From 6bf0a5cb5034a7e684dcc3500e841785237ce2dd Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 19:32:43 +0200
Subject: Adding upstream version 1:115.7.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../304-response-should-update-csp.sub.html        | 52 ++++++++++++
 .../generic/cspro-not-enforced-in-worker.html      | 22 +++++
 .../cspro-not-enforced-in-worker.html.sub.headers  |  1 +
 .../directive-name-case-insensitive.sub.html       | 32 +++++++
 .../generic/duplicate-directive.sub.html           | 27 ++++++
 .../eval-typecheck-callout-order.tentative.html    | 28 +++++++
 ...-typecheck-callout-order.tentative.html.headers |  1 +
 .../content-security-policy/generic/fail-0_1.js    |  3 +
 .../filesystem-urls-do-not-match-self.sub.html     | 60 +++++++++++++
 .../filesystem-urls-match-filesystem.sub.html      | 57 +++++++++++++
 .../generic/generic-0_1-img-src.html               | 38 +++++++++
 .../generic/generic-0_1-script-src.html            | 38 +++++++++
 .../generic/generic-0_10.sub.html                  | 27 ++++++
 .../generic/generic-0_10_1.sub.html                | 26 ++++++
 .../generic/generic-0_2.html                       | 28 +++++++
 .../generic/generic-0_2_2.sub.html                 | 26 ++++++
 .../generic/generic-0_2_3.html                     | 26 ++++++
 .../generic/generic-0_8.sub.html                   | 27 ++++++
 .../generic/generic-0_8_1.sub.html                 | 31 +++++++
 .../generic/generic-0_9.sub.html                   | 27 ++++++
 .../generic/invalid-characters-in-policy.html      | 75 +++++++++++++++++
 .../generic/negativeTests.js                       |  3 +
 .../generic/no-default-src.sub.html                | 41 +++++++++
 .../generic/no-default-src.sub.html.sub.headers    |  6 ++
 .../only-valid-whitespaces-are-allowed.html        | 67 +++++++++++++++
 .../content-security-policy/generic/pass-0_1.js    |  3 +
 .../generic/policy-does-not-affect-child.sub.html  | 24 ++++++
 .../policy-inherited-correctly-by-plznavigate.html | 43 ++++++++++
 ...rited-correctly-by-plznavigate.html.sub.headers |  5 ++
 .../generic/positiveTest.js                        |  1 +
 .../generic/support/304-response.py                | 33 ++++++++
 .../generic/support/eval.js                        |  2 +
 .../support/load_img_and_post_result_header.html   | 11 +++
 ...oad_img_and_post_result_header.html.sub.headers |  1 +
 .../support/load_img_and_post_result_meta.sub.html | 14 ++++
 .../generic/support/log-pass.html                  |  3 +
 .../generic/support/sandboxed-eval.sub.html        |  4 +
 .../support/sandboxed-eval.sub.html.sub.headers    |  1 +
 .../generic/test-case.sub.js                       | 98 ++++++++++++++++++++++
 .../content-security-policy/generic/unreached.js   |  3 +
 .../generic/wildcardHostTest.js                    |  8 ++
 .../generic/wildcardHostTestFailure.js             |  8 ++
 .../generic/wildcardHostTestSuceeds.js             |  1 +
 .../generic/wildcardPortTest.js                    |  8 ++
 .../generic/wildcardPortTestSuceeds.js             |  1 +
 45 files changed, 1041 insertions(+)
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/negativeTests.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/positiveTest.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/304-response.py
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/eval.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/log-pass.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/test-case.sub.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/unreached.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js

(limited to 'testing/web-platform/tests/content-security-policy/generic')

diff --git a/testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html b/testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html
new file mode 100644
index 0000000000..b16eadaedc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <title>Test that a 304 response will update the CSP header</title>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that the first frame uses nonce abc");
+    var t2 = async_test("Test that the first frame does not use nonce def");
+
+    var t3 = async_test("Test that the second frame uses nonce def");
+    var t4 = async_test("Test that the second frame does not use nonce abc");
+
+    var i1 = document.createElement('iframe');
+    // We add a random parameter to avoid previous tests cached requests.
+    // We want to make sure i1 gets a 200 code and i2 gets a 304 code.
+    i1.src = "support/304-response.py?{{$id:uuid()}}";
+
+    var i2 = document.createElement('iframe');
+    i2.src = "support/304-response.py?{{$id}}";
+
+    var load_second_frame = function() {
+      document.body.appendChild(i2);
+    }
+
+    window.onmessage = function(e) {
+      if (e.source == i1.contentWindow) {
+        if (e.data == "abc_executed") { t1.done(); return; }
+        if (e.data == "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t2.done(); return; }
+
+        t1.step(function() { assert_unreached("Unexpected message received"); });
+        t2.step(function() { assert_unreached("Unexpected message received"); });
+      }
+
+      if (e.source == i2.contentWindow) {
+        if (e.data == "def_executed") { t3.done(); return; }
+        if (e.data == "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t4.done(); return; }
+
+        t3.step(function() { assert_unreached("Unexpected message received"); });
+        t4.step(function() { assert_unreached("Unexpected message received"); });
+      }
+
+    };
+
+    i1.onload = load_second_frame;
+    document.body.appendChild(i1);
+  </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html
new file mode 100644
index 0000000000..784cdc8875
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <!-- This tests that a report only policy is not treated as enforcing when
+         inherited by a worker. This manifests in particular for `unsafe-eval`
+         in this bug crbug.com/777076  -->
+    <script nonce="abc">
+      var t1 = async_test("Check that inline is allowed since the inherited policy is report only");
+      var t2 = async_test("Check that eval is allowed since the inherited policy is report only");
+
+      var w = new Worker("support/eval.js");
+      w.onmessage = function(e) {
+        if (e.data == "unsafe-inline allowed") t1.done();
+        else if (e.data == "unsafe-eval allowed") t2.done();
+      }
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers
new file mode 100644
index 0000000000..877e192bbf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: script-src 'self' 'nonce-abc';
diff --git a/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html b/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
new file mode 100644
index 0000000000..c65c59fb23
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="
+      IMg-sRC 'self' 'unsafe-inline' http://{{domains[www1]}}:{{ports[http][0]}};
+      img-src 'self' 'unsafe-inline' http://{{domains[www2]}}:{{ports[http][0]}};">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+  <script>
+    var t1 = async_test("Test that the www1 image is allowed to load");
+    var t2 = async_test("Test that the www2 image is not allowed to load");
+    var t_spv = async_test("Test that the www2 image throws a violation event");
+    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "img-src");
+      assert_equals(e.blockedURI, "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+    }));
+  </script>
+
+  <img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png"
+       onload="t1.done();"
+       onerror="t1.step(function() { assert_unreached('www1 image should have loaded'); t1.done(); });">
+
+  <img src="http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"
+       onerror="t2.done();"
+       onload="t2.step(function() { assert_unreached('www2 image should not have loaded'); t2.done(); });">
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html b/testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html
new file mode 100644
index 0000000000..0ab708356c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/duplicate-directive.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';">
+    <title>duplicate-directive</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            alert_assert("FAIL");
+        });
+        alert_assert('PASS (1/1)');
+    </script>
+</head>
+
+<body>
+    <p>
+        This tests the effect of duplicated directives. It passes if the alert_assert() is executed.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html
new file mode 100644
index 0000000000..0be7cf29a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    <title>Test for order of Type(evalInput) and host callout</title>
+</head>
+<body>
+    <div id='log'></div>
+
+    <script nonce='abc'>
+    test(function() {
+      assert_throws_js(EvalError, function() {
+        eval("0");
+      }, "eval of a string should reach host callout");
+    }, "eval of a string should be checked by CSP");
+
+    test(function() {
+      let array = ["0"];
+      assert_equals(
+        eval(array),
+        array,
+        "eval is identity when applied to non-strings");
+    }, "eval of a non-string should not be checked by CSP");
+    </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers
new file mode 100644
index 0000000000..85de8bd415
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'nonce-abc'
diff --git a/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
new file mode 100644
index 0000000000..5c580273dc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+  scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') });
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html
new file mode 100644
index 0000000000..afb272cf36
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>filesystem-urls-do-not-match-self</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>
+        filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content..
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+          log("violated-directive=" + e.violatedDirective);
+        });
+
+        if(!window.webkitRequestFileSystem) {
+            t_log = async_test();
+            t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+            log("violated-directive=script-src"); // simulate needed logs to pass test
+        } else {
+            function fail() {
+                alert_assert("FAIL!");
+            }
+            window.webkitRequestFileSystem(
+                TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+                    fs.root.getFile('fail.js', {
+                        create: true
+                    }, function(fileEntry) {
+                        fileEntry.createWriter(function(fileWriter) {
+                            fileWriter.onwriteend = function(e) {
+                                var script = document.createElement('script');
+                                script.src = fileEntry.toURL('application/javascript');
+                                document.body.appendChild(script);
+                            };
+                            // Create a new Blob and write it to pass.js.
+                            var b = new Blob(['fail();'], {
+                                type: 'application/javascript'
+                            });
+                            fileWriter.write(b);
+                        });
+                    });
+                });
+        }
+
+
+    </script>
+    <div id="log"></div>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html
new file mode 100644
index 0000000000..f629228f9f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self';">
+    <title>filesystem-urls-match-filesystem</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <p>
+        filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the &apos;self&apos; or &apos;*&apos; source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        if(!window.webkitRequestFileSystem) {
+            t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+            t_log.phase = t_log.phases.HAS_RESULT;
+            t_log.done();
+            log("PASS (1/1)"); // simulate needed logs to pass test
+        } else {
+            function pass() {
+                log("PASS (1/1)");
+            }
+            window.webkitRequestFileSystem(
+                TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+                    fs.root.getFile('pass.js', {
+                        create: true
+                    }, function(fileEntry) {
+                        fileEntry.createWriter(function(fileWriter) {
+                            fileWriter.onwriteend = function(e) {
+                                var script = document.createElement('script');
+                                script.src = fileEntry.toURL('application/javascript');
+                                document.body.appendChild(script);
+                            };
+                            // Create a new Blob and write it to pass.js.
+                            var b = new Blob(['pass();'], {
+                                type: 'application/javascript'
+                            });
+                            fileWriter.write(b);
+                        });
+                    });
+                });
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
new file mode 100644
index 0000000000..71ff3219b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to img-src directive</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to img-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var imgsrc = async_test("Verify cascading of default-src to img-src policy");
+      var onerrorFired = false;
+      var t_spv = async_test("Should fire violation events for every failed violation");
+
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "img-src");
+      }));
+    </script>
+
+    <img id='imgfail' src=''
+         onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });'
+         onerror='onerrorFired = true;'>
+    <img src='../support/pass.png'
+         onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'>
+
+    <script>
+      document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png');
+      onload = function() {
+        imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");});
+        imgsrc.done();
+      }
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
new file mode 100644
index 0000000000..b374b8b88e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to script-src directive</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to script-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block");
+      var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
+      var allowedScriptRan = false;
+      var t_spv = async_test("Should fire violation events for every failed violation");
+
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+    </script>
+
+    <script src='pass-0_1.js'></script>
+
+    <script>
+      var inlineScript = document.createElement('script');
+      inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js');
+      document.getElementById('log').appendChild(inlineScript);
+      onload = function() {
+          scriptsrc1.done();
+          scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") });
+          scriptsrc2.done();
+      }
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html
new file mode 100644
index 0000000000..62b69fb8fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test implicit port number matching (requires port 80)</title>
+    <meta http-equiv="Content-Security-Policy content="script-src 'self' {{domains[www]}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script>
+      var t = async_test("Test that script does not fire violation event");
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://{{domains[www]}}/content-security-policy/generic/positiveTest.js";
+      head.appendChild(script);
+    </script>
+
+    <script>
+        t.done();
+    </script>
+</head>
+<body>
+    <h1>test implicit port number matching (requires port 80)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
new file mode 100644
index 0000000000..f48c1e3c56
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>implicit port number matching fails with a different port</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' www.{{host}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>implicit port number matching fails with a different port</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
new file mode 100644
index 0000000000..4f295441cd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' keyword positive test</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script nonce='abc'>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener(
+        "securitypolicyviolation", t_spv.unreached_func("securitypolicyviolation should not be emitted"));
+
+      window.addEventListener("load", function() {
+        t_spv.done();
+      });
+    </script>
+    <script src='positiveTest.js'></script>
+    <script nonce='abc'>
+      test(function() {
+        assert_true(window.cspPositiveTest);
+      }, "Allows scripts from the same host.");
+    </script>
+</head>
+<body>
+    <h1>'self' keyword positive test</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
new file mode 100644
index 0000000000..6cb75e31ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' fails with a different port</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>'self' fails with a different port</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
new file mode 100644
index 0000000000..d9c230d2a5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='negativeTests.js'></script>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/unreached.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html
new file mode 100644
index 0000000000..a9a76c825e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard host name matching (asterisk as a subdomain of the current domain)</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' *.{{host}}:{{ports[http][0]}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardHostTest.js'></script>
+    <script>
+      var t = async_test("Test that script does not fire violation event");
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+      window.addEventListener("load", t.step_func(function() {
+        assert_true(window.wildcardHostTestRan);
+        t.done();
+      }));
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard host name matching (asterisk as a subdomain of the current domain)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
new file mode 100644
index 0000000000..c326af0e54
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard host name matching (asterisk as part of a subdomain is not accepted)</title>
+    <script>
+      var t_spv = async_test("Should fire violation events for every failed violation");
+      var spvEvent;
+      window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+          spvEvent = e;
+      }));
+      addEventListener("load", t_spv.step_func_done(function() {
+          assert_true(!!spvEvent);
+          assert_equals(spvEvent.violatedDirective, "script-src-elem");
+      }));
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' *w.{{host}}:{{ports[http][0]}} w*.{{host}}:{{ports[http][0]}} 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardHostTestFailure.js'></script>
+</head>
+<body>
+    <h1>test wildcard host name matching (asterisk as part of a subdomain is not accepted)</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
new file mode 100644
index 0000000000..564927bd7e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>test wildcard port number matching</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' {{host}}:* 'unsafe-inline';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='wildcardPortTest.js'></script>
+    <script>
+      var t = async_test("Test that script does not fire violation event");
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+      window.addEventListener("load", function() {
+        t.done();
+      });
+
+      var head = document.getElementsByTagName('head')[0];
+      var script = document.createElement('script');
+      script.type = 'text/javascript';
+      script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/wildcardPortTestSuceeds.js";
+      head.appendChild(script);
+    </script>
+</head>
+<body>
+    <h1>test wildcard port number matching</h1>
+    <div id='log'></div>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html b/testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html
new file mode 100644
index 0000000000..e46449117f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/invalid-characters-in-policy.html
@@ -0,0 +1,75 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      // Make sure that csp works properly in normal situations
+      {
+        "csp": "",
+        "expected": true,
+        "name": "Should load image without any CSP",
+      },
+      {
+        "csp": "img-src 'none';",
+        "expected": false,
+        "name": "Should not load image with 'none' CSP",
+      },
+
+      // Now test with non-ASCII characters.
+      {
+        "csp": "img-src 'none' \u00A1invalid-source; style-src 'none'",
+        "expected": true,
+        "name": "Non-ASCII character in directive value should drop the whole directive.",
+      },
+      {
+        "csp": "img-src ‘none’;",
+        "expected": true,
+        "name": "Non-ASCII quote character in directive value should drop the whole directive.",
+      },
+      {
+        "csp": "img-src 'none'; style-src \u00A1invalid-source 'none'",
+        "expected": false,
+        "name": "Non-ASCII character in directive value should not affect other directives.",
+      },
+      {
+        "csp": "img-src 'none'; style\u00A1-src 'none'",
+        "expected": false,
+        "name": "Non-ASCII character in directive name should not affect other directives.",
+      },
+    ];
+
+    tests.forEach(test => {
+      async_test(t => {
+        var url = "support/load_img_and_post_result_meta.sub.html?csp="
+            + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - meta tag");
+
+      async_test(t => {
+        var url = "support/load_img_and_post_result_header.html?csp="
+            + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - HTTP header");
+    });
+
+    function test_image_loads_as_expected(test, t, url) {
+      var i = document.createElement('iframe');
+      i.src = url;
+      window.addEventListener('message', t.step_func(function(e) {
+        if (e.source != i.contentWindow) return;
+        if (test.expected) {
+          assert_equals(e.data, "img loaded");
+        } else {
+          assert_equals(e.data, "img not loaded");
+        }
+        t.done();
+      }));
+      document.body.appendChild(i);
+    }
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/negativeTests.js b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
new file mode 100644
index 0000000000..44b4d7f683
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
@@ -0,0 +1,3 @@
+var t1 = async_test("Prevents access to external scripts.");
+
+onload = function() {t1.done();}
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
new file mode 100644
index 0000000000..9a89ec05ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>no default src doesn't behave exactly like *</title>
+    <meta name="timeout" content="long">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]">    </script>
+    <script src='positiveTest.js'></script>
+    <!-- enforcing policy: foobar; report-uri ...
+    -->
+</head>
+<body>
+    <h1>no default src doesn't behave exactly like *</h1>
+    This page has a CSP header but an unknown directive.
+    This should have no impact on an img loaded from a data:
+    uri, or an inline script, although that would be blocked by a default-src policy of *.
