content-security-policy: Less Than 2 Passes

Test files without 2 passes: 384; Subtests without 2 passes: 911; Failure level: 911/911 (100.00%)

Test Files

  1. /content-security-policy/navigate-to/form-redirected-allowed.html (1/1, 100.00%, 0.11% of total)
  2. /content-security-policy/svg/svg-policy-with-resource.html (1/1, 100.00%, 0.11% of total)
  3. /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html (1/1, 100.00%, 0.11% of total)
  4. /content-security-policy/generic/directive-name-case-insensitive.sub.html (3/3, 100.00%, 0.33% of total)
  5. /content-security-policy/img-src/img-src-self-unique-origin.html (1/1, 100.00%, 0.11% of total)
  6. /content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html (8/8, 100.00%, 0.88% of total)
  7. /content-security-policy/meta/combine-header-and-meta-policies.sub.html (2/2, 100.00%, 0.22% of total)
  8. /content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html (2/2, 100.00%, 0.22% of total)
  9. /content-security-policy/style-src/style-src-star-allowed.html (1/1, 100.00%, 0.11% of total)
  10. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html (1/1, 100.00%, 0.11% of total)
  11. /content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  12. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html (1/1, 100.00%, 0.11% of total)
  13. /content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html (3/3, 100.00%, 0.33% of total)
  14. /content-security-policy/navigate-to/meta-refresh-allowed.html (1/1, 100.00%, 0.11% of total)
  15. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html (1/1, 100.00%, 0.11% of total)
  16. /content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  17. /content-security-policy/reporting/report-multiple-violations-01.html (2/2, 100.00%, 0.22% of total)
  18. /content-security-policy/child-src/child-src-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  19. /content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  20. /content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html (1/1, 100.00%, 0.11% of total)
  21. /content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html (1/1, 100.00%, 0.11% of total)
  22. /content-security-policy/navigate-to/form-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  23. /content-security-policy/script-src/scriptnonce-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  24. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html (1/1, 100.00%, 0.11% of total)
  25. /content-security-policy/embedded-enforcement/allow_csp_from-header.html (11/11, 100.00%, 1.21% of total)
  26. /content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  27. /content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html (1/1, 100.00%, 0.11% of total)
  28. /content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  29. /content-security-policy/script-src/worker-function-function-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  30. /content-security-policy/style-src/style-src-inline-style-allowed.html (1/1, 100.00%, 0.11% of total)
  31. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html (1/1, 100.00%, 0.11% of total)
  32. /content-security-policy/navigate-to/form-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  33. /content-security-policy/style-src/style-src-hash-allowed.html (1/1, 100.00%, 0.11% of total)
  34. /content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html (1/1, 100.00%, 0.11% of total)
  35. /content-security-policy/style-src/style-src-injected-inline-style-allowed.html (1/1, 100.00%, 0.11% of total)
  36. /content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  37. /content-security-policy/navigation/javascript-url-navigation-inherits-csp.html (1/1, 100.00%, 0.11% of total)
  38. /content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html (1/1, 100.00%, 0.11% of total)
  39. /content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  40. /content-security-policy/navigate-to/link-click-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  41. /content-security-policy/meta/meta-img-src.html (1/1, 100.00%, 0.11% of total)
  42. /content-security-policy/worker-src/service-list.https.sub.html (1/1, 100.00%, 0.11% of total)
  43. /content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html (1/1, 100.00%, 0.11% of total)
  44. /content-security-policy/navigate-to/link-click-allowed.html (1/1, 100.00%, 0.11% of total)
  45. /content-security-policy/img-src/img-src-wildcard-allowed.html (2/2, 100.00%, 0.22% of total)
  46. /content-security-policy/reporting/report-blocked-data-uri.html (1/1, 100.00%, 0.11% of total)
  47. /content-security-policy/reporting/report-blocked-uri.html (1/1, 100.00%, 0.11% of total)
  48. /content-security-policy/style-src/style-src-imported-style-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  49. /content-security-policy/reporting/report-uri-scheme-relative.html (1/1, 100.00%, 0.11% of total)
  50. /content-security-policy/style-src/style-src-none-blocked.html (2/2, 100.00%, 0.22% of total)
  51. /content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html (3/3, 100.00%, 0.33% of total)
  52. /content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html (2/2, 100.00%, 0.22% of total)
  53. /content-security-policy/style-src/style-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  54. /content-security-policy/navigate-to/parent-navigates-child-blocked.html (2/2, 100.00%, 0.22% of total)
  55. /content-security-policy/child-src/child-src-allowed.sub.html (2/2, 100.00%, 0.22% of total)
  56. /content-security-policy/reporting/report-and-enforce.html (3/3, 100.00%, 0.33% of total)
  57. /content-security-policy/generic/generic-0_2_2.sub.html (2/2, 100.00%, 0.22% of total)
  58. /content-security-policy/securitypolicyviolation/inside-service-worker.https.html (1/1, 100.00%, 0.11% of total)
  59. /content-security-policy/script-src/script-src-1_10_1.html (2/2, 100.00%, 0.22% of total)
  60. /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html (5/5, 100.00%, 0.55% of total)
  61. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html (1/1, 100.00%, 0.11% of total)
  62. /content-security-policy/generic/generic-0_2.html (1/1, 100.00%, 0.11% of total)
  63. /content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html (1/1, 100.00%, 0.11% of total)
  64. /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html (1/1, 100.00%, 0.11% of total)
  65. /content-security-policy/script-src/script-src-1_4_1.html (3/3, 100.00%, 0.33% of total)
  66. /content-security-policy/embedded-enforcement/subsumption_algorithm-general.html (8/8, 100.00%, 0.88% of total)
  67. /content-security-policy/media-src/media-src-7_1_2.sub.html (3/3, 100.00%, 0.33% of total)
  68. /content-security-policy/style-src/inline-style-attribute-on-html.sub.html (1/1, 100.00%, 0.11% of total)
  69. /content-security-policy/script-src/scripthash-unicode-normalization.sub.html (2/2, 100.00%, 0.22% of total)
  70. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html (1/1, 100.00%, 0.11% of total)
  71. /content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html (3/3, 100.00%, 0.33% of total)
  72. /content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  73. /content-security-policy/plugin-types/plugintypes-nourl-allowed.html (1/1, 100.00%, 0.11% of total)
  74. /content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html (1/1, 100.00%, 0.11% of total)
  75. /content-security-policy/style-src/style-src-imported-style-blocked.html (2/2, 100.00%, 0.22% of total)
  76. /content-security-policy/script-src/script-src-wildcards-disallowed.html (3/3, 100.00%, 0.33% of total)
  77. /content-security-policy/frame-ancestors/frame-ancestors-self-block.html (1/1, 100.00%, 0.11% of total)
  78. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html (1/1, 100.00%, 0.11% of total)
  79. /content-security-policy/worker-src/shared-list.sub.html (2/2, 100.00%, 0.22% of total)
  80. /content-security-policy/generic/only-valid-whitespaces-are-allowed.html (24/24, 100.00%, 2.63% of total)
  81. /content-security-policy/securitypolicyviolation/inside-dedicated-worker.html (1/1, 100.00%, 0.11% of total)
  82. /content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  83. /content-security-policy/worker-src/dedicated-self.sub.html (1/1, 100.00%, 0.11% of total)
  84. /content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html (2/2, 100.00%, 0.22% of total)
  85. /content-security-policy/sandbox/sandbox-allow-scripts.sub.html (1/1, 100.00%, 0.11% of total)
  86. /content-security-policy/base-uri/base-uri-deny.sub.html (2/2, 100.00%, 0.22% of total)
  87. /content-security-policy/sandbox/sandbox-empty-subframe.sub.html (1/1, 100.00%, 0.11% of total)
  88. /content-security-policy/script-src/script-src-overrides-default-src.sub.html (1/1, 100.00%, 0.11% of total)
  89. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html (1/1, 100.00%, 0.11% of total)
  90. /content-security-policy/script-src/script-src-1_4_2.html (2/2, 100.00%, 0.22% of total)
  91. /content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  92. /content-security-policy/object-src/object-src-url-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  93. /content-security-policy/worker-src/shared-none.sub.html (2/2, 100.00%, 0.22% of total)
  94. /content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html (2/2, 100.00%, 0.22% of total)
  95. /content-security-policy/unsafe-hashes/style_attribute_allowed.html (1/1, 100.00%, 0.11% of total)
  96. /content-security-policy/embedded-enforcement/subsumption_algorithm-none.html (18/18, 100.00%, 1.98% of total)
  97. /content-security-policy/unsafe-eval/function-constructor-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  98. /content-security-policy/generic/duplicate-directive.sub.html (1/1, 100.00%, 0.11% of total)
  99. /content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  100. /content-security-policy/generic/policy-does-not-affect-child.sub.html (1/1, 100.00%, 0.11% of total)
  101. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html (1/1, 100.00%, 0.11% of total)
  102. /content-security-policy/style-src/style-src-inline-style-nonce-blocked.html (2/2, 100.00%, 0.22% of total)
  103. /content-security-policy/blob/blob-urls-do-not-match-self.sub.html (1/1, 100.00%, 0.11% of total)
  104. /content-security-policy/font-src/font-self-allowed.html (1/1, 100.00%, 0.11% of total)
  105. /content-security-policy/script-src/worker-script-src.sub.html (1/1, 100.00%, 0.11% of total)
  106. /content-security-policy/style-src/style-src-inline-style-nonce-allowed.html (1/1, 100.00%, 0.11% of total)
  107. /content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html (2/2, 100.00%, 0.22% of total)
  108. /content-security-policy/media-src/media-src-redir-bug.sub.html (5/5, 100.00%, 0.55% of total)
  109. /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html (7/7, 100.00%, 0.77% of total)
  110. /content-security-policy/child-src/child-src-conflicting-frame-src.sub.html (1/1, 100.00%, 0.11% of total)
  111. /content-security-policy/script-src/scripthash-default-src.sub.html (1/1, 100.00%, 0.11% of total)
  112. /content-security-policy/navigate-to/form-allowed.html (1/1, 100.00%, 0.11% of total)
  113. /content-security-policy/connect-src/connect-src-beacon-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  114. /content-security-policy/worker-src/dedicated-list.sub.html (2/2, 100.00%, 0.22% of total)
  115. /content-security-policy/navigate-to/child-navigates-parent-allowed.html (1/1, 100.00%, 0.11% of total)
  116. /content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html (1/1, 100.00%, 0.11% of total)
  117. /content-security-policy/media-src/media-src-7_2_2.sub.html (3/3, 100.00%, 0.33% of total)
  118. /content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html (13/13, 100.00%, 1.43% of total)
  119. /content-security-policy/unsafe-eval/eval-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  120. /content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html (2/2, 100.00%, 0.22% of total)
  121. /content-security-policy/generic/generic-0_2_3.html (2/2, 100.00%, 0.22% of total)
  122. /content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html (2/2, 100.00%, 0.22% of total)
  123. /content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  124. /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html (16/16, 100.00%, 1.76% of total)
  125. /content-security-policy/securitypolicyviolation/blockeduri-eval.html (1/1, 100.00%, 0.11% of total)
  126. /content-security-policy/securitypolicyviolation/inside-shared-worker.html (3/3, 100.00%, 0.33% of total)
  127. /content-security-policy/connect-src/connect-src-websocket-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  128. /content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  129. /content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html (2/2, 100.00%, 0.22% of total)
  130. /content-security-policy/child-src/child-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  131. /content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  132. /content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html (1/1, 100.00%, 0.11% of total)
  133. /content-security-policy/meta/meta-modified.html (1/1, 100.00%, 0.11% of total)
  134. /content-security-policy/embedded-enforcement/subsumption_algorithm-self.html (7/7, 100.00%, 0.77% of total)
  135. /content-security-policy/script-src/script-src-1_3.html (2/2, 100.00%, 0.22% of total)
  136. /content-security-policy/script-src/scripthash-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  137. /content-security-policy/securitypolicyviolation/constructor-required-fields.html (14/14, 100.00%, 1.54% of total)
  138. /content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  139. /content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html (2/2, 100.00%, 0.22% of total)
  140. /content-security-policy/frame-ancestors/frame-ancestors-self-allow.html (1/1, 100.00%, 0.11% of total)
  141. /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html (1/1, 100.00%, 0.11% of total)
  142. /content-security-policy/worker-src/dedicated-child.sub.html (2/2, 100.00%, 0.22% of total)
  143. /content-security-policy/img-src/icon-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  144. /content-security-policy/script-src/script-src-1_1.html (3/3, 100.00%, 0.33% of total)
  145. /content-security-policy/script-src/scriptnonce-redirect.sub.html (1/1, 100.00%, 0.11% of total)
  146. /content-security-policy/generic/generic-0_9.sub.html (1/1, 100.00%, 0.11% of total)
  147. /content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html (2/2, 100.00%, 0.22% of total)
  148. /content-security-policy/generic/generic-0_8.sub.html (1/1, 100.00%, 0.11% of total)
  149. /content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html (1/1, 100.00%, 0.11% of total)
  150. /content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html (1/1, 100.00%, 0.11% of total)
  151. /content-security-policy/default-src/default-src-inline-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  152. /content-security-policy/style-src/inline-style-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  153. /content-security-policy/unsafe-eval/function-constructor-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  154. /content-security-policy/reporting/report-same-origin-with-cookies.html (3/3, 100.00%, 0.33% of total)
  155. /content-security-policy/worker-src/shared-child.sub.html (2/2, 100.00%, 0.22% of total)
  156. /content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html (1/1, 100.00%, 0.11% of total)
  157. /content-security-policy/media-src/media-src-7_2.html (3/3, 100.00%, 0.33% of total)
  158. /content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html (1/1, 100.00%, 0.11% of total)
  159. /content-security-policy/media-src/media-src-7_3.sub.html (2/2, 100.00%, 0.22% of total)
  160. /content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  161. /content-security-policy/plugin-types/plugintypes-empty.sub.html (1/1, 100.00%, 0.11% of total)
  162. /content-security-policy/navigate-to/href-location-redirected-allowed.html (1/1, 100.00%, 0.11% of total)
  163. /content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html (2/2, 100.00%, 0.22% of total)
  164. /content-security-policy/plugin-types/plugintypes-nourl-blocked.html (1/1, 100.00%, 0.11% of total)
  165. /content-security-policy/inheritance/iframe-all-local-schemes.sub.html (6/6, 100.00%, 0.66% of total)
  166. /content-security-policy/object-src/object-src-no-url-allowed.html (1/1, 100.00%, 0.11% of total)
  167. /content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html (2/2, 100.00%, 0.22% of total)
  168. /content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html (1/1, 100.00%, 0.11% of total)
  169. /content-security-policy/script-src/script-src-1_2_1.html (2/2, 100.00%, 0.22% of total)
  170. /content-security-policy/inheritance/iframe-srcdoc-inheritance.html (2/2, 100.00%, 0.22% of total)
  171. /content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html (1/1, 100.00%, 0.11% of total)
  172. /content-security-policy/unsafe-eval/eval-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  173. /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html (1/1, 100.00%, 0.11% of total)
  174. /content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html (1/1, 100.00%, 0.11% of total)
  175. /content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html (2/2, 100.00%, 0.22% of total)
  176. /content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  177. /content-security-policy/connect-src/worker-from-guid.sub.html (1/1, 100.00%, 0.11% of total)
  178. /content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html (1/1, 100.00%, 0.11% of total)
  179. /content-security-policy/font-src/font-match-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  180. /content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html (1/1, 100.00%, 0.11% of total)
  181. /content-security-policy/script-src/worker-eval-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  182. /content-security-policy/style-src/stylenonce-allowed.sub.html (3/3, 100.00%, 0.33% of total)
  183. /content-security-policy/form-action/form-action-src-get-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  184. /content-security-policy/navigate-to/link-click-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  185. /content-security-policy/frame-src/frame-src-cross-origin-load.sub.html (2/2, 100.00%, 0.22% of total)
  186. /content-security-policy/sandbox/window-reuse-sandboxed.html (1/1, 100.00%, 0.11% of total)
  187. /content-security-policy/navigate-to/form-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  188. /content-security-policy/frame-src/frame-src-self-unique-origin.html (1/1, 100.00%, 0.11% of total)
  189. /content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  190. /content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html (3/3, 100.00%, 0.33% of total)
  191. /content-security-policy/img-src/img-src-4_1.sub.html (3/3, 100.00%, 0.33% of total)
  192. /content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html (1/1, 100.00%, 0.11% of total)
  193. /content-security-policy/securitypolicyviolation/idlharness.window.html (41/41, 100.00%, 4.50% of total)
  194. /content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html (2/2, 100.00%, 0.22% of total)
  195. /content-security-policy/reporting/report-strips-fragment.html (1/1, 100.00%, 0.11% of total)
  196. /content-security-policy/media-src/media-src-7_3_2.sub.html (2/2, 100.00%, 0.22% of total)
  197. /content-security-policy/form-action/form-action-self-allowed-target-blank.html (1/1, 100.00%, 0.11% of total)
  198. /content-security-policy/style-src/inline-style-attribute-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  199. /content-security-policy/script-src/injected-inline-script-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  200. /content-security-policy/generic/generic-0_10.html (1/1, 100.00%, 0.11% of total)
  201. /content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html (1/1, 100.00%, 0.11% of total)
  202. /content-security-policy/connect-src/connect-src-beacon-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  203. /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html (1/1, 100.00%, 0.11% of total)
  204. /content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html (1/1, 100.00%, 0.11% of total)
  205. /content-security-policy/plugin-types/plugintypes-notype-data.html (1/1, 100.00%, 0.11% of total)
  206. /content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html (1/1, 100.00%, 0.11% of total)
  207. /content-security-policy/img-src/icon-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  208. /content-security-policy/style-src/style-src-inline-style-attribute-blocked.html (2/2, 100.00%, 0.22% of total)
  209. /content-security-policy/style-src/style-src-injected-inline-style-blocked.html (2/2, 100.00%, 0.22% of total)
  210. /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html (11/11, 100.00%, 1.21% of total)
  211. /content-security-policy/frame-src/frame-src-redirect.html (1/1, 100.00%, 0.11% of total)
  212. /content-security-policy/style-src/style-src-inline-style-attribute-allowed.html (1/1, 100.00%, 0.11% of total)
  213. /content-security-policy/generic/no-default-src.sub.html (2/2, 100.00%, 0.22% of total)
  214. /content-security-policy/prefetch-src/prefetch-header-allowed.html (3/3, 100.00%, 0.33% of total)
  215. /content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html (1/1, 100.00%, 0.11% of total)
  216. /content-security-policy/script-src/script-src-1_4.html (3/3, 100.00%, 0.33% of total)
  217. /content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html (1/1, 100.00%, 0.11% of total)
  218. /content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  219. /content-security-policy/blob/blob-urls-match-blob.sub.html (1/1, 100.00%, 0.11% of total)
  220. /content-security-policy/object-src/object-src-url-embed-allowed.html (1/1, 100.00%, 0.11% of total)
  221. /content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html (1/1, 100.00%, 0.11% of total)
  222. /content-security-policy/generic/generic-0_1-img-src.html (2/2, 100.00%, 0.22% of total)
  223. /content-security-policy/navigate-to/form-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  224. /content-security-policy/style-src/stylehash-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  225. /content-security-policy/generic/generic-0_10_1.sub.html (2/2, 100.00%, 0.22% of total)
  226. /content-security-policy/script-src/script-src-1_10.html (2/2, 100.00%, 0.22% of total)
  227. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html (1/1, 100.00%, 0.11% of total)
  228. /content-security-policy/navigate-to/meta-refresh-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  229. /content-security-policy/sandbox/iframe-inside-csp.sub.html (1/1, 100.00%, 0.11% of total)
  230. /content-security-policy/worker-src/shared-fallback.sub.html (2/2, 100.00%, 0.22% of total)
  231. /content-security-policy/font-src/font-none-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  232. /content-security-policy/reporting/multiple-report-policies.html (2/2, 100.00%, 0.22% of total)
  233. /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html (1/1, 100.00%, 0.11% of total)
  234. /content-security-policy/style-src/inline-style-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  235. /content-security-policy/frame-src/frame-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  236. /content-security-policy/blob/star-doesnt-match-blob.sub.html (1/1, 100.00%, 0.11% of total)
  237. /content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html (2/2, 100.00%, 0.22% of total)
  238. /content-security-policy/script-src/script-src-1_2.html (3/3, 100.00%, 0.33% of total)
  239. /content-security-policy/svg/svg-policy-resource-doc-includes.html (1/1, 100.00%, 0.11% of total)
  240. /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html (1/1, 100.00%, 0.11% of total)
  241. /content-security-policy/plugin-types/plugintypes-mismatched-url.html (1/1, 100.00%, 0.11% of total)
  242. /content-security-policy/embedded-enforcement/iframe-csp-attribute.html (4/4, 100.00%, 0.44% of total)
  243. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html (1/1, 100.00%, 0.11% of total)
  244. /content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html (1/1, 100.00%, 0.11% of total)
  245. /content-security-policy/svg/object-in-svg-foreignobject.sub.html (1/1, 100.00%, 0.11% of total)
  246. /content-security-policy/reporting/report-uri-multiple-reversed.html (1/1, 100.00%, 0.11% of total)
  247. /content-security-policy/inside-worker/dedicated-inheritance.html (36/36, 100.00%, 3.95% of total)
  248. /content-security-policy/generic/generic-0_8_1.sub.html (1/1, 100.00%, 0.11% of total)
  249. /content-security-policy/worker-src/service-self.https.sub.html (1/1, 100.00%, 0.11% of total)
  250. /content-security-policy/object-src/object-src-no-url-blocked.html (1/1, 100.00%, 0.11% of total)
  251. /content-security-policy/inside-worker/dedicated-script.html (22/22, 100.00%, 2.41% of total)
  252. /content-security-policy/blob/self-doesnt-match-blob.sub.html (1/1, 100.00%, 0.11% of total)
  253. /content-security-policy/script-src/worker-set-timeout-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  254. /content-security-policy/style-src/style-src-inline-style-blocked.html (2/2, 100.00%, 0.22% of total)
  255. /content-security-policy/plugin-types/plugintypes-notype-url.html (1/1, 100.00%, 0.11% of total)
  256. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html (1/1, 100.00%, 0.11% of total)
  257. /content-security-policy/connect-src/worker-connect-src-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  258. /content-security-policy/embedded-enforcement/required_csp-header.html (70/70, 100.00%, 7.68% of total)
  259. /content-security-policy/worker-src/service-child.https.sub.html (1/1, 100.00%, 0.11% of total)
  260. /content-security-policy/worker-src/shared-self.sub.html (1/1, 100.00%, 0.11% of total)
  261. /content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html (3/3, 100.00%, 0.33% of total)
  262. /content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  263. /content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html (1/1, 100.00%, 0.11% of total)
  264. /content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  265. /content-security-policy/navigate-to/href-location-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  266. /content-security-policy/generic/cspro-not-enforced-in-worker.html (2/2, 100.00%, 0.22% of total)
  267. /content-security-policy/script-src/scripthash-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  268. /content-security-policy/script-src/injected-inline-script-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  269. /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html (1/1, 100.00%, 0.11% of total)
  270. /content-security-policy/child-src/child-src-cross-origin-load.sub.html (2/2, 100.00%, 0.22% of total)
  271. /content-security-policy/frame-ancestors/frame-ancestors-none-block.html (1/1, 100.00%, 0.11% of total)
  272. /content-security-policy/style-src/inline-style-attribute-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  273. /content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html (1/1, 100.00%, 0.11% of total)
  274. /content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html (11/11, 100.00%, 1.21% of total)
  275. /content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html (2/2, 100.00%, 0.22% of total)
  276. /content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html (1/1, 100.00%, 0.11% of total)
  277. /content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html (1/1, 100.00%, 0.11% of total)
  278. /content-security-policy/form-action/form-action-src-get-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  279. /content-security-policy/reporting/report-uri-effective-directive.html (1/1, 100.00%, 0.11% of total)
  280. /content-security-policy/style-src/stylehash-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  281. /content-security-policy/navigate-to/link-click-redirected-allowed.html (1/1, 100.00%, 0.11% of total)
  282. /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html (15/15, 100.00%, 1.65% of total)
  283. /content-security-policy/style-src/style-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  284. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html (1/1, 100.00%, 0.11% of total)
  285. /content-security-policy/object-src/object-src-url-blocked.html (1/1, 100.00%, 0.11% of total)
  286. /content-security-policy/default-src/default-src-inline-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  287. /content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html (1/1, 100.00%, 0.11% of total)
  288. /content-security-policy/font-src/font-stylesheet-font-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  289. /content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html (1/1, 100.00%, 0.11% of total)
  290. /content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html (1/1, 100.00%, 0.11% of total)
  291. /content-security-policy/connect-src/connect-src-websocket-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  292. /content-security-policy/prefetch-src/prefetch-allowed.html (3/3, 100.00%, 0.33% of total)
  293. /content-security-policy/script-src/scriptnonce-and-scripthash.sub.html (1/1, 100.00%, 0.11% of total)
  294. /content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html (2/2, 100.00%, 0.22% of total)
  295. /content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html (1/1, 100.00%, 0.11% of total)
  296. /content-security-policy/form-action/form-action-src-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  297. /content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html (1/1, 100.00%, 0.11% of total)
  298. /content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  299. /content-security-policy/worker-src/dedicated-fallback.sub.html (2/2, 100.00%, 0.22% of total)
  300. /content-security-policy/script-src/worker-importscripts-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  301. /content-security-policy/reporting/report-original-url.sub.html (5/5, 100.00%, 0.55% of total)
  302. /content-security-policy/securitypolicyviolation/style-sample.html (2/2, 100.00%, 0.22% of total)
  303. /content-security-policy/reporting/report-uri-multiple.html (1/1, 100.00%, 0.11% of total)
  304. /content-security-policy/generic/filesystem-urls-match-filesystem.sub.html (1/1, 100.00%, 0.11% of total)
  305. /content-security-policy/object-src/object-src-url-allowed.html (1/1, 100.00%, 0.11% of total)
  306. /content-security-policy/object-src/object-src-url-embed-blocked.html (1/1, 100.00%, 0.11% of total)
  307. /content-security-policy/reporting/report-only-in-meta.sub.html (1/1, 100.00%, 0.11% of total)
  308. /content-security-policy/embedded-enforcement/idlharness.window.html (4/4, 100.00%, 0.44% of total)
  309. /content-security-policy/font-src/font-mismatch-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  310. /content-security-policy/navigate-to/anchor-navigation-always-allowed.html (1/1, 100.00%, 0.11% of total)
  311. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html (1/1, 100.00%, 0.11% of total)
  312. /content-security-policy/plugin-types/plugintypes-mismatched-data.html (1/1, 100.00%, 0.11% of total)
  313. /content-security-policy/connect-src/worker-connect-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  314. /content-security-policy/prefetch-src/prefetch-header-blocked.html (3/3, 100.00%, 0.33% of total)
  315. /content-security-policy/navigation/to-javascript-url-frame-src.html (1/1, 100.00%, 0.11% of total)
  316. /content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html (1/1, 100.00%, 0.11% of total)
  317. /content-security-policy/style-src/stylehash-default-src.sub.html (1/1, 100.00%, 0.11% of total)
  318. /content-security-policy/style-src/style-src-hash-blocked.html (3/3, 100.00%, 0.33% of total)
  319. /content-security-policy/reporting/report-uri-from-child-frame.html (1/1, 100.00%, 0.11% of total)
  320. /content-security-policy/base-uri/base-uri-allow.sub.html (1/1, 100.00%, 0.11% of total)
  321. /content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html (1/1, 100.00%, 0.11% of total)
  322. /content-security-policy/inside-worker/shared-script.html (6/6, 100.00%, 0.66% of total)
  323. /content-security-policy/form-action/form-action-src-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  324. /content-security-policy/generic/304-response-should-update-csp.sub.html (4/4, 100.00%, 0.44% of total)
  325. /content-security-policy/form-action/form-action-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  326. /content-security-policy/navigate-to/href-location-allowed.html (1/1, 100.00%, 0.11% of total)
  327. /content-security-policy/connect-src/connect-src-websocket-self.sub.html (1/1, 100.00%, 0.11% of total)
  328. /content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html (1/1, 100.00%, 0.11% of total)
  329. /content-security-policy/navigate-to/parent-navigates-child-allowed.html (1/1, 100.00%, 0.11% of total)
  330. /content-security-policy/reporting/report-cross-origin-no-cookies.sub.html (3/3, 100.00%, 0.33% of total)
  331. /content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html (3/3, 100.00%, 0.33% of total)
  332. /content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html (2/2, 100.00%, 0.22% of total)
  333. /content-security-policy/svg/svg-inline.sub.html (1/1, 100.00%, 0.11% of total)
  334. /content-security-policy/inside-worker/shared-inheritance.html (15/15, 100.00%, 1.65% of total)
  335. /content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html (1/1, 100.00%, 0.11% of total)
  336. /content-security-policy/reporting/report-multiple-violations-02.html (2/2, 100.00%, 0.22% of total)
  337. /content-security-policy/generic/generic-0_1-script-src.html (3/3, 100.00%, 0.33% of total)
  338. /content-security-policy/navigate-to/meta-refresh-redirected-allowed.html (1/1, 100.00%, 0.11% of total)
  339. /content-security-policy/style-src/style-src-error-event-fires.html (2/2, 100.00%, 0.22% of total)
  340. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html (1/1, 100.00%, 0.11% of total)
  341. /content-security-policy/navigate-to/href-location-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  342. /content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  343. /content-security-policy/object-src/object-src-url-redirect-allowed.html (1/1, 100.00%, 0.11% of total)
  344. /content-security-policy/form-action/form-action-src-javascript-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  345. /content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  346. /content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html (6/6, 100.00%, 0.66% of total)
  347. /content-security-policy/worker-src/service-fallback.https.sub.html (1/1, 100.00%, 0.11% of total)
  348. /content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html (1/1, 100.00%, 0.11% of total)
  349. /content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html (1/1, 100.00%, 0.11% of total)
  350. /content-security-policy/script-src/scriptnonce-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  351. /content-security-policy/style-src/injected-inline-style-allowed.sub.html (1/1, 100.00%, 0.11% of total)
  352. /content-security-policy/script-src/eval-allowed-in-report-only-mode.html (1/1, 100.00%, 0.11% of total)
  353. /content-security-policy/media-src/media-src-7_1.html (3/3, 100.00%, 0.33% of total)
  354. /content-security-policy/style-src/injected-inline-style-blocked.sub.html (1/1, 100.00%, 0.11% of total)
  355. /content-security-policy/media-src/media-src-blocked.sub.html (5/5, 100.00%, 0.55% of total)
  356. /content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  357. /content-security-policy/worker-src/service-none.https.sub.html (1/1, 100.00%, 0.11% of total)
  358. /content-security-policy/svg/svg-from-guid.html (1/1, 100.00%, 0.11% of total)
  359. /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html (9/9, 100.00%, 0.99% of total)
  360. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html (1/1, 100.00%, 0.11% of total)
  361. /content-security-policy/worker-src/dedicated-none.sub.html (2/2, 100.00%, 0.22% of total)
  362. /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html (7/7, 100.00%, 0.77% of total)
  363. /content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html (1/1, 100.00%, 0.11% of total)
  364. /content-security-policy/meta/meta-outside-head.sub.html (1/1, 100.00%, 0.11% of total)
  365. /content-security-policy/prefetch-src/prefetch-blocked.html (3/3, 100.00%, 0.33% of total)
  366. /content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  367. /content-security-policy/style-src/stylenonce-blocked.sub.html (2/2, 100.00%, 0.22% of total)
  368. /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html (1/1, 100.00%, 0.11% of total)
  369. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html (1/1, 100.00%, 0.11% of total)
  370. /content-security-policy/reporting/report-uri-from-javascript.html (1/1, 100.00%, 0.11% of total)
  371. /content-security-policy/img-src/report-blocked-data-uri.sub.html (1/1, 100.00%, 0.11% of total)
  372. /content-security-policy/frame-ancestors/frame-ancestors-url-block.html (1/1, 100.00%, 0.11% of total)
  373. /content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html (1/1, 100.00%, 0.11% of total)
  374. /content-security-policy/sandbox/window-reuse-unsandboxed.html (1/1, 100.00%, 0.11% of total)
  375. /content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html (1/1, 100.00%, 0.11% of total)
  376. /content-security-policy/sandbox/sandbox-empty.sub.html (1/1, 100.00%, 0.11% of total)
  377. /content-security-policy/frame-src/frame-src-allowed.sub.html (2/2, 100.00%, 0.22% of total)
  378. /content-security-policy/img-src/img-src-none-blocks.html (1/1, 100.00%, 0.11% of total)
  379. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html (1/1, 100.00%, 0.11% of total)
  380. /content-security-policy/inheritance/window.html (4/4, 100.00%, 0.44% of total)
  381. /content-security-policy/embedded-enforcement/required-csp-header-cascade.html (9/9, 100.00%, 0.99% of total)
  382. /content-security-policy/form-action/form-action-src-default-ignored.sub.html (1/1, 100.00%, 0.11% of total)
  383. /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html (1/1, 100.00%, 0.11% of total)
  384. /content-security-policy/reporting/report-uri-from-inline-javascript.html (1/1, 100.00%, 0.11% of total)
Test Ch73
/content-security-policy/navigate-to/form-redirected-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/svg/svg-policy-with-resource.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["TEST COMPLETE"]PASS
/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html (1/1, 100.00%, 0.11% of total)OK
Non-redirected cross-origin URLs are not stripped.PASS
/content-security-policy/generic/directive-name-case-insensitive.sub.html (3/3, 100.00%, 0.33% of total)OK
Test that the www1 image is allowed to loadPASS
Test that the www2 image is not allowed to loadPASS
Test that the www2 image throws a violation eventPASS
/content-security-policy/img-src/img-src-self-unique-origin.html (1/1, 100.00%, 0.11% of total)OK
Image's url must not match with 'self'. Image must be blocked.PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html (8/8, 100.00%, 0.88% of total)OK
A nonce has to be returned if required by the embedder.PASS
Any nonce subsumes.PASS
Exact nonce subsumes.PASS
Multiples nonces returned subsume.PASS
Nonce intersection is still done on exact match - matching nonces.PASS
Nonce intersection is still done on exact match - non-matching nonces.PASS
Other expressions still have to be subsumed - negative testPASS
Other expressions still have to be subsumed - positive test.PASS
/content-security-policy/meta/combine-header-and-meta-policies.sub.html (2/2, 100.00%, 0.22% of total)OK
Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]PASS
combine-header-and-meta-policiesPASS
/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html (2/2, 100.00%, 0.22% of total)TIMEOUT
Should fire a security policy violation eventNOTRUN
The attribute style should not be appliedPASS
/content-security-policy/style-src/style-src-star-allowed.html (1/1, 100.00%, 0.11% of total)OK
* should allow any stylePASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.NOTRUN
/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.PASS
/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html (3/3, 100.00%, 0.33% of total)OK
Navigated iframe is upgraded and reportedFAIL
Upgraded iframe is reportedFAIL
Upgraded image is reportedFAIL
/content-security-policy/navigate-to/meta-refresh-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.NOTRUN
/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["Pass","violated-directive=connect-src"]PASS
/content-security-policy/reporting/report-multiple-violations-01.html (2/2, 100.00%, 0.22% of total)OK
Test number of sent reports.PASS
Violation report status OK.PASS
/content-security-policy/child-src/child-src-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"]PASS
/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["Pass"]PASS
/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Image that redirects to http:// URL prohibited by Report-Only must generate a violation report, even with upgrade-insecure-requestsTIMEOUT
/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html (1/1, 100.00%, 0.11% of total)OK
form submission targetting a frame allowedPASS
/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Test that the child iframe navigation is not allowedFAIL
Violation report status OK.FAIL
/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.FAIL
/content-security-policy/embedded-enforcement/allow_csp_from-header.html (11/11, 100.00%, 1.21% of total)OK
Allow-CSP-From header enforces EmbeddingCSP.PASS
Allow-CSP-From header with a star value can be returned.PASS
Cross origin iframe with an empty Allow-CSP-From header gets blocked.PASS
Cross origin iframe without Allow-CSP-From header gets blocked.PASS
Iframe with improper Allow-CSP-From header gets blocked.PASS
Same origin iframes are allowed even if Allow-CSP-From does not match origin.PASS
Same origin iframes are allowed even if the Allow-CSP-From is empty.PASS
Same origin iframes are allowed even if the Allow-CSP-From is not present.PASS
Same origin iframes are always allowed.PASS
Star Allow-CSP-From header enforces EmbeddingCSP.PASS
iframe from cross origin does not load without Allow-CSP-From header.PASS
/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS","violated-directive=script-src"]PASS
/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that form-action overrides navigate-to when present.PASS
/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
img-src with wildcard port should match any portPASS
/content-security-policy/script-src/worker-function-function-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["Function() function blocked"]PASS
/content-security-policy/style-src/style-src-inline-style-allowed.html (1/1, 100.00%, 0.11% of total)OK
Inline style should apply with 'unsafe-inline'PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.NOTRUN
/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/style-src/style-src-hash-allowed.html (1/1, 100.00%, 0.11% of total)OK
All style elements should load because they have proper hashesPASS
/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS: eval() blocked.","violated-directive=script-src"]PASS
/content-security-policy/style-src/style-src-injected-inline-style-allowed.html (1/1, 100.00%, 0.11% of total)OK
Injected inline style should load with 'unsafe-inline'PASS
/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Test that the child iframe navigation is allowedNOTRUN
/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html (1/1, 100.00%, 0.11% of total)OK
javascript-url-navigation-inherits-cspFAIL
/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html (1/1, 100.00%, 0.11% of total)OK
Should convert the script contents to UTF-8 before hashingPASS
/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS 1 of 2","PASS 2 of 2"]PASS
/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Test that the child iframe navigation is not allowedFAIL
Violation report status OK.FAIL
/content-security-policy/meta/meta-img-src.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS","TEST COMPLETE"]PASS
/content-security-policy/worker-src/service-list.https.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin service worker allowed by host-source expression.PASS
/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin service worker allowed by default-src 'self'.PASS
/content-security-policy/navigate-to/link-click-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/img-src/img-src-wildcard-allowed.html (2/2, 100.00%, 0.22% of total)OK
img-src with wildcard should match allPASS
img-src with wildcard should not match blobPASS
/content-security-policy/reporting/report-blocked-data-uri.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/reporting/report-blocked-uri.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/style-src/style-src-imported-style-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Imported style that violates policy should not loadPASS
/content-security-policy/reporting/report-uri-scheme-relative.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/style-src/style-src-none-blocked.html (2/2, 100.00%, 0.22% of total)OK
Should fire a securitypolicyviolation eventPASS
Should not stylesheet when style-src is 'none'PASS
/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html (3/3, 100.00%, 0.33% of total)OK
Event is firedPASS
Test that image does not loadPASS
Violation report status OK.PASS
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html (2/2, 100.00%, 0.22% of total)TIMEOUT
Should fire a security policy violation for the attributeNOTRUN
The attribute style should not be applied and the inline style should be appliedPASS
/content-security-policy/style-src/style-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS"]PASS
/content-security-policy/navigate-to/parent-navigates-child-blocked.html (2/2, 100.00%, 0.22% of total)OK
Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`)FAIL
Violation report status OK.FAIL
/content-security-policy/child-src/child-src-allowed.sub.html (2/2, 100.00%, 0.22% of total)OK
Expecting alerts: ["PASS"]PASS
Expecting logs: ["PASS IFrame #1 generated a load event."]PASS
/content-security-policy/reporting/report-and-enforce.html (3/3, 100.00%, 0.33% of total)OK
The image should be blockedPASS
The stylesheet should loadPASS
Violation report status OK.PASS
/content-security-policy/generic/generic-0_2_2.sub.html (2/2, 100.00%, 0.22% of total)OK
Prevents access to external scripts.PASS
Should fire violation events for every failed violationPASS
/content-security-policy/securitypolicyviolation/inside-service-worker.https.html (1/1, 100.00%, 0.11% of total)TIMEOUT
undefinedTIMEOUT
/content-security-policy/script-src/script-src-1_10_1.html (2/2, 100.00%, 0.22% of total)OK
Test that no report violation event was raisedPASS
Verify that data: as script src runs with this policyPASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html (5/5, 100.00%, 0.55% of total)OK
A wildcard host should match a more specific host.PASS
Host must match.PASS
Hosts without wildcards must match.PASS
More specific subdomain should not match.PASS
Specified host should not match a wildcard host.PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.NOTRUN
/content-security-policy/generic/generic-0_2.html (1/1, 100.00%, 0.11% of total)OK
Should fire violation events for every failed violationPASS
/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html (1/1, 100.00%, 0.11% of total)TIMEOUT
undefinedTIMEOUT
/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html (1/1, 100.00%, 0.11% of total)OK
Should convert the script contents to UTF-8 before hashingFAIL
/content-security-policy/script-src/script-src-1_4_1.html (3/3, 100.00%, 0.33% of total)OK
Test that securitypolicyviolation event is firedPASS
window.setInterval()PASS
window.setTimeout()PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html (8/8, 100.00%, 0.88% of total)OK
If there is no required csp, iframe should load.PASS
Iframe should load even if the ports are different but are default for the protocols.PASS
Iframe with a different CSP should be blocked.PASS
Iframe with a matching and more restrictive ports should load.PASS
Iframe with empty returned CSP should be blocked.PASS
Iframe with less restricting CSP should be blocked.PASS
Iframe with matching CSP should load.PASS
Iframe with more restricting CSP should load.PASS
/content-security-policy/media-src/media-src-7_1_2.sub.html (3/3, 100.00%, 0.33% of total)OK
Disallowed async video source elementPASS
Disallowed async video srcPASS
Test that securitypolicyviolation events are firedPASS
/content-security-policy/style-src/inline-style-attribute-on-html.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS"]PASS
/content-security-policy/script-src/scripthash-unicode-normalization.sub.html (2/2, 100.00%, 0.22% of total)OK
Only matching content runs even with NFC normalization.PASS
Should fire securitypolicyviolationPASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.PASS
/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html (3/3, 100.00%, 0.33% of total)OK
Should convert the script contents to UTF-8 before hashing - greek small letter muPASS
Should convert the script contents to UTF-8 before hashing - latin capital letter g with brevePASS
Should convert the script contents to UTF-8 before hashing - latin micro signPASS
/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Test that the child iframe navigation is not allowedFAIL
Violation report status OK.FAIL
/content-security-policy/plugin-types/plugintypes-nourl-allowed.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS"]PASS
/content-security-policy/style-src/style-src-imported-style-blocked.html (2/2, 100.00%, 0.22% of total)OK
@import stylesheet should not load because it does not match style-srcPASS
Should fire a securitypolicyviolation eventPASS
/content-security-policy/script-src/script-src-wildcards-disallowed.html (3/3, 100.00%, 0.33% of total)OK
blob: URIs should not match *PASS
data: URIs should not match *PASS
filesystem URIs should not match *PASS
/content-security-policy/frame-ancestors/frame-ancestors-self-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'self' should block rendering.NOTRUN
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.NOTRUN
/content-security-policy/worker-src/shared-list.sub.html (2/2, 100.00%, 0.22% of total)OK
Same-origin dedicated worker allowed by 'self'.PASS
blob: dedicated worker allowed by 'blob:'.PASS
/content-security-policy/generic/only-valid-whitespaces-are-allowed.html (24/24, 100.00%, 2.63% of total)OK
Should load image without any CSP - HTTP headerPASS
Should load image without any CSP - meta tagPASS
Should not load image with 'none' CSP - HTTP headerPASS
Should not load image with 'none' CSP - meta tagPASS
U+0009 TAB should be properly parsed between directive name and value - HTTP headerPASS
U+0009 TAB should be properly parsed between directive name and value - meta tagPASS
U+0009 TAB should be properly parsed inside directive value - HTTP headerPASS
U+0009 TAB should be properly parsed inside directive value - meta tagPASS
U+000A LF should be properly parsed between directive name and value - meta tagPASS
U+000A LF should be properly parsed inside directive value - meta tagPASS
U+000C FF should be properly parsed between directive name and value - HTTP headerPASS
U+000C FF should be properly parsed between directive name and value - meta tagPASS
U+000C FF should be properly parsed inside directive value - HTTP headerPASS
U+000C FF should be properly parsed inside directive value - meta tagPASS
U+000D CR should be properly parsed between directive name and value - meta tagPASS
U+000D CR should be properly parsed inside directive value - meta tagPASS
U+0020 SPACE should be properly parsed between directive name and value - HTTP headerPASS
U+0020 SPACE should be properly parsed between directive name and value - meta tagPASS
U+0020 SPACE should be properly parsed inside directive value - HTTP headerPASS
U+0020 SPACE should be properly parsed inside directive value - meta tagPASS
U+00A0 NBSP should not be parsed between directive name and value - HTTP headerPASS
U+00A0 NBSP should not be parsed between directive name and value - meta tagPASS
U+00A0 NBSP should not be parsed inside directive value - HTTP headerPASS
U+00A0 NBSP should not be parsed inside directive value - meta tagPASS
/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html (1/1, 100.00%, 0.11% of total)TIMEOUT
undefinedTIMEOUT
/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS","violated-directive=script-src"]PASS
/content-security-policy/worker-src/dedicated-self.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin dedicated worker allowed by 'self'.PASS
/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html (2/2, 100.00%, 0.22% of total)OK
Violation report status OK.PASS
iframe still inherits correct CSP | PASS
/content-security-policy/sandbox/sandbox-allow-scripts.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["Message"] | PASS
/content-security-policy/base-uri/base-uri-deny.sub.html (2/2, 100.00%, 0.22% of total) | OK
Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive | PASS
Check that the baseURI is not set when it does not match the csp directive | PASS
/content-security-policy/sandbox/sandbox-empty-subframe.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS2"] | PASS
/content-security-policy/script-src/script-src-overrides-default-src.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] | PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN
/content-security-policy/script-src/script-src-1_4_2.html (2/2, 100.00%, 0.22% of total) | OK
Test that securitypolicyviolation event is fired | PASS
Unsafe eval ran in Function() constructor. | PASS
/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=connect-src"] | PASS
/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Should block the object and fire a spv | PASS
/content-security-policy/worker-src/shared-none.sub.html (2/2, 100.00%, 0.22% of total) | OK
Same-origin shared worker blocked by 'none'. | PASS
blob: shared worker blocked by 'none'. | PASS
/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html (2/2, 100.00%, 0.22% of total) | OK
Test that style loads if allowed by proper hash values | PASS
Violation report status OK. | PASS
/content-security-policy/unsafe-hashes/style_attribute_allowed.html (1/1, 100.00%, 0.11% of total) | OK
Test that the inline style attribute is loaded | FAIL
/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html (18/18, 100.00%, 1.98% of total) | OK
Both required and returned csp are `none` for only one directive. | PASS
Both required and returned csp are `none`. | PASS
Both required and returned csp are effectively 'none'. | PASS
Both required and returned csp are empty. | PASS
Empty required csp subsumes a policy with `none`. | PASS
Empty required csp subsumes any list of policies. | PASS
Empty required csp subsumes empty list of returned policies. | PASS
Required csp with `none` does not subsume `none` of another directive. | PASS
Required csp with `none` does not subsume `none` of different directives. | PASS
Required csp with `none` does not subsume a host source expression. | PASS
Required csp with `none` subsumes effective list of `none` despite other keywords. | PASS
Required csp with `none` subsumes effective list of `none`. | PASS
Required csp with effective `none` does not subsume `none` of another directive. | PASS
Required csp with effective `none` does not subsume a host source expression. | PASS
Required policy that allows `none` does not subsume empty list of policies. | PASS
Returned csp with `none` is subsumed by any required csp. | PASS
Returned csp with effective `none` is subsumed by any required csp. | PASS
Source list with exprssions other than `none` make `none` ineffective. | PASS
/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS EvalError","violated-directive=script-src"] | PASS
/content-security-policy/generic/duplicate-directive.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting alerts: ["PASS (1/1)"] | PASS
/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Test that the child iframe navigation is allowed | PASS
/content-security-policy/generic/policy-does-not-affect-child.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS"] | PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN
/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html (2/2, 100.00%, 0.22% of total) | OK
Should fire a securitypolicyviolation event | PASS
Should not load inline style element with invalid nonce | PASS
/content-security-policy/blob/blob-urls-do-not-match-self.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=script-src-elem"] | PASS
/content-security-policy/font-src/font-self-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Test font loads if it matches font-src. | PASS
/content-security-policy/script-src/worker-script-src.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS"] | PASS
/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Style with correct nonce should load | PASS
/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html (2/2, 100.00%, 0.22% of total) | OK
Event is fired | PASS
Test that image does not load | PASS
/content-security-policy/media-src/media-src-redir-bug.sub.html (5/5, 100.00%, 0.55% of total) | TIMEOUT
In-policy async video source element | NOTRUN
In-policy async video source element w/redir | NOTRUN
In-policy async video src | NOTRUN
Should not fire policy violation events | NOTRUN
in-policy async video src w/redir | NOTRUN
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html (7/7, 100.00%, 0.77% of total) | OK
'unsafe-eval' is properly subsumed. | PASS
Effective policy is properly found where 'unsafe-eval' is not part of it. | PASS
Effective policy is properly found where 'unsafe-eval' is not subsumed. | PASS
Effective policy is properly found. | PASS
No other keyword has the same effect as 'unsafe-eval'. | PASS
Other expressions have to be subsumed. | PASS
Required csp must allow 'unsafe-eval'. | PASS
/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | PASS
/content-security-policy/script-src/scripthash-default-src.sub.html (1/1, 100.00%, 0.11% of total) | OK
script-hash allowed from default-src | PASS
/content-security-policy/navigate-to/form-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Test that the child iframe navigation is allowed | PASS
/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["Pass", "violated-directive=connect-src"] | PASS
/content-security-policy/worker-src/dedicated-list.sub.html (2/2, 100.00%, 0.22% of total) | OK
Same-origin dedicated worker allowed by host-source expression. | PASS
blob: dedicated worker allowed by 'blob:'. | PASS
/content-security-policy/navigate-to/child-navigates-parent-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`) | PASS
/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
Should fire a security policy violation event | NOTRUN
/content-security-policy/media-src/media-src-7_2_2.sub.html (3/3, 100.00%, 0.33% of total) | OK
Disallaowed audio src | PASS
Disallowed audio source element | PASS
Test that securitypolicyviolation events are fired | PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html (13/13, 100.00%, 1.43% of total) | OK
'sha256-abc123' is not subsumed by 'sha256-abc456'. | PASS
'sha256-abc123' is properly subsumed with other sources. | PASS
'sha256-abc123' is properly subsumed. | PASS
Effective policy is properly found where 'sha256-abc123' is not part of it. | PASS
Effective policy is properly found where 'sha256-abc123' is not subsumed. | PASS
Effective policy is properly found. | PASS
Effective policy now does not allow 'sha256-abc123'. | PASS
Hashes do not have to be present in returned csp but must not allow all inline behavior. | PASS
Hashes do not have to be present in returned csp. | PASS
Other expressions have to be subsumed but 'unsafe-inline' gets ignored. | PASS
Other expressions have to be subsumed. | PASS
Required csp must allow 'sha256-abc123'. | PASS
Returned should not include hashes not present in required csp. | PASS
/content-security-policy/unsafe-eval/eval-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"] | PASS
/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html (2/2, 100.00%, 0.22% of total) | OK
Eval is allowed because the CSP is report-only | PASS
Violation report status OK. | PASS
/content-security-policy/generic/generic-0_2_3.html (2/2, 100.00%, 0.22% of total) | OK
Prevents access to external scripts. | PASS
Should fire violation events for every failed violation | PASS
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html (2/2, 100.00%, 0.22% of total) | TIMEOUT
Should fire a security policy violation for the inline block | NOTRUN
The inline style should not be applied and the attribute style should be applied | FAIL
/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
img src matches correctly partial wildcard host csp directive | PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html (16/16, 100.00%, 1.76% of total) | OK
'strict-dynamic' is ineffective for `style-src`. | PASS
'unsafe-inline' does not matter if returned csp is effectively `none`. | PASS
'unsafe-inline' is ineffective when nonces are present. | PASS
'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`. | PASS
'unsafe-inline' is only ineffective if the effective returned csp has hashes in `style-src`. | PASS
'unsafe-inline' is only ineffective if the effective returned csp has nonces in `style-src`. | PASS
'unsafe-inline' is properly subsumed in `script-src`. | PASS
'unsafe-inline' is properly subsumed in `style-src`. | PASS
Effective returned csp allows 'unsafe-inline' | PASS
Effective returned csp does not allow 'sha512-321cba' hash. | PASS
Required csp allows `strict-dynamic`, but retuned csp does. | PASS
Required csp does not allow `unsafe-inline`, but retuned csp does. | PASS
Returned csp does not have to allow 'unsafe-inline' in `style-src` to be subsumed. | PASS
Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'. | PASS
Returned csp whitelists a hash. | PASS
Returned csp whitelists a nonce. | PASS
/content-security-policy/securitypolicyviolation/blockeduri-eval.html (1/1, 100.00%, 0.11% of total) | OK
Eval violations have a blockedURI of 'eval' | FAIL
/content-security-policy/securitypolicyviolation/inside-shared-worker.html (3/3, 100.00%, 0.33% of total) | TIMEOUT
No SecurityPolicyViolation event fired for successful load. | PASS
SecurityPolicyViolation event fired on global with the correct blockedURI. | TIMEOUT
SecurityPolicyViolation event fired on global. | PASS
/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["blocked","violated-directive=connect-src"] | PASS
/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK
Test that the child iframe navigation is not allowed | FAIL
Violation report status OK. | FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html (2/2, 100.00%, 0.22% of total) | OK
Should fire a securitypolicyviolation event | PASS
Test that paragraph remains unmodified and error events received. | PASS
/content-security-policy/child-src/child-src-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | PASS
/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
img src does not match full host and wildcard csp directive | PASS
/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=script-src-elem"] | PASS
/content-security-policy/meta/meta-modified.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS", "PASS","TEST COMPLETE"] | PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html (7/7, 100.00%, 0.77% of total) | OK
'self' keywords should match. | PASS
Required 'self' should match to a origin's url. | PASS
Required 'self' should subsume a more secure version of origin's url. | PASS
Returned 'self' should match to an origin's url. | PASS
Returned 'self' should not be subsumed by a more secure version of origin's url. | PASS
Returned CSP does not have to specify 'self'. | PASS
Returned CSP must not allow 'self' if required CSP does not. | PASS
/content-security-policy/script-src/script-src-1_3.html (2/2, 100.00%, 0.22% of total) | OK
Inline script in a script tag should run with an unsafe-inline directive | PASS
Should not fire policy violation events | PASS
/content-security-policy/script-src/scripthash-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting alerts: ["PASS (1/4)","PASS (2/4)","PASS (3/4)","PASS (4/4)"] | PASS
/content-security-policy/securitypolicyviolation/constructor-required-fields.html (14/14, 100.00%, 1.54% of total) | OK
SecurityPolicyViolationEvent constructor does not require blockedURI | PASS
SecurityPolicyViolationEvent constructor does not require columnNumber | PASS
SecurityPolicyViolationEvent constructor does not require lineNumber | PASS
SecurityPolicyViolationEvent constructor does not require referrer | PASS
SecurityPolicyViolationEvent constructor does not require sample | PASS
SecurityPolicyViolationEvent constructor does not require sourceFile | PASS
SecurityPolicyViolationEvent constructor requires disposition | PASS
SecurityPolicyViolationEvent constructor requires documentURI | PASS
SecurityPolicyViolationEvent constructor requires effectiveDirective | PASS
SecurityPolicyViolationEvent constructor requires originalPolicy | PASS
SecurityPolicyViolationEvent constructor requires statusCode | PASS
SecurityPolicyViolationEvent constructor requires violatedDirective | PASS
SecurityPolicyViolationEvent constructor should throw with no parameters | PASS
SecurityPolicyViolationEvent constructor works with an init dict | PASS
/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"] | PASS
/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT
Test that no spv event is raised | NOTRUN
Violation report status OK. | PASS
/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html (1/1, 100.00%, 0.11% of total) | OK
A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. | PASS
/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html (1/1, 100.00%, 0.11% of total) | OK
Non-redirected cross-origin URLs are not stripped. | PASS
/content-security-policy/worker-src/dedicated-child.sub.html (2/2, 100.00%, 0.22% of total) | OK
Same-origin dedicated worker allowed by host-source expression. | PASS
blob: dedicated worker allowed by 'blob:'. | PASS
/content-security-policy/img-src/icon-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK
Test that image does not load | PASS
Test that spv event is fired | PASS
/content-security-policy/script-src/script-src-1_1.html (3/3, 100.00%, 0.33% of total) | OK
Inline event handler | PASS
Inline script block | PASS
Should fire policy violation events | PASS
/content-security-policy/script-src/scriptnonce-redirect.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting alerts: ["PASS"] | PASS
/content-security-policy/generic/generic-0_9.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
Test that script does not fire violation event | PASS
/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html (2/2, 100.00%, 0.22% of total) | OK
Should fire a securitypolicyviolation event | PASS
Should not load stylesheet without correct nonce | PASS
/content-security-policy/generic/generic-0_8.sub.html (1/1, 100.00%, 0.11% of total) | OK
Test that script does not fire violation event | PASS
/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html (1/1, 100.00%, 0.11% of total) | OK
Test that form-action overrides navigate-to when present. | PASS
/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html (1/1, 100.00%, 0.11% of total) | OK
form submission targetting _blank allowed after a redirect | PASS
/content-security-policy/default-src/default-src-inline-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"] | PASS
/content-security-policy/style-src/inline-style-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS"] | PASS
/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS"] | PASS
/content-security-policy/reporting/report-same-origin-with-cookies.html (3/3, 100.00%, 0.33% of total) | OK
Image should not load | PASS
Test report cookies. | FAIL
Violation report status OK. | PASS
/content-security-policy/worker-src/shared-child.sub.html (2/2, 100.00%, 0.22% of total) | OK
Same-origin dedicated worker allowed by 'self'. | PASS
blob: dedicated worker allowed by 'blob:'. | PASS
/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html (1/1, 100.00%, 0.11% of total) | OK
A 'frame-ancestors' CSP directive with '*' should allow rendering. | PASS
/content-security-policy/media-src/media-src-7_2.html (3/3, 100.00%, 0.33% of total) | TIMEOUT
In-policy audio source element | NOTRUN
In-policy audio src | NOTRUN
Should not fire policy violation events | NOTRUN
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
Test that the javascript: src is not allowed to run | NOTRUN
/content-security-policy/media-src/media-src-7_3.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT
In-policy track element | NOTRUN
Should not fire policy violation events | NOTRUN
/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["xhr allowed","TEST COMPLETE"] | PASS
/content-security-policy/plugin-types/plugintypes-empty.sub.html (1/1, 100.00%, 0.11% of total) | OK
Should not load the object because plugin-types allows no plugins | PASS
/content-security-policy/navigate-to/href-location-redirected-allowed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
Test that the child iframe navigation is allowed | NOTRUN
/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html (2/2, 100.00%, 0.22% of total) | OK
Event is fired | PASS
Test that image does not load | PASS
/content-security-policy/plugin-types/plugintypes-nourl-blocked.html (1/1, 100.00%, 0.11% of total) | OK
Should not load the object because it does not match plugin-types | PASS
/content-security-policy/inheritance/iframe-all-local-schemes.sub.html (6/6, 100.00%, 0.66% of total) | OK
<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) | PASS
<iframe src='blob:...'>'s inherits policy. | PASS
<iframe src='data:...'>'s inherits policy. | PASS
<iframe src='javascript:...'>'s inherits policy. | PASS
<iframe srcdoc>'s inherits policy. | PASS
<iframe>'s about:blank inherits policy. | PASS
/content-security-policy/object-src/object-src-no-url-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Violation report status OK. | PASS
/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html (2/2, 100.00%, 0.22% of total) | OK
A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page. | PASS
A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page. | PASS
/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"] | PASS
/content-security-policy/script-src/script-src-1_2_1.html (2/2, 100.00%, 0.22% of total) | OK
DOM manipulation inline tests | PASS
Test that securitypolicyviolation event is fired | PASS
/content-security-policy/inheritance/iframe-srcdoc-inheritance.html (2/2, 100.00%, 0.22% of total) | OK
First image should be blocked | PASS
Second image should be blocked | PASS
/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=script-src-elem"] | PASS
/content-security-policy/unsafe-eval/eval-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting alerts: ["PASS (1 of 2)","PASS (2 of 2)"] | PASS
/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html (1/1, 100.00%, 0.11% of total) | OK
Should convert the script contents to UTF-8 before hashing | FAIL
/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS"] | PASS
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html (2/2, 100.00%, 0.22% of total) | TIMEOUT
Should execute the inline script attribute | PASS
Should fire a security policy violation for the attribute | NOTRUN
/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["xhr blocked","TEST COMPLETE"] | PASS
/content-security-policy/connect-src/worker-from-guid.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=connect-src","xhr blocked","TEST COMPLETE"] | FAIL
/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html (1/1, 100.00%, 0.11% of total) | OK
Check that frames load without throwing any violation events | PASS
/content-security-policy/font-src/font-match-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Test font loads if it matches font-src. | PASS
/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html (1/1, 100.00%, 0.11% of total) | OK
Violation report status OK. | PASS
/content-security-policy/script-src/worker-eval-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["eval blocked"] | PASS
/content-security-policy/style-src/stylenonce-allowed.sub.html (3/3, 100.00%, 0.33% of total) | OK
Should fire securitypolicyviolation | PASS
stylenonce-allowed | PASS
stylenonce-allowed 1 | PASS
/content-security-policy/form-action/form-action-src-get-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS","TEST COMPLETE"] | PASS
/content-security-policy/navigate-to/link-click-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK
Test that the child iframe navigation is not allowed | FAIL
Violation report status OK. | FAIL
/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html (2/2, 100.00%, 0.22% of total) | OK
Expecting alerts: ["PASS","PASS"] | PASS
Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"] | PASS
/content-security-policy/sandbox/window-reuse-sandboxed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT
Window object should not be reused | NOTRUN
/content-security-policy/navigate-to/form-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK
Test that the child iframe navigation is not allowed | FAIL
Violation report status OK. | FAIL
/content-security-policy/frame-src/frame-src-self-unique-origin.html (1/1, 100.00%, 0.11% of total) | OK
Iframe's url must not match with 'self'. It must be blocked. | PASS
/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["allowed"] | PASS
/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html (3/3, 100.00%, 0.33% of total) | OK
Test that embedded iframe document image does not load | PASS
Test that parent document image loads | PASS
Test that spv event is fired | PASS
/content-security-policy/img-src/img-src-4_1.sub.html (3/3, 100.00%, 0.33% of total) | OK
img-src for relative path should load | PASS
img-src from approved domains should load | PASS
img-src from unapproved domains should not load | PASS
/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html (1/1, 100.00%, 0.11% of total) | OK
Violation report status OK. | PASS
/content-security-policy/securitypolicyviolation/idlharness.window.html (41/41, 100.00%, 4.50% of total) | OK
SecurityPolicyViolationEvent interface object length | PASS
SecurityPolicyViolationEvent interface object name | PASS
SecurityPolicyViolationEvent interface: attribute blockedURI | PASS
SecurityPolicyViolationEvent interface: attribute blockedURL | FAIL
SecurityPolicyViolationEvent interface: attribute colno | FAIL
SecurityPolicyViolationEvent interface: attribute columnNumber | PASS
SecurityPolicyViolationEvent interface: attribute disposition | PASS
SecurityPolicyViolationEvent interface: attribute documentURI | PASS
SecurityPolicyViolationEvent interface: attribute documentURL | FAIL
SecurityPolicyViolationEvent interface: attribute effectiveDirective | PASS
SecurityPolicyViolationEvent interface: attribute lineNumber | PASS
SecurityPolicyViolationEvent interface: attribute lineno | FAIL
SecurityPolicyViolationEvent interface: attribute originalPolicy | PASS
SecurityPolicyViolationEvent interface: attribute referrer | PASS
SecurityPolicyViolationEvent interface: attribute sample | PASS
SecurityPolicyViolationEvent interface: attribute sourceFile | PASS
SecurityPolicyViolationEvent interface: attribute statusCode | PASS
SecurityPolicyViolationEvent interface: attribute violatedDirective | PASS
SecurityPolicyViolationEvent interface: existence and properties of interface object | PASS
SecurityPolicyViolationEvent interface: existence and properties of interface prototype object | PASS
SecurityPolicyViolationEvent interface: existence and properties of interface prototype object's "constructor" property | PASS
SecurityPolicyViolationEvent interface: existence and properties of interface prototype object's @@unscopables property | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "blockedURI" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "blockedURL" with the proper type | FAIL
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "colno" with the proper type | FAIL
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "columnNumber" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "disposition" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "documentURI" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "documentURL" with the proper type | FAIL
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "effectiveDirective" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "lineNumber" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "lineno" with the proper type | FAIL
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "originalPolicy" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "referrer" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "sample" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "sourceFile" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "statusCode" with the proper type | PASS
SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "violatedDirective" with the proper type | PASS
SecurityPolicyViolationEvent must be primary interface of new SecurityPolicyViolationEvent("securitypolicyviolation") | PASS
Stringification of new SecurityPolicyViolationEvent("securitypolicyviolation") | PASS
idl_test setup | PASS
/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html (2/2, 100.00%, 0.22% of total) | OK
Inline style attributes should not have a sample. | PASS
Inline style blocks should not have a sample. | PASS
/content-security-policy/reporting/report-strips-fragment.html (1/1, 100.00%, 0.11% of total) | OK
Reported document URI does not contain fragments. | PASS
/content-security-policy/media-src/media-src-7_3_2.sub.html (2/2, 100.00%, 0.22% of total) | OK
Disallowed track element onerror handler fires. | PASS
Test that securitypolicyviolation events are fired | PASS
/content-security-policy/form-action/form-action-self-allowed-target-blank.html (1/1, 100.00%, 0.11% of total) | OK
The form submission should not be blocked by the iframe's CSP. | PASS
/content-security-policy/style-src/inline-style-attribute-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=style-src-attr","PASS"] | PASS
/content-security-policy/script-src/injected-inline-script-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=script-src-elem",] | PASS
/content-security-policy/generic/generic-0_10.html (1/1, 100.00%, 0.11% of total) | OK
Test that script does not fire violation event | PASS
/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html (1/1, 100.00%, 0.11% of total) | OK
Whitelisted script without a correct nonce is not allowed with `strict-dynamic`. | PASS
/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["Pass"] | PASS
/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html (1/1, 100.00%, 0.11% of total) | OK
Should convert the script contents to UTF-8 before hashing | FAIL
/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html (1/1, 100.00%, 0.11% of total) | OK
Should not have executed the javascript url | PASS
/content-security-policy/plugin-types/plugintypes-notype-data.html (1/1, 100.00%, 0.11% of total) | OK
Should not load the object because it does not have a declared type | PASS
/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html (1/1, 100.00%, 0.11% of total) | OK
Test that the inline style attribute is blocked | PASS
/content-security-policy/img-src/icon-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Test that image loads | PASS
/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html (2/2, 100.00%, 0.22% of total) | OK
Inline style attribute should not be applied without 'unsafe-inline' | PASS
Should fire a securitypolicyviolation event | PASS
/content-security-policy/style-src/style-src-injected-inline-style-blocked.html (2/2, 100.00%, 0.22% of total) | OK
Injected style attributes should not be applied | PASS
Should fire a securitypolicyviolation event | PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html (11/11, 100.00%, 1.21% of total) | OK
All scheme sources are subsumed by their stronger variants. | PASS
All scheme sources must be subsumed. | PASS
If scheme source is present in returned csp, it must be specified in required csp too. | PASS
Matching `https` protocols. | PASS
The reverse allows iframe be to be loaded. | PASS
`http:` does not subsume other protocols. | PASS
`http:` should subsume all host source expressions with `https:`. | PASS
`http:` should subsume all host source expressions with this protocol. | PASS
`http:` subsumes other `http:` source expression. | PASS
`http:` subsumes other `https:` source expression and expressions with `http:`. | PASS
`https` is more restrictive than `http`. | PASS
/content-security-policy/frame-src/frame-src-redirect.html (1/1, 100.00%, 0.11% of total) | OK
Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect | PASS
/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Inline style attribute should apply with 'unsafe-inline' | PASS
/content-security-policy/generic/no-default-src.sub.html (2/2, 100.00%, 0.22% of total) | OK
Allows scripts from the same host. | PASS
Violation report status OK. | PASS
/content-security-policy/prefetch-src/prefetch-header-allowed.html (3/3, 100.00%, 0.33% of total) | OK
Browser supports performance APIs. | PASS
Browser supports prefetch. | PASS
Prefetch via `Link` header succeeds when allowed by prefetch-src | PASS
/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["violated-directive=script-src","PASS"] | FAIL
/content-security-policy/script-src/script-src-1_4.html (3/3, 100.00%, 0.33% of total) | OK
Test that securitypolicyviolation event is fired | PASS
eval() should not run without 'unsafe-eval' script-src directive. | PASS
eval() should throw without 'unsafe-eval' keyword source in script-src directive. | PASS
/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html (1/1, 100.00%, 0.11% of total) | OK
form submission targetting a frame allowed after a redirect | PASS
/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT
Test that the child iframe navigation is not allowed | NOTRUN
Violation report status OK. | FAIL
/content-security-policy/blob/blob-urls-match-blob.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting logs: ["PASS (1/1)"] | PASS
/content-security-policy/object-src/object-src-url-embed-allowed.html (1/1, 100.00%, 0.11% of total) | OK
Violation report status OK. | PASS
/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html (1/1, 100.00%, 0.11% of total) | OK
A 'frame-ancestors' CSP directive with '*' should allow rendering. | FAIL
/content-security-policy/generic/generic-0_1-img-src.html (2/2, 100.00%, 0.22% of total) | OK
Should fire violation events for every failed violation | PASS
Verify cascading of default-src to img-src policy | PASS
/content-security-policy/navigate-to/form-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK
Test that the child iframe navigation is not allowed | FAIL
Violation report status OK. | FAIL
/content-security-policy/style-src/stylehash-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK
Expecting alerts: ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.","PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.","PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.","PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."] | PASS
/content-security-policy/generic/generic-0_10_1.sub.html (2/2, 100.00%, 0.22% of total) | OK
Prevents access to external scripts. | PASS
Should fire violation events for every failed violation | PASS
/content-security-policy/script-src/script-src-1_10.html (2/2, 100.00%, 0.22% of total) | OK
Test that securitypolicyviolation event is fired | FAIL
Verify that data: as script src doesn't run with this policy | PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.NOTRUN
/content-security-policy/navigate-to/meta-refresh-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Test that the child iframe navigation is not allowedFAIL
Violation report status OK.FAIL
/content-security-policy/sandbox/iframe-inside-csp.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS (1/2): Script can execute","PASS (2/2): Eval works"]PASS
/content-security-policy/worker-src/shared-fallback.sub.html (2/2, 100.00%, 0.22% of total)OK
Same-origin dedicated worker allowed by 'self'.PASS
blob: dedicated worker allowed by 'blob:'.PASS
/content-security-policy/font-src/font-none-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Test font does not load if it does not match font-src.PASS
/content-security-policy/reporting/multiple-report-policies.html (2/2, 100.00%, 0.22% of total)OK
1-Violation report status OKPASS
2-Violation report status OKPASS
/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html (1/1, 100.00%, 0.11% of total)OK
Non-redirected same-origin URLs are not stripped.PASS
/content-security-policy/style-src/inline-style-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS"]PASS
/content-security-policy/frame-src/frame-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS IFrame #1 generated a load event.","violated-directive=frame-src"]PASS
/content-security-policy/blob/star-doesnt-match-blob.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"]PASS
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html (2/2, 100.00%, 0.22% of total)TIMEOUT
Should execute the inline script blockPASS
Should fire a security policy violation for the attributeNOTRUN
/content-security-policy/script-src/script-src-1_2.html (3/3, 100.00%, 0.33% of total)OK
Inline event handlerPASS
Inline script blockPASS
Should fire policy violation eventsPASS
/content-security-policy/svg/svg-policy-resource-doc-includes.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["TEST COMPLETE"]PASS
/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html (1/1, 100.00%, 0.11% of total)OK
Should convert the script contents to UTF-8 before hashingFAIL
/content-security-policy/plugin-types/plugintypes-mismatched-url.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Should not load the object because its declared type does not match its actual typeNOTRUN
/content-security-policy/embedded-enforcement/iframe-csp-attribute.html (4/4, 100.00%, 0.44% of total)OK
<iframe> has a 'csp' attibute which is an empty string if undefined.PASS
<iframe>'s 'csp content attribute reflects the IDL attribute.PASS
<iframe>'s IDL attribute reflects the DOM attribute.PASS
<iframe>'s csp attribute is always a string.PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.NOTRUN
/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that form-action overrides navigate-to when present.PASS
/content-security-policy/svg/object-in-svg-foreignobject.sub.html (1/1, 100.00%, 0.11% of total)OK
Should throw a securitypolicyviolationPASS
/content-security-policy/reporting/report-uri-multiple-reversed.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/inside-worker/dedicated-inheritance.html (36/36, 100.00%, 3.95% of total)OK
Cross-origin 'fetch()' in blob:PASS
Cross-origin 'fetch()' in filesystem:PASS
Cross-origin 'fetch()' in http:PASS
Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27)PASS
Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*)PASS
Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
Cross-origin XHR in blob:PASS
Cross-origin XHR in filesystem:PASS
Cross-origin XHR in http:PASS
Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27)PASS
Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*)PASS
Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
Filesystem and blob.PASS
Same-origin 'fetch()' in blob:PASS
Same-origin 'fetch()' in filesystem:PASS
Same-origin 'fetch()' in http:PASS
Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27)PASS
Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*)PASS
Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
