Test files: 384; Total subtests: 894
| Test | FF64 |
|---|---|
| /content-security-policy/navigation/to-javascript-url-frame-src.html | OK |
| <iframe src='javascript:...'> not blocked by 'frame-src' | PASS |
| /content-security-policy/connect-src/worker-connect-src-blocked.sub.html | OK |
| Expecting logs: ["xhr blocked","TEST COMPLETE"] | PASS |
| /content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html | OK |
| Test that form-action overrides navigate-to when present. | FAIL |
| /content-security-policy/style-src/style-src-injected-inline-style-blocked.html | OK |
| Injected style attributes should not be applied | PASS |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/script-src/eval-allowed-in-report-only-mode.html | OK |
| Eval is allowed because the CSP is report-only | PASS |
| /content-security-policy/svg/svg-policy-resource-doc-includes.html | OK |
| Expecting logs: ["TEST COMPLETE"] | PASS |
| /content-security-policy/style-src/injected-inline-style-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=style-src-elem","PASS"] | FAIL |
| /content-security-policy/navigate-to/parent-navigates-child-allowed.html | OK |
| Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`) | PASS |
| /content-security-policy/blob/blob-urls-do-not-match-self.sub.html | OK |
| Expecting logs: ["violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/securitypolicyviolation/constructor-required-fields.html | OK |
| SecurityPolicyViolationEvent constructor does not require blockedURI | PASS |
| SecurityPolicyViolationEvent constructor does not require columnNumber | PASS |
| SecurityPolicyViolationEvent constructor does not require lineNumber | PASS |
| SecurityPolicyViolationEvent constructor does not require referrer | PASS |
| SecurityPolicyViolationEvent constructor does not require sample | PASS |
| SecurityPolicyViolationEvent constructor does not require sourceFile | PASS |
| SecurityPolicyViolationEvent constructor requires disposition | FAIL |
| SecurityPolicyViolationEvent constructor requires documentURI | FAIL |
| SecurityPolicyViolationEvent constructor requires effectiveDirective | FAIL |
| SecurityPolicyViolationEvent constructor requires originalPolicy | FAIL |
| SecurityPolicyViolationEvent constructor requires statusCode | FAIL |
| SecurityPolicyViolationEvent constructor requires violatedDirective | FAIL |
| SecurityPolicyViolationEvent constructor should throw with no parameters | PASS |
| SecurityPolicyViolationEvent constructor works with an init dict | PASS |
| /content-security-policy/worker-src/service-fallback.https.sub.html | OK |
| Same-origin service worker allowed by host-source expression. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-url-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. | NOTRUN |
| /content-security-policy/inheritance/iframe-srcdoc-inheritance.html | TIMEOUT |
| First image should be blocked | NOTRUN |
| Second image should be blocked | NOTRUN |
| /content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html | OK |
| Test that the inline style attribute is blocked | FAIL |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html | OK |
| Non-redirected same-origin URLs are not stripped. | PASS |
| /content-security-policy/plugin-types/plugintypes-mismatched-data.html | TIMEOUT |
| Should not load the object because its declared type does not match its actual type | NOTRUN |
| /content-security-policy/meta/meta-img-src.html | OK |
| Expecting logs: ["PASS","TEST COMPLETE"] | PASS |
| /content-security-policy/form-action/form-action-src-redirect-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | FAIL |
| form-action-src-redirect-blocked | FAIL |
| /content-security-policy/securitypolicyviolation/idlharness.window.html | OK |
| SecurityPolicyViolationEvent interface object length | PASS |
| SecurityPolicyViolationEvent interface object name | PASS |
| SecurityPolicyViolationEvent interface: attribute blockedURI | PASS |
| SecurityPolicyViolationEvent interface: attribute blockedURL | FAIL |
| SecurityPolicyViolationEvent interface: attribute colno | FAIL |
| SecurityPolicyViolationEvent interface: attribute columnNumber | PASS |
| SecurityPolicyViolationEvent interface: attribute disposition | PASS |
| SecurityPolicyViolationEvent interface: attribute documentURI | PASS |
| SecurityPolicyViolationEvent interface: attribute documentURL | FAIL |
| SecurityPolicyViolationEvent interface: attribute effectiveDirective | PASS |
| SecurityPolicyViolationEvent interface: attribute lineNumber | PASS |
| SecurityPolicyViolationEvent interface: attribute lineno | FAIL |
| SecurityPolicyViolationEvent interface: attribute originalPolicy | PASS |
| SecurityPolicyViolationEvent interface: attribute referrer | PASS |
| SecurityPolicyViolationEvent interface: attribute sample | PASS |
| SecurityPolicyViolationEvent interface: attribute sourceFile | PASS |
| SecurityPolicyViolationEvent interface: attribute statusCode | PASS |
| SecurityPolicyViolationEvent interface: attribute violatedDirective | PASS |
| SecurityPolicyViolationEvent interface: existence and properties of interface object | PASS |
| SecurityPolicyViolationEvent interface: existence and properties of interface prototype object | PASS |
| SecurityPolicyViolationEvent interface: existence and properties of interface prototype object's "constructor" property | PASS |
| SecurityPolicyViolationEvent interface: existence and properties of interface prototype object's @@unscopables property | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "blockedURI" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "blockedURL" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "colno" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "columnNumber" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "disposition" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "documentURI" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "documentURL" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "effectiveDirective" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "lineNumber" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "lineno" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "originalPolicy" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "referrer" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "sample" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "sourceFile" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "statusCode" with the proper type | PASS |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "violatedDirective" with the proper type | PASS |