+    <br>
+    <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKgAAABACAIAAAABPqsMAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH1QoMCC8h3if5rgAAAB10RVh0Q29tbWVudABDcmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAGD0lEQVR42u2aa0yTVxiA39ILxa4KIkKrVCCIitzrqkAXQiXDSFjQHyZDBRRdtoDzgooao5uaoInID4hRJFC8RBOzxQuKigyYokuDSB0WlaJQlQrITRCwte1+nKVhpbT9aGUue59fb84573dO+uR7v/drS4OfAPkf4oQfAYpHUDyC4hEUj6B4BMUjKB5B8QiKR1A8guIRFI+geATFIygeQfEIikdQPEIVxmd1GsN+w9hBrV7bN9Kn7FHWqmqLHxY3vW2ycIWtS7Yeiz9G4h0VO47eO2rj1p4cz7WhayW+kuCZwdNdpjsznIe0Q53vO1X9qsbOxrr2uprWmrb+Nofn/lvQPqs/W5oVb0KBrCDrVpZGpzE7++iHR8Ezg0ms6FIsPL7Qho+Ali3O3h+zn81gW1n5M82BuVjqqZEpyjyVeMrs1CL+IqN1AAj0CBTNElm9YGFiYc7SHKvmHJ6Lpd7K/cF0YvK5/KV+S3eLd/tP9weAlNAUaYO0qrXKJGtd2DoS6A16J5oTGZG9llnYKDEgcUPEBhI/636WL8uvelHV1t82rB1mM9geHA8fV58QzxAhTxjjE+PAXCz15ku92cLIZXFr1tWEe4UDwLk/z635dc3oWWe6s3q72o3tBgD7qvYdiD0AAH0jfbxc3sjHkfF2LF9dvsx/GQDcbLmZdCHJwkrH5mKpp8CAZiC7IpvEUd5RJrMrFqwg1pU9ykO/H2rpbQEAV7brygUrLVxz8ezFJNh2cxtVc/bkonhq3Ht5jwReX3iNV+elDVIDGKQNUpNxs0x1nkoCZY+S6mHsyUXxE30oGP7R/3tP9Y7ziyNP91J5KQCUNpTqDXoAkPhKBNME412ne6ibBEEzg6iewZ5cFE8NY4XveN8xejw1LJV0cxXPK169ewUAL9+9vP38NgA40ZxSQ1OtlpDCxMI50+ZMrPxMIBfFU4DD5ByOO2zyoRPSwtJIUPyw2DhojNPC0mhg/jU67488AxgAQMgTNv/YfPXbq5miTNEskQvDxep57MnFrt56V890YvK4vFif2D1f7QlwDyCDcafjKl9UkjhmTkx1WjUA9Az38HP5H3Qfxvb5saWx1a3VZjfdsmRL7te5pGAY0Rl0ii7FnbY7l55cqnxRSZ4ajs1F8WbEW8bkXU6aJCXFvEBWsKl80+iVBcsLMr7MAIDT8tOpl8Yt+JGzIw9KDkp8JWYLg7JHmXUr68rTKw7PRfEUxJ98cHJz+Wbjbc1lcdXb1RwmBwCEhcJ6df3oxUKesO67OgAY0g55HfUa0AxYuLJgmmD53OVigTiCFxHgHkCn0UfP7rq960jtkU+Ri+LH/ZGmf6S/pbelVlVb0lDS2Nk4ejY9PL3omyIAkHfIw06EjU2Xfy8P8QwBgI1XNxbVF9l4EheGi5AvTJibkB6R7jHFAwAMYBAXi016C4fn4jPe1p807q6/G+0dbWMTHl0cTfVIbmy3suQy8jZxUXFx1cVVk5OLXb0lAtwDbLROXgWNvaHt9I70ZlzPILFYIJ60XBRvCcvfytm/ntDU9fc/AEjdnrTcTwrjv2udTqOnhKaQOOlC0uWnl8dbmTA3oSy5DABSQlP2/rZXZ9BR2mjejHkksNwbOjwX73jzxPvH87l8AOh433Gt+ZqFlTeUN9SDagDgc/nx/vGUdpnCnJIXn0fiB+0PJi0X73jrdfvso7Mf9R8trNQZdGfkZ3ZG7yRZ15uvG6dUW1W1qtp6db2iS9HW36YeUA9qBrV6LYfJ8XPzk/hKMkWZfm5+ZLHJS4E9udjVT7Crd3dxb89qZ9FZABB0POhx12PL6+fPmN+U0QQAGp2Gn8vvHu6m9JWR2bbcnlws9RNkdchqYl32WmbVOgA8efvk/qv7AMCis5KDkyntpdFpcu7mJP+SPIFz2pOLpd5SnS9pKLExpeRhSeTsSABYH74+X5ZPBgV5gijvqAheRKBHoI+rD4/L47K4TDpzWDv8ZvCNoktR3Vp9vvF8+0D72Avak4ulHsFSj6B4BMUjKB5B8QiKR1A8guIRFI+geATFo3gExSMoHkHxCIpHUDyC4hEUj6B45HPmL9so2ZKs94sNAAAAAElFTkSuQmCC'>
+    <script>
+      setup({ explicit_done: true });
+
+      test(function() {
+        assert_true(window.cspPositiveTest);
+      }, "Allows scripts from the same host.");
+    </script>
+
+    <div id='log'></div>
+
+    <script>
+      var script = document.createElement('script');
+      script.src = '../support/checkReport.sub.js?reportExists=false';
+      script.async = true;
+      script.defer = true;
+      script.addEventListener('load', function() {
+        done();
+      });
+      document.body.appendChild(script);
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
new file mode 100644
index 0000000000..b40d6ffbab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: no-default-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: foobar; report-uri  /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html b/testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html
new file mode 100644
index 0000000000..9b3636c9fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html
@@ -0,0 +1,67 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var tests = [
+      // Make sure that csp works properly in normal situations
+      { "csp": "", "expected": true, "name": "Should load image without any CSP" },
+      { "csp": "img-src 'none';", "expected": false, "name": "Should not load image with 'none' CSP" },
+      // Ensure ASCII whitespaces are properly parsed
+      // ASCII whitespace is U+0009 TAB, U+000A LF, U+000C FF, U+000D CR, or U+0020 SPACE.
+
+      // between directive name and value
+      { "csp": "img-src\u0009'none';", "expected": false, "name": "U+0009 TAB   should be properly parsed between directive name and value" },
+      { "csp": "img-src\u000C'none';", "expected": false, "name": "U+000C FF    should be properly parsed between directive name and value" },
+      { "csp": "img-src\u000A'none';", "expected": false, "name": "U+000A LF    should be properly parsed between directive name and value" },
+      { "csp": "img-src\u000D'none';", "expected": false, "name": "U+000D CR    should be properly parsed between directive name and value" },
+      { "csp": "img-src\u0020'none';", "expected": false, "name": "U+0020 SPACE should be properly parsed between directive name and value" },
+
+      // inside directive value
+      { "csp": "img-src http://example.com\u0009http://example2.com;", "expected": false, "name": "U+0009 TAB   should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u000Chttp://example2.com;", "expected": false, "name": "U+000C FF    should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u000Ahttp://example2.com;", "expected": false, "name": "U+000A LF    should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u000Dhttp://example2.com;", "expected": false, "name": "U+000D CR    should be properly parsed inside directive value" },
+      { "csp": "img-src http://example.com\u0020http://example2.com;", "expected": false, "name": "U+0020 SPACE should be properly parsed inside directive value" },
+
+      // Ensure nbsp (U+00A0) is not considered a valid whitespace
+      // https://github.com/webcompat/web-bugs/issues/18902 has more details about why this particularly relevant
+      { "csp": "img-src\u00A0'none';", "expected": true, "name": "U+00A0 NBSP  should not be parsed between directive name and value" },
+      { "csp": "img-src http://example.com\u00A0http://example2.com;", "expected": true, "name": "U+00A0 NBSP  should not be parsed inside directive value" },
+    ];
+
+    tests.forEach(test => {
+      async_test(t => {
+        var url = "support/load_img_and_post_result_meta.sub.html?csp=" + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - meta tag");
+
+      // We can't test csp delivered in an HTTP header if we're testing CR/LF characters
+      if (test.csp.indexOf("\u000A") == -1 && test.csp.indexOf("\u000D") == -1) {
+        async_test(t => {
+          var url = "support/load_img_and_post_result_header.html?csp=" + encodeURIComponent(test.csp);
+          test_image_loads_as_expected(test, t, url);
+        }, test.name + " - HTTP header");
+      }
+    });
+
+    function test_image_loads_as_expected(test, t, url) {
+      var i = document.createElement('iframe');
+      i.src = url;
+      window.addEventListener('message', t.step_func(function(e) {
+        if (e.source != i.contentWindow) return;
+        if (test.expected) {
+          assert_equals(e.data, "img loaded");
+        } else {
+          assert_equals(e.data, "img not loaded");
+        }
+        t.done();
+      }));
+      document.body.appendChild(i);
+    }
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
new file mode 100644
index 0000000000..3a08dd5621
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+   allowedScriptRan = true;
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html b/testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html
new file mode 100644
index 0000000000..e36ca477b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/policy-does-not-affect-child.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc';">
+    <title>object-src-url-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+  <script nonce='abc'>
+    window.onmessage = function(e) {
+      log(e.data);
+    }
+  </script>
+  <iframe src="support/log-pass.html"></iframe>
+  <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html
new file mode 100644
index 0000000000..e21bede418
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html
@@ -0,0 +1,43 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <!-- This tests a bug that can occur when content layer CSP is not told
+       about the CSP inherited from the parent document which leads to it not
+       applying it to content layer CSP checks (such as frame-src with
+       PlzNavigate on).
+       Also see crbug.com/778658. -->
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t = async_test("iframe still inherits correct CSP");
+
+    window.onmessage = t.step_func_done(function(e) {
+      assert_equals(e.data, "frame-src");
+    });
+
+    function doDocWrite() {
+      x = document.getElementById('x');
+      x.location = "";
+
+      // While document.write is deprecated I did not find another way to reproduce
+      // the original exploit.
+      x.contentDocument.write(
+        '<script>window.addEventListener("securitypolicyviolation", function(e) {' +
+        '  window.top.postMessage(e.violatedDirective, "*");' +
+        '});</scr' + 'ipt>' +
+        '<iframe src="../support/fail.html"></iframe>'
+      );
+      x.contentDocument.close();
+
+      var s = document.createElement('script');
+      s.async = true;
+      s.defer = true;
+      s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27';
+      document.lastChild.appendChild(s);
+    }
+  </script>
+  <iframe id="x" onload="doDocWrite()" srcdoc="<a href='about:blank'>123</a>"></iframe>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers
new file mode 100644
index 0000000000..73fb991fb1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: policy-inherited-correctly-by-plznavigate={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/positiveTest.js b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
new file mode 100644
index 0000000000..15053e055d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
@@ -0,0 +1 @@
+window.cspPositiveTest = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/304-response.py b/testing/web-platform/tests/content-security-policy/generic/support/304-response.py
new file mode 100644
index 0000000000..f9756555f7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/304-response.py
@@ -0,0 +1,33 @@
+def main(request, response):
+    if request.headers.get(b"If-None-Match"):
+        # we are now receing the second request, we will send back a different CSP
+        # with the 304 response
+        response.status = 304
+        headers = [(b"Content-Type", b"text/html"),
+                   (b"Content-Security-Policy", b"script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
+                   (b"Cache-Control", b"private, max-age=0, must-revalidate"),
+                   (b"ETag", b"123456")]
+        return headers, u""
+    else:
+        headers = [(b"Content-Type", b"text/html"),
+                   (b"Content-Security-Policy", b"script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
+                   (b"Cache-Control", b"private, max-age=0, must-revalidate"),
+                   (b"Etag", b"123456")]
+        return headers, u'''
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+        window.addEventListener("securitypolicyviolation", function(e) {
+            top.postMessage(e.originalPolicy, '*');
+        });
+    </script>
+    <script nonce="abc">
+        top.postMessage('abc_executed', '*');
+    </script>
+    <script nonce="def">
+        top.postMessage('def_executed', '*');
+    </script>
+</head>
+</html>
+'''
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/eval.js b/testing/web-platform/tests/content-security-policy/generic/support/eval.js
new file mode 100644
index 0000000000..d8ba2a5589
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/eval.js
@@ -0,0 +1,2 @@
+postMessage('unsafe-inline allowed');
+eval("postMessage('unsafe-eval allowed')");
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html
new file mode 100644
index 0000000000..c7a2e75dba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html
@@ -0,0 +1,11 @@
+<html>
+<body>
+  <script>
+    var img = document.createElement("img");
+    img.src = "/content-security-policy/support/pass.png";
+    img.onload = function() { parent.postMessage('img loaded', '*'); }
+    img.onerror = function() { parent.postMessage('img not loaded', '*'); }
+    document.body.appendChild(img);
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers
new file mode 100644
index 0000000000..e9bf21bab4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: {{GET[csp]}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html
new file mode 100644
index 0000000000..ac0cf39dd0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html
@@ -0,0 +1,14 @@
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+<body>
+  <script>
+    var img = document.createElement("img");
+    img.src = "/content-security-policy/support/pass.png";
+    img.onload = function() { parent.postMessage('img loaded', '*'); }
+    img.onerror = function() { parent.postMessage('img not loaded', '*'); }
+    document.body.appendChild(img);
+  </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/log-pass.html b/testing/web-platform/tests/content-security-policy/generic/support/log-pass.html
new file mode 100644
index 0000000000..4334ea4c66
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/log-pass.html
@@ -0,0 +1,3 @@
+<script>
+   window.parent.postMessage('PASS', '*');
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html
new file mode 100644
index 0000000000..9480e521de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html
@@ -0,0 +1,4 @@
+<script>
+  window.parent.postMessage('PASS (1/2): Script can execute', '*');
+  eval("window.parent.postMessage('PASS (2/2): Eval works', '*')");
+</script>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers
new file mode 100644
index 0000000000..c7e4e7cc5b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js b/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js
new file mode 100644
index 0000000000..d9a6494dd3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js
@@ -0,0 +1,98 @@
+function TestCase(scenarios, sanityChecker) {
+  function runTest(scenario) {
+    sanityChecker.checkScenario(scenario, subresourceMap);
+
+    const urls = getRequestURLs(scenario.subresource,
+                                scenario.origin,
+                                scenario.redirection);
+
+    /** @type {Subresource} */
+    const subresource = {
+      subresourceType: scenario.subresource,
+      url: urls.testUrl,
+      policyDeliveries: scenario.subresource_policy_deliveries,
+    };
+
+    let violationEventResolve;
+    // Resolved with an array of securitypolicyviolation events.
