Import Cobalt 19.master.0.203780
Includes the following patches:
https://cobalt-review.googlesource.com/c/cobalt/+/5210
by errong.leng@samsung.com
https://cobalt-review.googlesource.com/c/cobalt/+/5270
by linus.wang@samsung.com
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
new file mode 100644
index 0000000..912a29e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.
+ </p>
+ <script>
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20''"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 0000000..cbfc8d4
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
new file mode 100644
index 0000000..819c1a6
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-match-blob</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' blob:; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified.
+ </p>
+ <script>
+ function pass() {
+ log("PASS (1/1)");
+ }
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
new file mode 100644
index 0000000..be74e61
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' blob:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
new file mode 100644
index 0000000..66b86f1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-header-and-meta-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+<p>Test passes if both style and image are blocked and a report is generated for the
+ style block from the header-supplied policy.</p>
+
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
+</body>
+
+</html>
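Review bot: The assertion in the last inline script reads `window.getComputedStyle(el).color`, but the inline `<style>` rule that the policy should block sets `background-color`, so the value is `rgb(0, 0, 0)` whether or not `style-src 'self'` stopped the stylesheet. An engine that lets the inline style through still passes this assertion, leaving the violation-report check as the only thing that detects it. Compare the property the rule changes, e.g. `assert_not_equals(window.getComputedStyle(el).backgroundColor, "rgb(0, 0, 255)")`, and give `test()` a name so the result is identifiable. The same assertion appears in combine-multiple-header-policies.html.asis.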
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
new file mode 100644
index 0000000..b1f0e7f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-header-and-meta-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
new file mode 100644
index 0000000..a14be5c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
@@ -0,0 +1,60 @@
+HTTP/1.1 200 OK
+Content-Type: text/html
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a
+Content-Security-Policy: img-src 'none'
+
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-multiple-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+ This test checks that we enforce all the supplied policies. This test passe if it doesn't alert fail and if the style doesn't apply.
+ Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
+</body>
+
+</html>
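Review bot: The `Set-Cookie` and `report-uri` headers at the top of this .asis response carry the fixed ID `d0140e7d-3800-4842-b66d-370840a4569a`, where the sibling `.sub.headers` files use `{{$id:uuid()}}`, so every load of this test shares one report slot. If report.py keeps a stored report until it is read (not visible in this diff), a stale or concurrent run could satisfy `reportExists=true` without this load having produced a violation report. The cookie is also named `combine-multiple-policies` while the file is `combine-multiple-header-policies`; confirm checkReport.sub.js looks up the name that is actually set. The policy comment spells the directive `styls-src`; it should read `style-src` to match the header.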
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
new file mode 100644
index 0000000..0562e0f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..bd3eda4
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
new file mode 100644
index 0000000..c459790
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
+ log("Fail");
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
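Review bot: The `enforcing policy` comment in the head lists `connect-src 'self' http://{{host}}:{{ports[http][0]}}`, but the accompanying .sub.headers file sends only `connect-src 'self'`, which is the policy the blocked case needs; the comment should read `connect-src 'self'; script-src 'self' 'unsafe-inline';`. The verdict in the inline script also depends on `navigator.sendBeacon()` throwing: an engine that blocks the request without raising an exception would log "Fail" while still enforcing the policy, so the violation report is the more reliable signal here. The beacon target `/security/contentSecurityPolicy/echo-report.php` looks like a leftover path from the original layout test rather than a resource in this tree.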
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..69ded8d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
new file mode 100644
index 0000000..b60487b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p>
+ <p>Verify that a CSP connect-src directive blocks redirects.</p>
+ <script>
+ navigator.sendBeacon(
+ "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png",
+ "ping");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..2c69d0d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
new file mode 100644
index 0000000..b3a65f1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..eff5c54
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
new file mode 100644
index 0000000..5be570c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ // Firefox doesn't throw an exception and takes some time to close async
+ if (es.readyState == EventSource.CONNECTING) {
+ setTimeout( function() {
+ es.readyState != EventSource.CLOSED ? log("Fail") : log("Pass");
+ }, 2);
+ } else if (es.readyState == EventSource.CLOSED) {
+ log("Pass");
+ } else {
+ log("Fail");
+ }
+
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..ac37816
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
new file mode 100644
index 0000000..a3ba4ba
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ var es;
+ try {
+ es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ } catch (e) {
+ log("FAIL " + "EventSource() should not throw an exception.");
+ }
+ es.onload = function() {
+ log("FAIL " + "EventSource() should fail to follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ es.onerror = function() {
+ log("PASS " + "EventSource() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
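Review bot: `es.onload` is assigned in the inline script, but EventSource dispatches `open`, `message` and `error` events and has no `load` event, so the FAIL branch can never run; a redirect that is wrongly followed would leave the test waiting instead of reporting failure. Use `es.onopen = function() {` for that handler. If the constructor throws, `es` stays undefined and the handler assignments after the `catch` raise a TypeError, so they belong inside the `try`. The redirect URL has a stray space after `location=`, and `reportValue` appends the redir.php path directly to `connect-src%20'self'`, which does not match the policy text in the .sub.headers file; both look like conversion artifacts worth checking against checkReport.sub.js.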
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..c63c8a9
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
new file mode 100644
index 0000000..4e8499b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://127.0.0.1:8880/echo");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
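Review bot: The WebSocket endpoint is hard-coded as `ws://127.0.0.1:8880` in both the policy comment and the `new WebSocket(...)` call, whereas the other tests in this directory take host and port from the `{{host}}` and `{{ports[...]}}` substitutions, so this test only works where an echo server listens on that exact address. "Pass" is logged as soon as the constructor returns, before any connection attempt completes, so it shows only that construction was not rejected synchronously. connect-src-websocket-blocked.sub.html uses the same hard-coded address and relies on `localhost` being treated as a different source from `127.0.0.1`.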
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..7074351
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
new file mode 100644
index 0000000..68f86de
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://localhost:8880/echo");
+ log("Fail");
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20ws://127.0.0.1:8880"></script>
+</body>
+
+</html>
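Review bot: The `reportValue` passed to checkReport.sub.js is `connect-src%20ws://127.0.0.1:8880`, which omits the `'self'` token that the policy in the .sub.headers file places between the directive name and the WebSocket source. If checkReport matches the expected string against the reported directive text (its implementation is not in this diff), that string never occurs in `connect-src 'self' ws://127.0.0.1:8880` and the report check fails even when blocking works. `reportValue=connect-src%20'self'%20ws://127.0.0.1:8880` would mirror the header.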
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..69036f5
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
new file mode 100644
index 0000000..a2ad121
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://{{host}}:{{ports[http][0]}}/xmlhttprequest/resources/get.txt", true);
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
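Review bot: The inline script calls `xhr.open()` but never `xhr.send()`, so no request is issued and `connect-src` is never consulted; "Pass" is logged for any engine whose `open()` does not throw. To exercise the allowed path, send the request and log from the handlers: `xhr.onload = function() { log("Pass"); };`, `xhr.onerror = function() { log("Fail"); };`, `xhr.send();`. This assumes the target at `{{host}}:{{ports[http][0]}}` is same-origin with the test page or answers with CORS headers, which should be confirmed against the test server configuration.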
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..dbabcad
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
new file mode 100644
index 0000000..014bb21
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
+ xhr.send();
+ xhr.onload = function() {
+ log("Fail");
+ }
+ xhr.onerror = function() {
+ log("Pass");
+ }
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
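Review bot: `xhr.onload` and `xhr.onerror` are assigned after `xhr.send()`, so the outcome depends on the engine never dispatching either event before the script continues. Assigning both handlers before the `xhr.send();` line removes that ordering assumption. The `catch (e)` branch also logs `"Pass"` for any exception from `open()` or `send()`, so a failure unrelated to connect-src would read as a successful block; the violation report checked at the end is the only signal that is specific to CSP.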
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..d338034
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
new file mode 100644
index 0000000..6fc0769
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script id="inject_here"></script>
+</head>
+
+<body>
+ <script>
+ var xhr = new XMLHttpRequest;
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ } catch (e) {
+ log("FAIL " + "XMLHttpRequest.open() should not throw an exception.");
+ }
+ xhr.onload = function() {
+ //cons/**/ole.log(xhr.responseText);
+ if(xhr.responseText == "FAIL") {
+ log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+ } else {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ }
+ log("TEST COMPLETE");
+ };
+ xhr.onerror = function() {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ xhr.send();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
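Review bot: The `checkReport` query expects `violated-directive` to be `connect-src 'self'/security/contentSecurityPolicy/resources/redir.php`, which looks like a path left over from the WebKit original glued onto the directive. The header sends `connect-src 'self'`, so the value would presumably be `reportValue=connect-src%20'self'`; how checkReport.sub.js compares it is not visible here. In `xhr.onload`, every body other than the exact string `"FAIL"` is logged as PASS, so a redirect that was followed to a different or empty response would still pass. The garbled `//cons/**/ole.log(xhr.responseText);` line and the unused `<script id="inject_here">` can be dropped.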
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..452104e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
new file mode 100644
index 0000000..245d99b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
@@ -0,0 +1,32 @@
+<!--
+ This file is modified for Cobalt. The event handlers are set in script
+ instead of in tag attribute.
+-->
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src 'self' about: 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<body>
+ <script>
+ document.body.onload = function() {
+ alert_assert('PASS 2 of 2');
+ }
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <!--iframe src="javascript:alert_assert('PASS 2 of 3')"></iframe-->
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
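Review bot: The "enforcing policy" comment lists `script-src 'self' 'unsafe-inline'`, but the matching `.sub.headers` file sends only `default-src 'self' about: 'unsafe-inline'; connect-src 'self'`. The comment therefore hides that this test allows inline script through the default-src fallback; it should read `default-src 'self' about: 'unsafe-inline'; connect-src 'self';`. With `onload` now assigned from script and the `javascript:` iframe commented out, inline event-handler attributes and `javascript:` URLs are no longer exercised under this policy. The Cobalt note at the top of the file could state that this coverage is dropped on purpose.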
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..f223f06
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self' about: 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
new file mode 100644
index 0000000..ad66a9d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+default-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if the inline scripts don't create failing tests and a CSP report is sent.
+ <script>
+ test(function() {
+ assert_unreached('FAIL inline script ran')
+ });
+
+ </script>
+ <script src="resources/document-write-alert-fail.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=default-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..63ea706
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/duplicate-directive.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
new file mode 100644
index 0000000..4336b72
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>duplicate-directive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';
+-->
+
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of duplicated directives. It passes if the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
new file mode 100644
index 0000000..eefd719
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: duplicate-directive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-allowed.sub.html
new file mode 100644
index 0000000..88da806
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-allowed.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ eval("alert_assert('PASS (1 of 2)')");
+
+ </script>
+ <script>
+ window.eval("alert_assert('PASS (2 of 2)')");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..6bf55a1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 0000000..599b01c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked-and-sends-report</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=eval-blocked-and-sends-report.html; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL')");
+ } catch (e) {
+ log('PASS: eval() blocked.');
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'"></script>
+</body>
+
+</html>
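Review bot: The `catch (e)` around `eval(...)` logs `PASS: eval() blocked.` for any exception, so an error unrelated to CSP would be recorded as a successful block. Assuming the engine raises `EvalError` as the CSP specification describes, the handler can be narrowed to `if (e instanceof EvalError) log('PASS: eval() blocked.'); else throw e;`. eval-blocked.sub.html has the same catch-all in both of its script blocks, even though its log text already claims `PASS EvalError`. The "enforcing policy" comment here also still names `report-uri resources/save-report.php?…`, which the `.sub.headers` file does not send.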
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
new file mode 100644
index 0000000..f197e41
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
new file mode 100644
index 0000000..449f9d1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
@@ -0,0 +1,10 @@
+
+<iframe src="about:blank"></iframe>
+Eval should be blocked in the iframe, but inline script should be allowed.
+<script>
+ window.onload = function() {
+ frames[0].log("<script>alert_assert(/PASS/); eval('alert_assert(/FAIL/);');<\/script>");
+ frames[0].document.close();
+ }
+
+</script>
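Review bot: `frames[0].log(...)` calls a function that an `about:blank` frame does not define, so the `onload` handler most likely throws before any markup reaches the iframe. Given the `<\/script>` escape and the `frames[0].document.close()` that follows, the original call was presumably `frames[0].document.write(...)`, which the conversion renamed to `log`. The page also loads neither testharness.js nor `alertAssert.sub.js`, so `alert_assert` is undefined and nothing reports a result. As written the file cannot show that eval is blocked in the child frame; it should either be restored to `document.write` with the harness scripts included, or be listed as not run.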
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
new file mode 100644
index 0000000..224f25b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-in-about-blank-iframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked.sub.html
new file mode 100644
index 0000000..229667e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <script>
+ try {
+ window.eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'unsafe-inline'"></script>
+</body>
+
+</html>
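Review bot: Both `eval` strings carry the label `'FAIL (1 of 2)'`, so a failure in the `window.eval` block cannot be told apart from one in the first block. The second should read `window.eval("alert_assert('FAIL (2 of 2)')");`. The `checkReport` query expects `script-src 'unsafe-inline'` while the header sends `script-src 'self' 'unsafe-inline' 'unsafe-inline'`. Whether that mismatch matters depends on how checkReport.sub.js compares the value, which is not visible here.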
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..124f56b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 0000000..66fa95d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id_string = setInterval("clearInterval(id_string); alert_assert('PASS 1 of 2')", 0);
+if (id_string == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id_string);
+var id_function = setInterval(function() {
+ clearInterval(id_function);
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id_function == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id_function);
+</script>
+</pre>
+
+</html>
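Review bot: The failure path for the function-based timer uses `document.write('FAIL: …')`, which only changes the page text. The string-based path uses `log(...)`, which `logTest.sub.js?logs=[]` presumably treats as an unexpected entry. For the harness to see both failures, the last statement should be `log('FAIL: Return value for function (should not be 0): ' + id_function);`. The same `document.write` failure path appears in eval-scripts-setInterval-blocked, eval-scripts-setTimeout-allowed and eval-scripts-setTimeout-blocked. The empty `{ }` block and the `<pre>` wrapper outside any `<body>` look like conversion leftovers and could be removed.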
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..f13ba4c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 0000000..5d42d20
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setInterval("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+</script>
+<script>
+var id = setInterval(function() {
+ clearInterval(id);
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..1bd6b63
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 0000000..9b2e595
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('PASS 1 of 2')", 0);
+if (id == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..4d664d6
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 0000000..92233e3
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+</script>
+<script>
+var id = setTimeout(function() {
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..81537fe
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
new file mode 100644
index 0000000..f9e814a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content..
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log = async_test();
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('fail.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20'*'"
+ document.lastChild.appendChild(s);
+ }
+
+
+ </script>
+ <div id="log"></div>
+
+</body>
+
+</html>
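Review bot: The dynamically added `checkReport` script expects `violated-directive` to be `script-src 'self' 'unsafe-inline' '*'`, but the `.sub.headers` file sends `script-src 'self' 'unsafe-inline'` with no `'*'`. If checkReport.sub.js compares the value exactly, which is not visible here, the report check cannot match; the query would then be `reportValue=script-src%20'self'%20'unsafe-inline'`. None of `webkitRequestFileSystem`, `getFile` or `createWriter` is given an error callback, so a storage failure never injects the script and is indistinguishable from a CSP block until the report check runs. The comment `// Create a new Blob and write it to pass.js.` should name `fail.js`, the file actually created.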
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 0000000..a68e2a3
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
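Review bot: The `script-src` list in this header has no `*` source, so the test exercises only the `'self'` half of the claim that filesystem: URLs match neither `'self'` nor `*`. The companion page in this commit expects a violated-directive of `script-src 'self' 'unsafe-inline' '*'`, which this header cannot produce as written; whether that matters depends on how checkReport.sub.js compares the value, which is not visible here. Either add the wildcard to the policy (`script-src 'self' 'unsafe-inline' *;`) or align the page's expected value and its in-page policy comment with this header.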
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
new file mode 100644
index 0000000..99e8592
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-match-filesystem</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function pass() {
+ log("PASS (1/1)");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('pass.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=false"
+ document.lastChild.appendChild(s);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
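Review bot: The "enforcing policy" comment in `<head>` lists `script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'` and leaves out the `filesystem:` source, which is the one this test depends on according to the .sub.headers file added alongside it. The comment should read `script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self';`. Separately, the no-support branch calls `t_log.set_status(...)` without the `t_log = async_test();` line that the do-not-match-self sibling has, so it relies on logTest.sub.js having defined `t_log`; a one-line comment saying so would help.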
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
new file mode 100644
index 0000000..f9956ed
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-match-filesystem={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 0000000..a363ce9
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-default</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>These frames should not be blocked by Content-Security-Policy.
+ It's pointless to block about:blank iframes because
+ blocking a frame just results in displaying about:blank anyway!
+ </p>
+ <iframe src="about:blank"></iframe>
+ <object type="text/html" data="about:blank"></object>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
\ No newline at end of file
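Review bot: `<head>` is never closed and `<body>` is never opened, although `</body>` appears at the end; the parser recovers, but the `<p>`, `<iframe>` and `<object>` are written as if they were head content. Insert `</head>` and `<body>` after the policy comment. frame-src-about-blank-allowed-by-scheme.sub.html has the same structure. The only check is `checkReport.sub.js?reportExists=false`, so a short comment stating that the absence of a violation report is the pass condition would make the intent explicit.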
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
new file mode 100644
index 0000000..ba11699
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 0000000..e4c4739
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-scheme</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>This frame should not be blocked by Content-Security-Policy.
+ </p>
+ <iframe src="about:blank"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
new file mode 100644
index 0000000..e23b82a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
new file mode 100644
index 0000000..1d34679
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>frame-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ This iframe should be allowed.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..05247b4
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
new file mode 100644
index 0000000..fe7555a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'none'"></script>
+</body>
+
+</html>
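Review bot: `alert_assert` uses `t_alert` and `expected_alerts`, but nothing in this file defines them, unlike frame-src-allowed.sub.html, which declares both before the function. If the blocked frame ever did load and post its message, the handler would hit a ReferenceError instead of recording a FAIL, unless logTest.sub.js happens to define those names (not visible here). Dropping the inline copy in favour of `<script src="../support/alertAssert.sub.js?alerts=[]"></script>`, as other tests in this directory do, would presumably give the failure path a defined test object. The trailing `t_log.done()` after `assert_unreached(...)` is also unreachable.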
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..bd0e6d1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
new file mode 100644
index 0000000..5238e7c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-cross-origin-load</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
+ var expected_alerts = ["PASS", "PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_alert.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'self'http://www1.{{host}}:{{ports[http][0]}}"></script>
+</body>
+
+</html>
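Review bot: The expected `reportValue` in the checkReport script tag is `frame-src%20'self'http://www1...`, with no `%20` between `'self'` and the host source, whereas the header policy separates them with a space. If checkReport.sub.js compares more than the directive name, this value will not match the report; it should read `reportValue=frame-src%20'self'%20http://www1.{{host}}:{{ports[http][0]}}`. function-constructor-blocked.sub.html has a similar mismatch: it expects `script-src 'unsafe-inline'` while its header sends `script-src 'self' 'unsafe-inline' 'unsafe-inline'`.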
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
new file mode 100644
index 0000000..0970bbe
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
new file mode 100644
index 0000000..92cd088
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ (new Function("alert_assert('PASS')"))();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..dd80eba
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
new file mode 100644
index 0000000..be0c574
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ (new Function("alert_assert('FAIL')"))();
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'unsafe-inline'"></script>
+</body>
+
+</html>
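Review bot: The `catch (e)` block logs `PASS EvalError` for any exception, so the test would pass even if `new Function(...)` failed for a reason unrelated to CSP. Check the type before logging, e.g. `if (e instanceof EvalError) log("PASS EvalError");`, and let other exceptions propagate so the harness reports them.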
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..eb7da39
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-allowed.sub.html
new file mode 100644
index 0000000..8bacdd3
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-allowed.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<script>
+ {}
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+
+</html>
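Review bot: This page loads no testharness.js and no checkReport script, and the "callbacks" its description mentions do not exist, so nothing here can observe whether the icon request was allowed. icon-blocked.sub.html has the same shape, which means a favicon fetched despite `img-src 'none'` through a dynamically added `<link rel="icon">` would go unnoticed. Both should load the harness scripts and end with a checkReport tag as image-allowed and image-blocked do, `reportExists=false` here and `reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'` for the blocked case. The stray `{}` blocks look like residue from removed calls and can be deleted. The icon URL is hard-coded to `http://localhost` rather than the `{{host}}` substitution used elsewhere.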
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..b7d557b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://localhost; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-blocked.sub.html
new file mode 100644
index 0000000..978f25f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-blocked.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<script>
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..c4dc699
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
new file mode 100644
index 0000000..f3d1e14
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/sandboxed-eval.php"></iframe>
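Review bot: The iframe points at `resources/sandboxed-eval.php`, and the page loads no harness script, so as written it asserts nothing. The report endpoint in the accompanying headers is a `.py` handler, which suggests the test server does not execute PHP; if so, the frame would receive the raw file or a 404. It is worth confirming that the resource exists and is served as intended, or porting it to the server's handler format.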
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
new file mode 100644
index 0000000..2cb1c72
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: iframe-inside-csp={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-allowed.sub.html
new file mode 100644
index 0000000..4668c3a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-allowed.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<!--
+This test was modified to not use the HTML4 intrinsic events 'img onload=' or
+'img=onerror' or to check the img element size.
+ -->
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id='t1'></div>
+ <script>
+ var t1img = document.createElement('img');
+ t1img.onload = function() { alert_assert('PASS'); }
+ t1img.onerror = function() { alert_assert('FAIL'); }
+ t1img.src = '../support/pass.png';
+ var t1div = document.getElementById('t1');
+ t1div.appendChild(t1img);
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..3b85fc6
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-blocked.sub.html
new file mode 100644
index 0000000..ac5c3e1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-blocked.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<!--
+This test was modified to not use the HTML4 intrinsic events 'img onload=' or
+'img=onerror'.
+ -->
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn't alert FAIL and does alert PASS.
+ <div id='t1'></div>
+ <script>
+ var t1img = document.createElement('img');
+ t1img.onload = function() { alert_assert("FAIL"); }
+ t1img.onerror = function() { alert_assert("PASS"); }
+ t1img.src = '../support/pass.png';
+ var t1div = document.getElementById('t1');
+ t1div.appendChild(t1img);
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..c58bb88
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
new file mode 100644
index 0000000..13e0c03
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<!--
+This test was modified to not use the HTML4 intrinsic events 'img onload=' or
+'img=onerror' or to check the img element size.
+ -->
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-full-host-wildcard-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id='t1'></div>
+ <script>
+ var t1img = document.createElement('img');
+ t1img.onload = function() { alert_assert('PASS'); }
+ t1img.onerror = function() { alert_assert('FAIL'); }
+ t1img.src = 'http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/pass.png';
+ var t1div = document.getElementById('t1');
+ t1div.appendChild(t1img);
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
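Review bot: The header comment on this new file writes `'img=onerror'` where `'img onerror='` is meant, and nothing in the file says which matching rule is under test. The policy is `img-src http://*.{{host}}:{{ports[http][0]}}` and the image is fetched from `www1.{{host}}`, so the test covers only the positive case of a subdomain matching a leading-wildcard host source. A short comment above the script, such as `<!-- A leading "*." host-source matches subdomains (here www1 of the test host); the bare host is not exercised by this test. -->`, would make that explicit.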
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..0f384f0
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-full-host-wildcard-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
new file mode 100644
index 0000000..8ec6fe4
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Pass 1 of 2","Pass 2 of 2"]'></script>
+ <!-- enforcing policy:
+ script-src 'self' 'unsafe-inline'; connect-src 'self';
+ -->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..7f34539
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
new file mode 100644
index 0000000..bee3f9a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'"></script>
+</body>
+
+</html>
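Review bot: This blocked variant has no in-page negative assertion: unlike injected-inline-script-allowed.sub.html it loads neither `logTest.sub.js` nor `alertAssert.sub.js`, so the only check is the `checkReport.sub.js` lookup for a `script-src 'self'` violation. `resources/inject-script.js` is not part of this hunk, but if its injected inline script calls `alert_assert`, as the allowed variant's expected alerts suggest, an engine that wrongly executes it would hit an undefined function rather than record a clear failure. Loading `<script src="../support/alertAssert.sub.js?alerts=[]"></script>` in the head, as the sibling blocked tests do, should turn unexpected execution into an explicit FAIL.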
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..e90dec6
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
new file mode 100644
index 0000000..2326c2c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: 2 stylesheets on the page."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ FAIL 1/2
+ </div>
+ <div id="test2">
+ FAIL 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ if (document.styleSheets.length === 2)
+ log("PASS: 2 stylesheets on the page.");
+ else
+ log("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..8a48dc2
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
new file mode 100644
index 0000000..1ed46cb
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ PASS 1/2
+ </div>
+ <div id="test2">
+ PASS 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ log(document.styleSheets.length == 0 ? "PASS" : "FAIL");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..d3f0a5e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
new file mode 100644
index 0000000..9b00df1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
@@ -0,0 +1,128 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed-while-cloning-objects</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.onload = function() {
+ window.nodes = document.getElementById('nodes');
+ window.node1 = document.getElementById('node1');
+ window.node1.style.background = "yellow";
+ window.node1.style.color = "red";
+ window.node2 = document.getElementById('node1').cloneNode(true);
+ window.node2.id = "node2";
+ window.node3 = document.getElementById('node3');
+ window.node3.style.background = "blue";
+ window.node3.style.color = "green";
+ window.node4 = document.getElementById('node3').cloneNode(false);
+ window.node4.id = "node4";
+ window.node4.innerHTML = "Node #4";
+ nodes.appendChild(node1);
+ nodes.appendChild(node2);
+ nodes.appendChild(node3);
+ nodes.appendChild(node4);
+ test(function() {
+ assert_equals(node1.style.backgroundColor.match(/rgb\(255, 255, 0\)/)[0], "rgb(255, 255, 0)")
+ });
+ test(function() {
+ assert_equals(node2.style.backgroundColor.match(/rgb\(255, 255, 0\)/)[0], "rgb(255, 255, 0)")
+ });
+ test(function() {
+ assert_equals(node3.style.backgroundColor.match(/rgb\(0, 0, 255\)/)[0], "rgb(0, 0, 255)")
+ });
+ test(function() {
+ assert_equals(node4.style.backgroundColor.match(/rgb\(0, 0, 255\)/)[0], "rgb(0, 0, 255)")
+ });
+ test(function() {
+ assert_equals(node1.style.color.match(/rgb\(255, 0, 0\)/)[0], "rgb(255, 0, 0)")
+ });
+ test(function() {
+ assert_equals(node2.style.color.match(/rgb\(255, 0, 0\)/)[0], "rgb(255, 0, 0)")
+ });
+ test(function() {
+ assert_equals(node3.style.color.match(/rgb\(0, 128, 0\)/)[0], "rgb(0, 128, 0)")
+ });
+ test(function() {
+ assert_equals(node4.style.color.match(/rgb\(0, 128, 0\)/)[0], "rgb(0, 128, 0)")
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node1).backgroundColor, window.getComputedStyle(node2).backgroundColor)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node3).backgroundColor, window.getComputedStyle(node4).backgroundColor)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node1).color, window.getComputedStyle(node2).color)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(node3).color, window.getComputedStyle(node4).color)
+ });
+ window.ops = document.getElementById('ops');
+ ops.style.color = 'red';
+ window.clonedOps = ops.cloneNode(true);
+ window.violetOps = document.getElementById('violetOps');
+ violetOps.style.background = 'rgb(238, 130, 238)';
+ document.getElementsByTagName('body')[0].appendChild(clonedOps);
+ test(function() {
+ assert_equals(ops.style.backgroundColor, "")
+ });
+ test(function() {
+ assert_equals(ops.style.color.match(/rgb\(255, 0, 0\)/)[0], "rgb(255, 0, 0)")
+ });
+ test(function() {
+ assert_equals(clonedOps.style.backgroundColor, "")
+ });
+ test(function() {
+ assert_equals(violetOps.style.backgroundColor.match(/rgb\(238, 130, 238\)/)[0], "rgb(238, 130, 238)")
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).backgroundColor, window.getComputedStyle(ops).backgroundColor)
+ });
+ test(function() {
+ assert_equals(window.getComputedStyle(clonedOps).color, window.getComputedStyle(ops).color)
+ });
+ test(function() {
+ assert_not_equals(window.getComputedStyle(ops).backgroundColor, window.getComputedStyle(violetOps).backgroundColor)
+ });
+ test(function() {
+ assert_not_equals(window.getComputedStyle(clonedOps).backgroundColor, window.getComputedStyle(violetOps).backgroundColor)
+ });
+ test(function() {
+ assert_equals(ops.id, "ops")
+ });
+ test(function() {
+ assert_equals(ops.id, clonedOps.id)
+ });
+ };
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This test ensures that styles can be set by object.cloneNode()
+ </p>
+ <div id="nodes">
+ This is a div (nodes)
+ <div id="node1"> This is a div. (node 1 or 2)</div>
+ <div id="node3"> This is a div. (node 3 or 4)</div>
+ </div>
+ <div id="ops" style="background: rgb(238, 130, 238)">
+ Yet another div.
+ </div>
+ <div id="violetOps">
+ Yet another div.
+ </div>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
+</body>
+
+</html>
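Review bot: The file does not explain why a test named "allowed" expects a `style-src 'self'` violation report, so the assertions that depend on it read as arbitrary. From the visible lines, the report comes from the `style="background: rgb(238, 130, 238)"` attribute on `#ops`, which the policy blocks, while the script-set `node.style.*` values and their clones are expected to survive; that is why `ops.style.backgroundColor` is asserted to be `""`. A comment above `window.onload` stating this, e.g. `// CSSOM writes and cloneNode() must keep working under style-src 'self'; only the style attribute on #ops is blocked and reported.`, would document the intent. Separately, each `match(...)[0]` throws a TypeError when the colour is missing, so a regression surfaces as an exception instead of an `assert_equals` mismatch, and none of the `test()` calls passes a name.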
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers
new file mode 100644
index 0000000..963fa17
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed-while-cloning-objects={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html
new file mode 100644
index 0000000..bf5ac12
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..8ff58f5
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
new file mode 100644
index 0000000..ab44604
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..7d765e2
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
new file mode 100644
index 0000000..90efe9f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..0b1ec14
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
new file mode 100644
index 0000000..b002af9
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html style="background-color: blue;">
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="style-src 'self'">
+ <title>inline-style-attribute-on-html</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element.
+ </p>
+ <script>
+ log(document.documentElement.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
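Review bot: The `enforcing policy` comment in the head does not match what is delivered. It lists `style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';`, but the accompanying `.sub.headers` file sends only `script-src 'self' 'unsafe-inline'; connect-src 'self'` plus `report-uri`, and the style restriction comes from the `<meta http-equiv>` element as `style-src 'self'`. Since the test's point is that a meta-delivered policy does not apply to the `style` attribute already parsed on `<html>`, the comment should say so, e.g. `<!-- header policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; meta policy: style-src 'self' -->`. The explanatory paragraph also has two typos (`the blocks` for `that blocks`, and `preceeds`).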
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
new file mode 100644
index 0000000..66bf93f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-on-html={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
new file mode 100644
index 0000000..3f7756e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..0b83063
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
new file mode 100644
index 0000000..fe6d2b1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
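Review bot: The page has no test harness: it does not load `testharness.js`, `testharnessreport.js` or `../support/alertAssert.sub.js`, yet it calls `alert_assert`, and it depends on `testRunner.getManifestThen`, which is not defined anywhere in the file and appears to be a hook injected by a layout-test runner. Outside such a runner the script would presumably throw a ReferenceError and report nothing. There is also no `checkReport.sub.js` include, so the violation-report side of the policy is unchecked. manifest-src-blocked.sub.html, media-src-allowed.sub.html and media-src-blocked.sub.html have the same missing-harness problem; if they cannot be converted, they are better marked as unsupported than run.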
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..3fbdc73
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src *; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
new file mode 100644
index 0000000..fe6d2b1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
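Review bot: This file is byte-identical to manifest-src-allowed.sub.html (both index lines show blob `fe6d2b1`), so under `manifest-src 'none'` it still reports `"Pass"` from the `getManifestThen` callback. The hunk gives no way to tell a blocked manifest from a loaded one: the callback takes no argument, and nothing asserts that the fetch failed or that a violation report exists. The blocked variant needs its own pass condition, for instance a `checkReport.sub.js` include with `reportExists=true&reportField=violated-directive&reportValue=manifest-src%20'none'` in the style of the other blocked tests.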
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..4d6e5e3
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
new file mode 100644
index 0000000..4cb4002
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
@@ -0,0 +1,14 @@
+<video></video>
+<script src="../../../media-resources/media-file.js"></script>
+<script src="../../../media-resources/video-test.js"></script>
+<script>
+ waitForEvent('loadedmetadata', function() {
+ alert_assert('PASS');
+ endTestLater();
+ });
+ // Find a supported media file.
+ var mediaFile = findMediaFile("video", "content/test");
+ var mimeType = mimeTypeForFile(mediaFile);
+ video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000";
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..b0401f7
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-blocked.sub.html
new file mode 100644
index 0000000..57c8d5f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-blocked.sub.html
@@ -0,0 +1,15 @@
+<video></video>
+<script src="../../../media-resources/media-file.js"></script>
+<script src="../../../media-resources/video-test.js"></script>
+<p>This test passes if it doesn't alert failure.</p>
+<script>
+ waitForEvent('loadedmetadata', function() {
+ alert_assert('FAIL');
+ });
+ addEventListener('load', endTestLater, false);
+ // Find a supported media file.
+ var mediaFile = findMediaFile("video", "content/test");
+ var mimeType = mimeTypeForFile(mediaFile);
+ video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000";
+
+</script>
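Review bot: This negative test "passes if it doesn't alert failure", so it also passes when the helper scripts fail to load or when the video never starts loading for an unrelated reason. That gives no evidence that `media-src 'none'` was enforced. A positive signal is needed: load the harness scripts and check the violation report as media-src-track-block.sub.html does, with `<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=media-src%20'none'"></script>`. The missing harness includes noted on media-src-allowed.sub.html apply here as well.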
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..86c5695
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-track-block.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-track-block.sub.html
new file mode 100644
index 0000000..c8036ce
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-track-block.sub.html
@@ -0,0 +1,39 @@
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>media-src-track-block</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ function loaded() {
+ alert_assert("FAIL");
+ }
+
+ function errored() {
+ alert_assert("PASS");
+ }
+
+ function start() {
+ var track = document.querySelector('track');
+ track.track.mode = "hidden";
+ track.setAttribute('src', 'resources/track.vtt');
+ }
+
+ </script>
+</head>
+
+<body onload="start()">
+ <video>
+ <track kind="captions" onload="loaded()" onerror="errored()">
+ </video>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=media-src%20'none'"></script>
+</body>
+
+</html>
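Review bot: The file starts at `<html>` with no `<!DOCTYPE html>`, unlike the other converted tests in this directory, so it is parsed in quirks mode. Add `<!DOCTYPE html>` as the first line to keep the track test on the same parsing mode as its siblings. The blocked/allowed decision here rests on the `onload`/`onerror` attributes of `<track>`, so a short comment above `start()` saying that `src` is set late on purpose would help the next reader.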
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
new file mode 100644
index 0000000..85c496e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-track-block={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
new file mode 100644
index 0000000..358b7af
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-in-svg-foreignobject</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test ensures that objects inside SVG foreignobject elements are beholden to the same policy as the rest of the document. This test passes if there i a CSP violation saying the plugin was blocked.</p>
+ <svg>
+ <foreignobject>
+ <object xmlns="http://www.w3.org/1999/xhtml" data="/plugins/resources/mock-plugin.pl">
+ </object>
+ </foreignobject>
+ </svg>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'"></script>
+</body>
+
+</html>
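Review bot: The description paragraph has a typo, "passes if there i a CSP violation", which should read "passes if there is a CSP violation". The pass condition is carried entirely by the `checkReport.sub.js` query (`violated-directive` equal to `object-src 'none'`), so the sentence could say that explicitly; a blocked plugin with no report would otherwise look like a pass to a human reader.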
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
new file mode 100644
index 0000000..a196a15
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-in-svg-foreignobject={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
new file mode 100644
index 0000000..d770278
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="archive.jar" codebase="/plugins/codebase/" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
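Review bot: When `application/x-java-applet` is missing from `navigator.mimeTypes`, the script sets NOTRUN and never appends `checkReport.sub.js`. On an engine without a Java plugin, this file therefore exercises no `object-src` enforcement at all. That is worth stating in a comment at the top of the script so that a NOTRUN result is not read as coverage. The same detection block is copied verbatim into object-src-applet-archive, object-src-applet-code-codebase and object-src-applet-code; moving it into one shared support script would keep the four copies from drifting. The pass-condition sentence is also bare text in `<body>`; wrapping it in `<p>` would match object-in-svg-foreignobject.sub.html.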
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
new file mode 100644
index 0000000..0b71a18
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
new file mode 100644
index 0000000..69c7198
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="/plugins/archive.jar" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
new file mode 100644
index 0000000..4bd5ec1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
new file mode 100644
index 0000000..6121dad
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-code-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="code.class" codebase="/plugins/codebase/"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
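Review bot: `logTest.sub.js?logs=["PASS"]` declares that a "PASS" log entry is expected, but the `<applet code="code.class" codebase="/plugins/codebase/">` element has no `onerror="log('PASS')"` handler, unlike the two archive variants. Nothing visible in this file can produce that entry; how logTest treats an unmet expectation is not shown here, so this may end as a timeout rather than a result. Either add the `onload="log('FAIL')" onerror="log('PASS')"` pair or change the query to `logs=[]`. The title `object-src-applet-archive-code-codebase` also does not match the file name object-src-applet-code-codebase. object-src-applet-code.sub.html has the same missing-handler problem.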
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
new file mode 100644
index 0000000..1ced1a8
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
new file mode 100644
index 0000000..af598bf
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-code</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="/plugins/code.class"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
new file mode 100644
index 0000000..44bd725
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
new file mode 100644
index 0000000..2e2bef2
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn't a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..3746103
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
new file mode 100644
index 0000000..ad3eebc
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..dba0ece
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
new file mode 100644
index 0000000..dace2c4
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is no CSP violation saying the plugin was blocked.
+ <object data="/content-security-policy/support/pass.png"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..bce19c1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
new file mode 100644
index 0000000..4f12d74
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object data="/plugins/resources/mock-plugin.pl"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..1447fd0
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
new file mode 100644
index 0000000..a43e4be
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/alert-pass.html"></iframe>
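Review bot: The whole test is a single `<iframe>`, with no testharness scripts, no `alertAssert.sub.js` expectation and no title, so nothing on this page can report whether the child's alert ran. The sibling tests declare the expected alert through `../support/alertAssert.sub.js?alerts=["PASS"]`; without that, the claim that a parent policy does not restrict the child document goes unchecked. I would add the harness includes and the alert expectation, plus a `title` attribute on the iframe.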
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
new file mode 100644
index 0000000..ff37e37
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: policy-does-not-affect-child={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
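Review bot: `script-src 'self' 'unsafe-inline' 'self'` lists `'self'` twice. The duplicate is harmless to enforcement but looks like a conversion artifact; `script-src 'self' 'unsafe-inline'` says the same thing. If the repeated token is meant to exercise duplicate-source parsing, a comment in the test page should say so.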
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
new file mode 100644
index 0000000..dea8a87
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-blocked-data-uri</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-blocked-data-uri.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
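Review bot: `<img src="">` has an empty `src`, so nothing on the page requests a data: URI, and it is unclear what would raise the `img-src 'none'` violation that `checkReport.sub.js?reportExists=true` waits for. If the data: URL was dropped during conversion or import, it needs to be restored for the test to match its name. The "enforcing policy" comment also names `report-uri resources/save-report.php?test=report-blocked-data-uri.html`, while the header file sends reports to `/content-security-policy/support/report.py`; the comment should be brought in line with the header that is actually served.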
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
new file mode 100644
index 0000000..8530a1c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
new file mode 100644
index 0000000..2922894
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <title>Cookies are not sent on cross origin violation reports</title>
+ <!-- CSP headers
+ Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=$id
+ -->
+</head>
+<body>
+<script>
+ var test = async_test("Image should not load");
+ fetch(
+ "/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/"),
+ {mode: 'no-cors', credentials: 'include'})
+ .then(() => {
+ // This image will generate a CSP violation report.
+ const img = new Image();
+ img.onerror = test.step_func_done();
+ img.onload = test.unreached_func("Should not have loaded the image");
+
+ img.src = "../support/fail.png";
+ document.body.appendChild(img);
+ });
+</script>
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&noCookies=true'></script>
+
+</body>
+</html>
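Review bot: The `fetch(...).then(...)` chain has no rejection handler, so if the set-cookie request fails the image is never created and the async test only ends by timeout. Adding `.catch(test.unreached_func("set-cookie fetch failed"))` after the `.then` block makes that failure explicit. The "CSP headers" comment does not match the served header either: the header adds `http://www1.{{host}}:{{ports[http][0]}}` to `script-src`, adds `connect-src 'self'` and uses `{{$id}}`, not `$id`. The fetch URL is relative, so the cookie is presumably set by the page's own host; whether it is in scope for the www1 report endpoint depends on `set-cookie.py`, which is not shown here. That is worth confirming, since otherwise `noCookies=true` would pass trivially.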
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
new file mode 100644
index 0000000..5a71229
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
new file mode 100644
index 0000000..e7a3b3c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<!--
+ | This test was modified to not use the HTML4 intrinsic events 'img onload=' or
+ | 'img=onerror'.
+ -->
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-disallowed-from-meta</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID=5ada7c32-1c46-4b79-a95f-af33fcf95f8e">
+</head>
+
+<body>
+ This image should be blocked, but should not show up in the violation report because meta policies MUST ignore report-uri.
+ <div id='t1'></div>
+ <script>
+ var t1img = document.createElement('img');
+ t1img.onerror = function() { alert_assert('PASS'); }
+ t1img.onload = function() { alert_assert('FAIL'); }
+ t1img.src = '../resources/abe.png';
+ var t1div = document.getElementById('t1');
+ t1div.appendChild(t1img);
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
new file mode 100644
index 0000000..4c62052
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-disallowed-from-meta=5ada7c32-1c46-4b79-a95f-af33fcf95f8e; Path=/content-security-policy/blink-contrib
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
new file mode 100644
index 0000000..e90cb06
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'&noCookies=true"></script>
+</body>
+
+</html>
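Review bot: The `checkReport.sub.js` query on the last script tag passes `noCookies=true`, which reads as the opposite of what a file named report-same-origin-with-cookies should assert. The `<title>` and the "enforcing policy" comment (a `www1` report-uri with an empty `reportID=`) also appear copied from the cross-origin test, while the accompanying .sub.headers file sends reports same-origin. As written the test seems to check that a same-origin report carries no cookie, so it would not notice an engine that mishandles credentials on same-origin reports. checkReport.sub.js is not part of this hunk, so confirm how it reads `noCookies`, then change the title to `<title>report-same-origin-with-cookies</title>` and align the comment with the header.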
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
new file mode 100644
index 0000000..4655de2
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
new file mode 100644
index 0000000..cf3f72f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-inline-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-inline-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ // This script block will trigger a violation report.
+ var i = document.createElement('img');
+ i.src = 'resources/abe.png';
+ document.body.appendChild(i);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
new file mode 100644
index 0000000..c37a9ff
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
new file mode 100644
index 0000000..790a75b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-image.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
new file mode 100644
index 0000000..ed65601
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri.sub.html
new file mode 100644
index 0000000..9ffb835
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri.sub.html
@@ -0,0 +1,6 @@
+<script src="resources/report-test.js"></script>
+<script>
+ // This script block will trigger a violation report.
+ alert_assert('FAIL');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
new file mode 100644
index 0000000..1416ea7
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=report-uri.html; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
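Review bot: This header repeats the `report-uri` directive, and CSP parsing keeps the first instance of a directive and ignores later ones. A conforming engine would therefore report to `resources/save-report.php?test=report-uri.html` and never to the `report.py?op=put&reportID={{$id}}` endpoint used by the other header files in this diff. `script-src` also lists `'self'` twice and allows `'unsafe-inline'`, so the inline block that report-uri.sub.html says "will trigger a violation report" is permitted. Assuming the test is meant to block that inline script, the header would be `script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}`.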
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/alert-fail.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/alert-fail.html
new file mode 100644
index 0000000..c0fb817
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/alert-fail.html
@@ -0,0 +1,4 @@
+<script>
+ alert('FAIL');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/alert-pass.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/alert-pass.html
new file mode 100644
index 0000000..50e753d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/alert-pass.html
@@ -0,0 +1,4 @@
+<script>
+ alert('PASS');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/blue.css b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/blue.css
new file mode 100644
index 0000000..54aeecc
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/blue.css
@@ -0,0 +1,3 @@
+.target {
+ background-color: blue;
+}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
new file mode 100644
index 0000000..63b0ece
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
@@ -0,0 +1,8 @@
+// Cobalt: document.write() not supported.
+if (document.write) {
+ document.write("<script>test(function () { assert_unreached('FAIL inline script from document.write ran') });</script>");
+} else {
+ var s = document.createElement('script');
+ s.textContent = "test(function () { assert_unreached('FAIL inline script from document.write ran') });";
+ document.body.appendChild(s);
+}
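Review bot: In the Cobalt fallback branch the script is inserted with `createElement`/`appendChild`, so the test no longer exercises the parser-inserted `document.write` path it is named for, yet the assertion text still says "from document.write ran". inject-script.js and inject-style.js carry the same fallback, and there it sends "Pass 1 of 2" and `#test1` through exactly the same DOM path as the second case (with `var s` declared twice). A comment such as `// Cobalt fallback: DOM-inserted, does not cover parser-inserted inline content` would keep the coverage gap visible to whoever reads the results. The fallback also assumes `document.body` is non-null, which holds only if the including page loads these scripts from the body.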
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/generate-csp-report.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
new file mode 100644
index 0000000..887f44f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
@@ -0,0 +1,7 @@
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php?test=generate-csp-report.html">
+<script>
+ // This script block will trigger a violation report.
+ alert('FAIL');
+
+</script>
+<script src="go-to-echo-report.js"></script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
new file mode 100644
index 0000000..e220f2a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
@@ -0,0 +1,12 @@
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.onload = function() {
+ var test = window.location.pathname.replace(/^.+\//, '');
+ var match = window.location.search.match(/^\?test=([^&]+)/);
+ if (match)
+ test = match[1];
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php?test=" + test;
+}
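Review bot: The redirect target `/security/contentSecurityPolicy/resources/echo-report.php` is an absolute path outside the `/content-security-policy/` tree that the other files in this diff use, and inject-image.js likewise points at `/security/resources/abe.png`. Both look like leftovers from the original layout-test location and may not resolve in this tree; the `window.testRunner` guard is similarly specific to that runner. If the file is kept only as a support resource, a header comment such as `// Legacy layout-test helper: echo-report.php has no equivalent in this tree` would stop it from being mistaken for a working part of the report tests.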
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-image.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-image.js
new file mode 100644
index 0000000..1e1f93b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-image.js
@@ -0,0 +1,4 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/security/resources/abe.png';
+document.body.appendChild(i);
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-script.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-script.js
new file mode 100644
index 0000000..f202a9a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-script.js
@@ -0,0 +1,12 @@
+// Cobalt: document.write() not supported.
+if (document.write) {
+ document.write("<script>alert_assert('Pass 1 of 2');</script>");
+} else {
+ var s = document.createElement('script');
+ s.textContent = "alert_assert('Pass 1 of 2');";
+ document.body.appendChild(s);
+}
+
+var s = document.createElement('script');
+s.textContent = "alert_assert('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-style.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-style.js
new file mode 100644
index 0000000..db7ac36
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/inject-style.js
@@ -0,0 +1,12 @@
+// Cobalt: document.write() not supported.
+if (document.write) {
+ document.write("<style>#test1 { display: none; }</style>");
+} else {
+ var s = document.createElement('style');
+ s.textContent = "#test1 { display: none; }";
+ document.body.appendChild(s);
+}
+
+var s = document.createElement('style');
+s.textContent = "#test2 { display: none; }";
+document.body.appendChild(s);
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/post-message.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/post-message.js
new file mode 100644
index 0000000..69daa31
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/postmessage-fail.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
new file mode 100644
index 0000000..a0308ad
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('FAIL', '*');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/postmessage-pass.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
new file mode 100644
index 0000000..700167b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('PASS', '*');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/script.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/script.js
new file mode 100644
index 0000000..54eaf53
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/script.js
@@ -0,0 +1,2 @@
+var result = document.getElementById("result");
+result.firstChild.nodeValue = result.attributes.getNamedItem("text").value;
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
new file mode 100644
index 0000000..1d5fbba
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
@@ -0,0 +1 @@
+Set-Cookie: report-cookie=true
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
new file mode 100644
index 0000000..28937d0
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+}
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
new file mode 100644
index 0000000..28937d0
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+}
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 0000000..ac7368c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/simple-event-stream b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/simple-event-stream
new file mode 100644
index 0000000..e467657
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/simple-event-stream
@@ -0,0 +1 @@
+data: hello
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
new file mode 100644
index 0000000..9bb8bad
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
@@ -0,0 +1 @@
+Content-Type: text/event-stream
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/track.vtt b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/track.vtt
new file mode 100644
index 0000000..365e9ae
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/track.vtt
@@ -0,0 +1 @@
+Subtitles!
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-eval.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-eval.js
new file mode 100644
index 0000000..9aa8712
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
new file mode 100644
index 0000000..afdcc7c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-function-function.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-function-function.js
new file mode 100644
index 0000000..03d9bf4
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
new file mode 100644
index 0000000..afdcc7c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-importscripts.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
new file mode 100644
index 0000000..ca9f2ec
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/blink-contrib/resources/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked: " + e);
+}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
new file mode 100644
index 0000000..57616b1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
new file mode 100644
index 0000000..22819d5
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+}
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 0000000..ac7368c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
new file mode 100644
index 0000000..73359a3
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+}
\ No newline at end of file
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
new file mode 100644
index 0000000..a16827e
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
new file mode 100644
index 0000000..57616b1
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
new file mode 100644
index 0000000..c755504
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it does alert pass.
+<iframe src="data:text/html,<script>alert_assert('PASS');</script>"></iframe>
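Review bot: Nothing in this file loads testharness.js or `../support/alertAssert.sub.js`, and the framed `data:` document is a separate document with no script includes of its own, so unless something outside this diff injects it, `alert_assert` is undefined where it is called and the frame would throw a ReferenceError instead of reporting 'PASS'. sandbox-allow-scripts.sub.html calls `alert_assert` inline with the same missing includes. sandbox-empty-subframe.sub.html is the riskier case, because its "doesn't alert fail" condition would hold even if the sandbox failed to block script. These pages need the harness includes the other tests in this directory carry, such as `<script src="/resources/testharness.js"></script>` and the alertAssert script, plus a way for the frame to signal its parent, for example the `postMessage` call used in resources/postmessage-pass.html.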
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
new file mode 100644
index 0000000..4c79457
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
new file mode 100644
index 0000000..3bdaa12
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it does alert pass.
+<script>
+ alert_assert('PASS');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
new file mode 100644
index 0000000..b6df57d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
new file mode 100644
index 0000000..5ddccfa
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it doesn't alert fail.
+<iframe src="data:text/html,<script>alert_assert('FAIL');</script>"></iframe>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
new file mode 100644
index 0000000..5287112
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
new file mode 100644
index 0000000..4e04e98
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it doesn't alert fail.
+<script>
+ alert_assert('FAIL');
+
+</script>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
new file mode 100644
index 0000000..f7d31c9
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
new file mode 100644
index 0000000..adcc90a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<!--
+ | This test was modified to not use the HTML4 intrinsic event 'body onload='.
+ -->
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>script-src-overrides-default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src about:; script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ alert_assert('PASS 1 of 2');
+ document.body.onload=function() { alert_assert('PASS 2 of 2'); }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
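Review bot: The `enforcing policy` comment in the head does not match the policy delivered by script-src-overrides-default-src.sub.html.sub.headers: the comment repeats `'self' 'unsafe-inline'` and omits `style-src 'self'`. A reader relies on that comment to understand what the test enforces, so it should mirror the header: `default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';`. The same drift appears in shared-worker-connect-src-allowed.sub.html (comment has `http://{{host}}`, header has `http://www1.{{host}}`), worker-connect-src-allowed.sub.html (header carries only `connect-src 'self'`) and worker-eval-blocked.sub.html (comment repeats `'self'`).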
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
new file mode 100644
index 0000000..5d34564
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-overrides-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
new file mode 100644
index 0000000..5f38862
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of 'self'
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ alert_assert('TEST COMPLETE');
+ event.preventDefault();
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script>
+</body>
+
+</html>
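Review bot: `timeout()` is defined but nothing visible in this file schedules or calls it, so if the blob worker is blocked without firing `onerror` or throwing, "TEST COMPLETE" is never asserted and the test can only end through the harness timeout. Either remove the function or add a comment naming the caller that is expected to invoke it. The title also looks copied from another test and should read `<title>self-doesnt-match-blob</title>`, and the descriptive `<p>` sits between `</head>` and `<body>` rather than inside the body. star-doesnt-match-blob.sub.html has the same unused `timeout()` and the same title.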
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 0000000..0584348
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: self-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
new file mode 100644
index 0000000..007d66c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>shared-worker-connect-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr allowed","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js');
+ worker.port.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..eefff95
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
new file mode 100644
index 0000000..f049b93
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>shared-worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src *; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <p>This test loads a shared worker, delivered with its own
+ policy. The worker should be blocked from making an XHR
+ as that policy specifies a connect-src 'none', though
+ this resource's policy is connect-src *. No report
+ should be sent since the worker's policy doesn't specify
+ a report-uri.</p>
+ <script>
+ try {
+ var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js');
+ worker.port.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..bb4fb4c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html
new file mode 100644
index 0000000..b60eccb
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>source-list-parsing-paths-03</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test passes if the source expression does not throw an "invalid source" error.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
new file mode 100644
index 0000000..58e7a22
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: source-list-parsing-paths-03={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 0000000..50b7668
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>srcdoc-doesnt-bypass-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/alertAssert.sub.js?alerts=%5B%5D"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn't alert fail.
+ <iframe srcdoc="<script>window.parent.alert_assert('FAIL')</script>"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers
new file mode 100644
index 0000000..e2ffd11
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: srcdoc-doesnt-bypass-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html
new file mode 100644
index 0000000..fac12b5
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *;
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of *
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ event.preventDefault();
+ alert_assert('TEST COMPLETE');
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script>
+</body>
+
+</html>
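Review bot: The `checkReport.sub.js` query expects `reportValue=child-src%20'self'`, but the policy delivered for this page is `child-src *`, so the reported violated-directive would presumably name `child-src *` and the report check may not match. This looks carried over from self-doesnt-match-blob.sub.html; the expected value should follow this test's own policy, `reportValue=child-src%20*`. How strictly checkReport.sub.js compares the value is not visible here, so confirm against that helper.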
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 0000000..9f7db5b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: star-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-allowed.sub.html
new file mode 100644
index 0000000..edcdb33
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<!--
+ | The loading of style sheet doesn't block the executing of scripts in Cobalt.
+ | Add load event listener to test the style sheet value after the style sheet
+ | is loaded and processed.
+ -->
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+ <script>
+ document.addEventListener("load", function() {
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+ });
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
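Review bot: The listener is registered with `document.addEventListener("load", ...)`, but in the DOM the page load event is dispatched at the window and does not reach listeners on the document, so `log(...)` may never run and the expected `PASS` log entry would be missing. Unless Cobalt deliberately delivers load to the document, register it as `window.addEventListener("load", function() { ... });`. The leading comment explaining the Cobalt-specific change is useful and could also state which object is expected to fire the event.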
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..cdf3945
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-blocked.sub.html
new file mode 100644
index 0000000..847e05b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-blocked.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <link rel="stylesheet" href="resources/blue.css">
+</head>
+
+<body>
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
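Review bot: `document.styleSheets.length` is read synchronously in the inline script, while the Cobalt comment in style-allowed.sub.html states that stylesheet loading does not block script execution. If that holds here, the count can be 0 simply because `resources/blue.css` has not finished loading, so the `PASS` log would not show that `style-src 'none'` blocked it; only the report check would. Consider moving the check into a window load handler, or add a comment such as `<!-- the violation report, not the styleSheets count, is the authoritative signal in Cobalt -->`.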
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..54c3272
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
new file mode 100644
index 0000000..9231491
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr allowed"]'></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers
new file mode 100644
index 0000000..92ef91f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html
new file mode 100644
index 0000000..0541322
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src *; script-src 'self' 'unsafe-inline';
+-->
+
+</head>
+<p>This test loads a worker, which is delivered with its own
+ policy. The worker should be blocked from making an XHR
+ as that policy specifies a connect-src 'none', though
+ this resource's policy is connect-src *. No report
+ should be sent since the worker's policy doesn't specify
+ a report-uri.</p>
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..e302aa8
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
new file mode 100644
index 0000000..ac96e0f
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["eval blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The eval() call in the worker should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-eval.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..8964f80
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-from-guid.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
new file mode 100644
index 0000000..b290b82
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline' blob:;
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from making an XHR
+ to www1 as this resource's policy is connect-src 'self
+ and a guid Worker should inherit is parent's policy.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "var xhr = new XMLHttpRequest;" +
+ "xhr.onerror = function () {" +
+ " postMessage('xhr blocked');" +
+ " postMessage('TEST COMPLETE');" +
+ "};" +
+ "xhr.onload = function () {" +
+ " if (xhr.responseText == 'FAIL') {" +
+ " postMessage('xhr allowed');" +
+ " } else {" +
+ " postMessage('xhr blocked');" +
+ " }" +
+ " postMessage('TEST COMPLETE');" +
+ "};" +
+ "try { " +
+ " xhr.open(" +
+ " 'GET'," +
+ " 'http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis'," +
+ " true" +
+ " );" +
+ " xhr.send();" +
+ "} catch (e) {" +
+ " postMessage('xhr blocked');" +
+ " postMessage('TEST COMPLETE');" +
+ "}"],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
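Review bot: The `<title>` here is `worker-connect-src-blocked`, which does not match the file name worker-from-guid.sub.html and looks copied from another test, so results for this case may be reported under the wrong name; `<title>worker-from-guid</title>` would keep them attributable. The description paragraph sits between `</head>` and `<body>` and should move inside `<body>`. Its wording also needs two fixes: the unterminated quote should read `connect-src 'self'`, and "inherit is parent's policy" should read `inherit its parent's policy`. Policy inheritance by blob: workers is the security property under test, so the prose that states it should be exact.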
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
new file mode 100644
index 0000000..d94d31a
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-from-guid={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
new file mode 100644
index 0000000..1db5747
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-function-function-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Function() function blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The Function constructor should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-function-function.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..b012518
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-function-function-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
new file mode 100644
index 0000000..d3240e3
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-importscripts-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000; connect-src 'self';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var result = '';
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-importscripts.js');
+ worker.onmessage = function(event) {
+ result = event.data;
+ test(function() {
+ assert_equals(result, 'importScripts blocked: NetworkError: Failed to execute \'importScripts\' on \'WorkerGlobalScope\': The script at \'http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js\' failed to load.')
+ });
+ log("TEST COMPLETE");
+ };
+ } catch (e) {
+ result = e;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
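Review bot: The `assert_equals` in `worker.onmessage` pins the complete exception text (`NetworkError: Failed to execute 'importScripts' on 'WorkerGlobalScope': ... failed to load.`), which appears to be one engine's wording rather than anything CSP specifies. An engine that correctly blocks the import but words the error differently would fail this test, and the failure would read like a policy-enforcement regression. Assuming the worker script (not visible here) prefixes its message with `importScripts blocked`, checking only that prefix keeps the security assertion and drops the wording dependency: `assert_equals(String(result).indexOf('importScripts blocked'), 0);`. The `catch` branch compares the exception object itself to a string, so it can only ever fail; a comment saying that is intentional would help.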
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..04de51d
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-importscripts-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-script-src.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-script-src.sub.html
new file mode 100644
index 0000000..9caf772
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-script-src.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
+ foo.onmessage = function(event) {
+ alert_assert("PASS");
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
new file mode 100644
index 0000000..76e5a3b
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
new file mode 100644
index 0000000..119121c
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-set-timeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-set-timeout.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
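Review bot: The `enforcing policy` comment lists `script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'`, but the accompanying .sub.headers file delivers `script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'`, so the comment hides that the parent page permits eval-like calls. That changes how the test reads: the expected `setTimeout blocked` result presumably relies on the worker's own policy rather than the page's. The comment should match the header, and a short `<p>` like the one in worker-eval-blocked.sub.html should state which policy is expected to block the string form of setTimeout. The comment in worker-importscripts-blocked.sub.html drifts in the same way (it names `127.0.0.1:8000`, which its header does not contain).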
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
new file mode 100644
index 0000000..fb6b3d0
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-set-timeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/xsl-blocked-expected.png b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
new file mode 100644
index 0000000..b5daa85
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
Binary files differ
diff --git a/src/third_party/web_platform_tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
new file mode 100644
index 0000000..b5daa85
--- /dev/null
+++ b/src/third_party/web_platform_tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
Binary files differ