Same-origin => cross-origin 'fetch()' in blob:PASS
Same-origin => cross-origin 'fetch()' in filesystem:PASS
Same-origin => cross-origin 'fetch()' in http:PASS
Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27)PASS
Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*)PASS
Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
Same-origin XHR in blob:PASS
Same-origin XHR in filesystem:PASS
Same-origin XHR in http:PASS
Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27)PASS
Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*)PASS
Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
/content-security-policy/generic/generic-0_8_1.sub.html (1/1, 100.00%, 0.11% of total)OK
Should fire violation events for every failed violationPASS
/content-security-policy/worker-src/service-self.https.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin service worker allowed by 'self'.PASS
/content-security-policy/object-src/object-src-no-url-blocked.html (1/1, 100.00%, 0.11% of total)OK
Should block the object and fire a spvPASS
/content-security-policy/inside-worker/dedicated-script.html (22/22, 100.00%, 2.41% of total)OK
Cross-origin `importScripts()` blocked in blob:PASS
Cross-origin `importScripts()` blocked in filesystem:PASS
Cross-origin `importScripts()` blocked in http:PASS
Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27none%27)PASS
Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*)PASS
Filesystem and blob.PASS
`eval()` blocked in blob:PASS
`eval()` blocked in filesystem:PASS
`eval()` blocked in http:PASS
`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27none%27)PASS
`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*)PASS
`setTimeout([string])` blocked in blob:PASS
`setTimeout([string])` blocked in filesystem:PASS
`setTimeout([string])` blocked in http:PASS
`setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27)PASS
`setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)PASS
`setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27none%27)PASS
`setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*)PASS
/content-security-policy/blob/self-doesnt-match-blob.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"]PASS
/content-security-policy/script-src/worker-set-timeout-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["setTimeout blocked"]FAIL
/content-security-policy/style-src/style-src-inline-style-blocked.html (2/2, 100.00%, 0.22% of total)OK
Inline style element should not load without 'unsafe-inline'PASS
Should fire a securitypolicyviolation eventPASS
/content-security-policy/plugin-types/plugintypes-notype-url.html (1/1, 100.00%, 0.11% of total)OK
Should not load the object because it does not have a declared typePASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.NOTRUN
/content-security-policy/connect-src/worker-connect-src-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["xhr allowed"]PASS
/content-security-policy/embedded-enforcement/required_csp-header.html (70/70, 100.00%, 7.68% of total)TIMEOUT
Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.PASS
Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.PASS
Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.PASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separatedPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish cspPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded stringPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolonPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none'PASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in pathPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to presentPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri presentPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy namePASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directivesPASS
Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded stringPASS
Test cross origin redirect of cross origin iframe: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.PASS
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.PASS
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.PASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separatedPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish cspPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded stringPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolonPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none'PASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in pathPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to presentPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri presentPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy namePASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directivesPASS
Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded stringPASS
Test cross origin redirect: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.PASS
Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.TIMEOUT
Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.PASS
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separatedTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish cspTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded stringTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolonTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none'TIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in pathTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to presentTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri presentTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy nameTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directivesTIMEOUT
Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded stringTIMEOUT
Test same origin redirect: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.PASS
Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.TIMEOUT
Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.TIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separatedTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish cspTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded stringTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolonTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none'TIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in pathTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to presentTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri presentTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy nameTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directivesTIMEOUT
Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded stringTIMEOUT
Test same origin: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.PASS
Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.PASS
Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.PASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separatedPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish cspPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded stringPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolonPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none'PASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in pathPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to presentPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri presentPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy namePASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directivesPASS
Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded stringPASS
/content-security-policy/worker-src/service-child.https.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin service worker allowed by host-source expression.PASS
/content-security-policy/worker-src/shared-self.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin dedicated worker allowed by 'self'.PASS
/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html (3/3, 100.00%, 0.33% of total)OK
Event is firedPASS
Test that image does not loadPASS
Violation report status OK.PASS
/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["blocked","violated-directive=connect-src"]PASS
/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS 1 of 2","PASS 2 of 2"]PASS
/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total)TIMEOUT
Test that the child iframe navigation is not allowedNOTRUN
Violation report status OK.FAIL
/content-security-policy/generic/cspro-not-enforced-in-worker.html (2/2, 100.00%, 0.22% of total)OK
Check that eval is allowed since the inherited policy is report onlyPASS
Check that inline is allowed since the inherited policy is report onlyPASS
/content-security-policy/script-src/scripthash-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS (1/1)"]PASS
/content-security-policy/script-src/injected-inline-script-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["Pass 1 of 2","Pass 2 of 2"]PASS
/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html (1/1, 100.00%, 0.11% of total)OK
Non-redirected cross-origin URLs are not stripped.PASS
/content-security-policy/child-src/child-src-cross-origin-load.sub.html (2/2, 100.00%, 0.22% of total)OK
Expecting alerts: ["PASS","PASS"]PASS
Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"]PASS
/content-security-policy/frame-ancestors/frame-ancestors-none-block.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a value 'none' should block rendering.FAIL
/content-security-policy/style-src/inline-style-attribute-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS"]FAIL
/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that violation report event was firedFAIL
/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html (11/11, 100.00%, 1.21% of total)OK
'strict-dynamic' has to be allowed by required csp if it is present in returned csp.PASS
'strict-dynamic' is effective only for `script-src`.PASS
'strict-dynamic' is ineffective for `child-src`.PASS
'strict-dynamic' is ineffective for `frame-src`.PASS
'strict-dynamic' is ineffective for `img-src`.PASS
'strict-dynamic' is ineffective for `style-src`.PASS
'strict-dynamic' is proper handled for finding effective policy.PASS
'strict-dynamic' makes 'self' ineffective.PASS
'strict-dynamic' makes 'unsafe-inline' ineffective.PASS
'strict-dynamic' makes host source expressions ineffective.PASS
'strict-dynamic' makes scheme source expressions ineffective.PASS
/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html (2/2, 100.00%, 0.22% of total)OK
base-uri 'self' blocks foreign-origin sandboxed iframes.PASS
base-uri 'self' works with same-origin sandboxed iframes.PASS
/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html (1/1, 100.00%, 0.11% of total)OK
`strict-dynamic` does not drop whitelists in `img-src`.FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html (1/1, 100.00%, 0.11% of total)OK
Inline style should be appliedFAIL
/content-security-policy/form-action/form-action-src-get-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=form-action","TEST COMPLETE"]PASS
/content-security-policy/reporting/report-uri-effective-directive.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/style-src/stylehash-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]PASS
/content-security-policy/navigate-to/link-click-redirected-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html (15/15, 100.00%, 1.65% of total)OK
Returned CSP should be subsumed even if the port is not specified but is a default port for a more secure scheme.PASS
Returned CSP should be subsumed even if the port is not specified but is a default port for a scheme.PASS
Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.PASS
Returned CSP should be subsumed if the port is specified but the scheme is more secure.PASS
Returned CSP should be subsumed if the port is specified.PASS
Returned CSP should be subsumed if the ports match but schemes are not identical for `ws`.PASS
Returned CSP should be subsumed if the ports match but schemes are not identical.PASS
Specified ports must match.PASS
The same should hold for `ws` case.PASS
Unspecified ports must match if schemes match.PASS
Wildcard port should match a wildcard.PASS
Wildcard port should match any specific port.PASS
Wildcard port should match unspecified port.PASS
Wildcard port should not be subsumed by a default port.PASS
Wildcard port should not be subsumed by a spcified port.PASS
/content-security-policy/style-src/style-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=style-src","PASS"]FAIL
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.FAIL
/content-security-policy/object-src/object-src-url-blocked.html (1/1, 100.00%, 0.11% of total)OK
Should block the object and fire a spvPASS
/content-security-policy/default-src/default-src-inline-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS 1 of 2","PASS 2 of 2"]PASS
/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that form-action overrides navigate-to when present.PASS
/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Test font does not load if it does not match font-src.PASS
/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["Message"]PASS
/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html (1/1, 100.00%, 0.11% of total)OK
form submission targetting _blank allowed after a redirectPASS
/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["allowed"]PASS
/content-security-policy/prefetch-src/prefetch-allowed.html (3/3, 100.00%, 0.33% of total)OK
Browser supports performance APIs.PASS
Browser supports prefetch.PASS
Prefetch succeeds when allowed by prefetch-srcFAIL
/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]PASS
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html (2/2, 100.00%, 0.22% of total)TIMEOUT
Should fire a security policy violation eventNOTRUN
The inline style should not be appliedFAIL
/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS (1/1)"]PASS
/content-security-policy/form-action/form-action-src-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS","TEST COMPLETE"]PASS
/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html (1/1, 100.00%, 0.11% of total)OK
Test that the inline style attribute is blockedPASS
/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Programatically injected stylesheet should not loadPASS
Should fire a securitypolicyviolation eventPASS
/content-security-policy/worker-src/dedicated-fallback.sub.html (2/2, 100.00%, 0.22% of total)OK
Same-origin dedicated worker allowed by host-source expression.PASS
blob: dedicated worker allowed by 'blob:'.PASS
/content-security-policy/script-src/worker-importscripts-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Expecting logs: ["TEST COMPLETE"]PASS
worker-importscripts-blockedFAIL
/content-security-policy/reporting/report-original-url.sub.html (5/5, 100.00%, 0.55% of total)OK
Block after redirect, cross-origin = original URL in reportPASS
Block after redirect, same-origin = original URL in reportPASS
Direct block, cross-origin = full URL in reportPASS
Direct block, same-origin = full URL in reportPASS
Violation report status OK.PASS
/content-security-policy/securitypolicyviolation/style-sample.html (2/2, 100.00%, 0.22% of total)OK
Inline style attributes should have a sample.PASS
Inline style blocks should have a sample.PASS
/content-security-policy/reporting/report-uri-multiple.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS (1/1)"]PASS
/content-security-policy/object-src/object-src-url-allowed.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/object-src/object-src-url-embed-blocked.html (1/1, 100.00%, 0.11% of total)OK
Should block the object and fire a spvPASS
/content-security-policy/reporting/report-only-in-meta.sub.html (1/1, 100.00%, 0.11% of total)OK
Image should loadPASS
/content-security-policy/embedded-enforcement/idlharness.window.html (4/4, 100.00%, 0.44% of total)OK
HTMLIFrameElement interface: attribute cspPASS
HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper typePASS
Partial interface HTMLIFrameElement: original interface definedPASS
idl_test setupPASS
/content-security-policy/font-src/font-mismatch-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Test font does not load if it does not match font-src.PASS
/content-security-policy/navigate-to/anchor-navigation-always-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that anchor navigation is allowed regardless of the `navigate-to` directivePASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.NOTRUN
/content-security-policy/plugin-types/plugintypes-mismatched-data.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Should not load the object because its declared type does not match its actual typeNOTRUN
/content-security-policy/connect-src/worker-connect-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["xhr blocked","TEST COMPLETE"]FAIL
/content-security-policy/prefetch-src/prefetch-header-blocked.html (3/3, 100.00%, 0.33% of total)TIMEOUT
Browser supports performance APIs.PASS
Browser supports prefetch.PASS
Prefetch via `Link` header succeeds when allowed by prefetch-srcTIMEOUT
/content-security-policy/navigation/to-javascript-url-frame-src.html (1/1, 100.00%, 0.11% of total)OK
<iframe src='javascript:...'> not blocked by 'frame-src'PASS
/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html (1/1, 100.00%, 0.11% of total)OK
Check that frames load without throwing any violation eventsPASS
/content-security-policy/style-src/stylehash-default-src.sub.html (1/1, 100.00%, 0.11% of total)OK
stylehash allowed from default-srcPASS
/content-security-policy/style-src/style-src-hash-blocked.html (3/3, 100.00%, 0.33% of total)OK
Should fire a securitypolicyviolation eventPASS
Should load the style with a correct hashPASS
Should not load style that does not match hashPASS
/content-security-policy/reporting/report-uri-from-child-frame.html (1/1, 100.00%, 0.11% of total)OK
Check that we received a message from the child framePASS
/content-security-policy/base-uri/base-uri-allow.sub.html (1/1, 100.00%, 0.11% of total)OK
Check that base URIs can be set if they do not violate the page's policy.PASS
/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering.PASS
/content-security-policy/inside-worker/shared-script.html (6/6, 100.00%, 0.66% of total)TIMEOUT
Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27PASS
Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27PASS
`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27PASS
`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27PASS
`setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27PASS
`setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27PASS
/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=form-action","TEST COMPLETE"]FAIL
/content-security-policy/generic/304-response-should-update-csp.sub.html (4/4, 100.00%, 0.44% of total)OK
Test that the first frame does not use nonce defPASS
Test that the first frame uses nonce abcPASS
Test that the second frame does not use nonce abcPASS
Test that the second frame uses nonce defPASS
/content-security-policy/form-action/form-action-src-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=form-action","TEST COMPLETE"]PASS
/content-security-policy/navigate-to/href-location-allowed.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Test that the child iframe navigation is allowedNOTRUN
/content-security-policy/connect-src/connect-src-websocket-self.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["allowed", "allowed"]PASS
/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin dedicated worker allowed by default-src 'self'.PASS
/content-security-policy/navigate-to/parent-navigates-child-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`)PASS
/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html (3/3, 100.00%, 0.33% of total)OK
Image should not loadPASS
Test report cookies.PASS
Violation report status OK.PASS
/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html (3/3, 100.00%, 0.33% of total)OK
Event is firedPASS
Test that image does not loadPASS
Violation report status OK.FAIL
/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html (2/2, 100.00%, 0.22% of total)OK
Event is firedPASS
Violation report status OK.FAIL
/content-security-policy/svg/svg-inline.sub.html (1/1, 100.00%, 0.11% of total)OK
Should fire violation eventPASS
/content-security-policy/inside-worker/shared-inheritance.html (15/15, 100.00%, 1.65% of total)TIMEOUT
Cross-origin 'fetch()' in http:TIMEOUT
Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27)PASS
Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27)PASS
Cross-origin XHR in http:TIMEOUT
Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27)PASS
Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27)PASS
Same-origin 'fetch()' in http:PASS
Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27)PASS
Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27)PASS
Same-origin => cross-origin 'fetch()' in http:TIMEOUT
Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27)PASS
Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27)PASS
Same-origin XHR in http:PASS
Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27)PASS
Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27)PASS
/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is blockedFAIL
/content-security-policy/reporting/report-multiple-violations-02.html (2/2, 100.00%, 0.22% of total)OK
Test number of sent reports.PASS
Violation report status OK.PASS
/content-security-policy/generic/generic-0_1-script-src.html (3/3, 100.00%, 0.33% of total)OK
Should fire violation events for every failed violationPASS
Verify cascading of default-src to script-src policy: allowPASS
Verify cascading of default-src to script-src policy: blockPASS
/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html (1/1, 100.00%, 0.11% of total)OK
Test that the child iframe navigation is allowedPASS
/content-security-policy/style-src/style-src-error-event-fires.html (2/2, 100.00%, 0.22% of total)OK
Test error event fires on inline stylePASS
Test error event fires on stylesheet linkPASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.PASS
/content-security-policy/navigate-to/href-location-blocked.sub.html (2/2, 100.00%, 0.22% of total)TIMEOUT
Test that the child iframe navigation is not allowedNOTRUN
Violation report status OK.FAIL
/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE", "violated-directive=connect-src"]PASS
/content-security-policy/object-src/object-src-url-redirect-allowed.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=form-action","TEST COMPLETE"]PASS
/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Programatically injected stylesheet should loadPASS
/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html (6/6, 100.00%, 0.66% of total)OK
<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)PASS
<iframe src='blob:...'>'s inherits policy.PASS
<iframe src='data:...'>'s inherits policy.PASS
<iframe src='javascript:...'>'s inherits policy.PASS
<iframe srcdoc>'s inherits policy.PASS
<iframe>'s about:blank inherits policy.PASS
/content-security-policy/worker-src/service-fallback.https.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin service worker allowed by host-source expression.PASS
/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html (1/1, 100.00%, 0.11% of total)OK
Stylesheet link should load with correct noncePASS
/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin shared worker allowed by default-src 'self'.PASS
/content-security-policy/script-src/scriptnonce-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS (1/2)","PASS (2/2)"]PASS
/content-security-policy/style-src/injected-inline-style-allowed.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS: 2 stylesheets on the page."]PASS
/content-security-policy/script-src/eval-allowed-in-report-only-mode.html (1/1, 100.00%, 0.11% of total)OK
Eval is allowed because the CSP is report-onlyPASS
/content-security-policy/media-src/media-src-7_1.html (3/3, 100.00%, 0.33% of total)TIMEOUT
In-policy async video source elementNOTRUN
In-policy async video srcNOTRUN
Should not fire policy violation eventsNOTRUN
/content-security-policy/style-src/injected-inline-style-blocked.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=style-src-elem","PASS"]PASS
/content-security-policy/media-src/media-src-blocked.sub.html (5/5, 100.00%, 0.55% of total)TIMEOUT
Disallaowed audio srcPASS
Disallowed async video source elementPASS
Disallowed async video srcPASS
Disallowed audio source elementPASS
Test that securitypolicyviolation events are firedTIMEOUT
/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`)FAIL
Violation report status OK.FAIL
/content-security-policy/worker-src/service-none.https.sub.html (1/1, 100.00%, 0.11% of total)OK
Same-origin service worker blocked by 'none'.PASS
/content-security-policy/svg/svg-from-guid.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["TEST COMPLETE"]PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html (9/9, 100.00%, 0.99% of total)OK
All specific paths match except the order.PASS
Empty path is not subsumed by specified paths.PASS
Matching paths.PASS
Returned CSP allows only one path.PASS
Returned CSP has a more specific path.PASS
Returned CSP must specify a path.PASS
That should not be true when required csp specifies a specific page.PASS
Unspecified path should be subsumed by `/`.PASS
`/` path should be subsumed by an empty path.PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin.NOTRUN
/content-security-policy/worker-src/dedicated-none.sub.html (2/2, 100.00%, 0.22% of total)OK
Same-origin dedicated worker blocked by host-source expression.PASS
blob: dedicated worker blocked by 'blob:'.PASS
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html (7/7, 100.00%, 0.77% of total)OK
'unsafe-hashes' is properly subsumed.PASS
Effective policy is properly found where 'unsafe-hashes' is not part of it.PASS
Effective policy is properly found where 'unsafe-hashes' is not subsumed.PASS
Effective policy is properly found.PASS
No other keyword has the same effect as 'unsafe-hashes'.PASS
Other expressions have to be subsumed.PASS
Required csp must allow 'unsafe-hashes'.PASS
/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Test that the javascript: src is allowed to runNOTRUN
/content-security-policy/meta/meta-outside-head.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting alerts: ["PASS (1/1)"]PASS
/content-security-policy/prefetch-src/prefetch-blocked.html (3/3, 100.00%, 0.33% of total)OK
Blocked prefetch generates report.FAIL
Browser supports performance APIs.PASS
Browser supports prefetch.PASS
/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Test that the child iframe navigation is not allowedFAIL
Violation report status OK.FAIL
/content-security-policy/style-src/stylenonce-blocked.sub.html (2/2, 100.00%, 0.22% of total)OK
Should fire securitypolicyviolationPASS
stylenonce-blockedPASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.NOTRUN
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.NOTRUN
/content-security-policy/reporting/report-uri-from-javascript.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS
/content-security-policy/img-src/report-blocked-data-uri.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["violated-directive=img-src"]PASS
/content-security-policy/frame-ancestors/frame-ancestors-url-block.html (1/1, 100.00%, 0.11% of total)OK
A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked.FAIL
/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html (1/1, 100.00%, 0.11% of total)OK
Should have executed the javascript urlPASS
/content-security-policy/sandbox/window-reuse-unsandboxed.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Window object should be reusedNOTRUN
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html (1/1, 100.00%, 0.11% of total)TIMEOUT
Test that the javascript: src is not allowed to runNOTRUN
/content-security-policy/sandbox/sandbox-empty.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS2"]PASS
/content-security-policy/frame-src/frame-src-allowed.sub.html (2/2, 100.00%, 0.22% of total)OK
Expecting alerts: ["PASS"]PASS
Expecting logs: ["PASS IFrame #1 generated a load event."]PASS
/content-security-policy/img-src/img-src-none-blocks.html (1/1, 100.00%, 0.11% of total)OK
img-src with 'none' source should not matchPASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.NOTRUN
/content-security-policy/inheritance/window.html (4/4, 100.00%, 0.44% of total)TIMEOUT
`document.write` into `window.open()` inherits policy.FAIL
window.open('blob:...') inherits policy.TIMEOUT
window.open('javascript:...') inherits policy.TIMEOUT
window.open() inherits policy.FAIL
/content-security-policy/embedded-enforcement/required-csp-header-cascade.html (9/9, 100.00%, 0.99% of total)OK
Test same origin: Test invalid policy on first iframe (bad directive)PASS
Test same origin: Test invalid policy on first iframe (report directive)PASS
Test same origin: Test invalid policy on second iframe (bad directive)PASS
Test same origin: Test invalid policy on second iframe (report directive)PASS
Test same origin: Test less restrictive policy on second iframePASS
Test same origin: Test more restrictive policy on second iframePASS
Test same origin: Test no policy on first iframePASS
Test same origin: Test no policy on second iframePASS
Test same origin: Test same policy for both iframesPASS
/content-security-policy/form-action/form-action-src-default-ignored.sub.html (1/1, 100.00%, 0.11% of total)OK
Expecting logs: ["PASS","TEST COMPLETE"]PASS
/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html (1/1, 100.00%, 0.11% of total)TIMEOUT
A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.NOTRUN
/content-security-policy/reporting/report-uri-from-inline-javascript.html (1/1, 100.00%, 0.11% of total)OK
Violation report status OK.PASS