+    const violationEventPromise = new Promise(resolve => {
+        violationEventResolve = resolve;
+      });
+
+    promise_test(async t => {
+      await xhrRequest(urls.announceUrl);
+
+      // Currently only requests from top-level Documents are tested
+      // (specified by `spec.src.json`) and thus securitypolicyviolation
+      // events are assumed to be fired on the top-level Document here.
+      // When adding non-top-level Document tests, securitypolicyviolation
+      // events should be caught in appropriate contexts.
+      const violationEvents = [];
+      const listener = e => { violationEvents.push(e); };
+      document.addEventListener('securitypolicyviolation', listener);
+
+      try {
+        // Send out the real resource request.
+        // This should tear down the key if it's not blocked.
+        const mainPromise = invokeRequest(subresource, scenario.source_context_list);
+        if (scenario.expectation === 'allowed') {
+          await mainPromise;
+        } else {
+          await mainPromise
+              .then(t.unreached_func('main promise resolved unexpectedly'))
+              .catch(_ => {});
+        }
+      } finally {
+        // Always perform post-processing/clean up for
+        // 'securitypolicyviolation' events and resolve
+        // `violationEventPromise`, to prevent timeout of the
+        // promise_test() below.
+
+        // securitypolicyviolation events are fired in a queued task in
+        // https://w3c.github.io/webappsec-csp/#report-violation
+        // so wait for queued tasks to run using setTimeout().
+        let timeout = 0;
+        if (scenario.subresource.startsWith('worklet-') &&
+            navigator.userAgent.includes("Firefox/")) {
+          // https://bugzilla.mozilla.org/show_bug.cgi?id=1808911
+          // In Firefox sometimes violations from Worklets are delayed.
+          timeout = 10;
+        }
+        await new Promise(resolve => setTimeout(resolve, timeout));
+
+        // Pass violation events to `violationEventPromise` (which will be tested
+        // in the subsequent promise_test()) and clean up the listener.
+        violationEventResolve(violationEvents);
+        document.removeEventListener('securitypolicyviolation', listener);
+      }
+
+      // Send request to check if the key has been torn down.
+      const assertResult = await xhrRequest(urls.assertUrl);
+
+      // Now check if the value has been torn down. If it's still there,
+      // we have blocked the request by content security policy.
+      assert_equals(assertResult.status, scenario.expectation,
+        "The resource request should be '" + scenario.expectation + "'.");
+
+    }, scenario.test_description);
+
+    promise_test(async _ => {
+        const violationEvents = await violationEventPromise;
+        if (scenario.expectation === 'allowed') {
+          assert_array_equals(violationEvents, [],
+              'no violation events should be fired');
+        } else {
+          assert_equals(violationEvents.length, 1,
+              'One violation event should be fired');
+        }
+      }, scenario.test_description + ": securitypolicyviolation");
+  }  // runTest
+
+  function runTests() {
+    for (const scenario of scenarios) {
+      runTest(scenario);
+    }
+  }
+
+  return {start: runTests};
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/unreached.js b/testing/web-platform/tests/content-security-policy/generic/unreached.js
new file mode 100644
index 0000000000..893fb5eba1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/unreached.js
@@ -0,0 +1,3 @@
+onload = function() {
+      t1.step(function() {assert_unreached("Script should not have ran.");});
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
new file mode 100644
index 0000000000..da3e2790f5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(wildcardHostTestRan, 'Script should have ran.')},
+        "Wildcard host matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
new file mode 100644
index 0000000000..75ec8cf80e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_false(wildcardHostTestRan, 'Script should not have ran.')},
+        "Wildcard host matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
new file mode 100644
index 0000000000..8b115d7fc4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
@@ -0,0 +1 @@
+wildcardHostTestRan = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
new file mode 100644
index 0000000000..3cd1d2eaed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
@@ -0,0 +1,8 @@
+wildcardPortTestRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(wildcardPortTestRan, 'Script should have ran.')},
+        "Wildcard port matching works."
+    );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
new file mode 100644
index 0000000000..0138deb2ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
@@ -0,0 +1 @@
+wildcardPortTestRan = true;
\ No newline at end of file
-- 
cgit v1.2.3