| SecurityPolicyViolationEvent must be primary interface of new SecurityPolicyViolationEvent("securitypolicyviolation") | PASS |
| Stringification of new SecurityPolicyViolationEvent("securitypolicyviolation") | PASS |
| idl_test setup | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | NOTRUN |
| /content-security-policy/meta/combine-header-and-meta-policies.sub.html | OK |
| Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"] | FAIL |
| combine-header-and-meta-policies | PASS |
| /content-security-policy/style-src/inline-style-attribute-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=style-src-attr","PASS"] | FAIL |
| /content-security-policy/media-src/media-src-7_1.html | OK |
| In-policy async video source element | PASS |
| In-policy async video src | PASS |
| Should not fire policy violation events | PASS |
| /content-security-policy/frame-src/frame-src-blocked.sub.html | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.","violated-directive=frame-src"] | FAIL |
| /content-security-policy/form-action/form-action-src-default-ignored.sub.html | OK |
| Expecting logs: ["PASS","TEST COMPLETE"] | FAIL |
| /content-security-policy/plugin-types/plugintypes-nourl-blocked.html | TIMEOUT |
| Should not load the object because it does not match plugin-types | NOTRUN |
| /content-security-policy/plugin-types/plugintypes-nourl-allowed.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/style-src/stylehash-default-src.sub.html | OK |
| stylehash allowed from default-src | FAIL |
| /content-security-policy/embedded-enforcement/required_csp-header.html | OK |
| Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>. | FAIL |
| Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty. | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none' | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string | FAIL |
| Test cross origin redirect of cross origin iframe: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>. | PASS |
| Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty. | FAIL |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none' | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives | PASS |
| Test cross origin redirect of cross origin iframe: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string | PASS |
| Test cross origin redirect: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>. | PASS |
| Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty. | FAIL |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none' | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives | PASS |
| Test cross origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string | PASS |
| Test same origin redirect: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>. | PASS |
| Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty. | FAIL |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none' | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives | PASS |
| Test same origin redirect: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string | PASS |
| Test same origin: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>. | PASS |
| Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty. | FAIL |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none' | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives | PASS |
| Test same origin: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html | TIMEOUT |
| undefined | TIMEOUT |
| /content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html | TIMEOUT |
| Should fire a securitypolicyviolation event | FAIL |
| Test that paragraph remains unmodified and error events received. | NOTRUN |
| /content-security-policy/style-src/stylehash-basic-blocked.sub.html | OK |
| Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"] | FAIL |
| /content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html | OK |
| Violation report status OK. | FAIL |
| /content-security-policy/script-src/script-src-overrides-default-src.sub.html | OK |
| Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] | PASS |
| /content-security-policy/media-src/media-src-7_2.html | OK |
| In-policy audio source element | PASS |
| In-policy audio src | PASS |
| Should not fire policy violation events | PASS |
| /content-security-policy/object-src/object-src-url-embed-allowed.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html | OK |
| Test that violation report event was fired | PASS |
| /content-security-policy/svg/svg-inline.sub.html | OK |
| Should fire violation event | FAIL |
| /content-security-policy/sandbox/window-reuse-unsandboxed.html | TIMEOUT |
| Window object should be reused | NOTRUN |
| /content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html | OK |
| Test that style loads if allowed by proper hash values | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/script-src/worker-eval-blocked.sub.html | OK |
| Expecting logs: ["eval blocked"] | PASS |
| /content-security-policy/base-uri/base-uri-deny.sub.html | OK |
| Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive | PASS |
| Check that the baseURI is not set when it does not match the csp directive | PASS |
| /content-security-policy/reporting/report-cross-origin-no-cookies.sub.html | OK |
| Image should not load | PASS |
| Test report cookies. | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html | OK |
| Expecting logs: ["PASS: eval() blocked.","violated-directive=script-src"] | PASS |
| /content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html | OK |
| Programatically injected stylesheet should load | PASS |
| /content-security-policy/navigate-to/href-location-blocked.sub.html | TIMEOUT |
| Test that the child iframe navigation is not allowed | NOTRUN |
| Violation report status OK. | FAIL |
| /content-security-policy/form-action/form-action-src-get-allowed.sub.html | OK |
| Expecting logs: ["PASS","TEST COMPLETE"] | PASS |
| /content-security-policy/media-src/media-src-redir-bug.sub.html | OK |
| In-policy async video source element | PASS |
| In-policy async video source element w/redir | PASS |
| In-policy async video src | PASS |
| Should not fire policy violation events | PASS |
| in-policy async video src w/redir | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin. | NOTRUN |
| /content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html | TIMEOUT |
| