sub.html
new file mode 100644
index 0000000000..467a8ce2cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-none.https.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_service_worker_is_blocked(url, "Same-origin service worker blocked by 'none'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-self.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-self.https.sub.html
new file mode 100644
index 0000000000..d725e73012
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-self.https.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_service_worker_is_loaded(url, "Same-origin service worker allowed by 'self'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html
new file mode 100644
index 0000000000..979abd580d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for service worker allowed by child-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self'; default-src 'none'; ">
+<script src="../support/service-worker-helper.js" blocked-worker id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html
new file mode 100644
index 0000000000..4d6f2f333a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for service worker allowed by child-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
+<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
+<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html
new file mode 100644
index 0000000000..f9df743909
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for service worker allowed by default-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
+<script src="../support/service-worker-helper.js" id="foo" data-desc-fallback="Same-origin service worker allowed by default-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html
new file mode 100644
index 0000000000..ce03f24f17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for service worker allowed by script-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; default-src 'none'; ">
+<script src="../support/service-worker-helper.js" id="foo" data-desc-fallback="Same-origin service worker allowed by script-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html
new file mode 100644
index 0000000000..575911207e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for service worker allowed by worker-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
+<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by worker-src 'self'."></script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-child.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-child.sub.html
new file mode 100644
index 0000000000..93dd38b6f8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-child.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="child-src http://{{host}}:{{ports[http][0]}} blob:">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'.");
+
+  var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_shared_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-fallback.sub.html
new file mode 100644
index 0000000000..cfe9190a43
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-fallback.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:; child-src 'none'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'.");
+
+  var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_shared_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-list.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-list.sub.html
new file mode 100644
index 0000000000..6c985c76eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-list.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'.");
+
+  var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_shared_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-none.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-none.sub.html
new file mode 100644
index 0000000000..b443f321d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-none.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src 'none'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_shared_worker_is_blocked(url, "Same-origin shared worker blocked by 'none'.");
+
+  var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"});
+  var url = URL.createObjectURL(b);
+  assert_shared_worker_is_blocked(url, "blob: shared worker blocked by 'none'.");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-self.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-self.sub.html
new file mode 100644
index 0000000000..e6b368aab1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-self.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
+<script>
+  var url = new URL("../support/ping.js", document.baseURI).toString();
+  assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'.");
+</script>
+
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html
new file mode 100644
index 0000000000..00dbdb4fc2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for shared worker allowed by child-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self'; default-src 'none'; ">
+<script src="../support/shared-worker-helper.js" blocked-worker id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html
new file mode 100644
index 0000000000..1e6a1df54b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for shared worker allowed by child-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
+<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
+<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script>
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html
new file mode 100644
index 0000000000..4a07db76aa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for shared worker allowed by default-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
+<script src="../support/shared-worker-helper.js" id="foo" data-desc-fallback="Same-origin shared worker allowed by default-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html
new file mode 100644
index 0000000000..0a854da3ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for shared worker allowed by script-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; default-src 'none'; ">
+<script src="../support/shared-worker-helper.js" id="foo" data-desc-fallback="Same-origin shared worker allowed by script-src 'self'."></script>
+\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
new file mode 100644
index 0000000000..dc8370bdbe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
@@ -0,0 +1,9 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Web platform test for shared worker allowed by worker-src self</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="../support/testharness-helper.js"></script>
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
+<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by worker-src 'self'."></script>
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-07 17:32:43 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-07 17:32:43 +0000
commit	6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch)
tree	a68f146d7fa01f0134297619fbe7e33db084e0aa /testing/web-platform/tests/content-security-policy
parent	Initial commit. (diff)
download	thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.tar.xz thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.zip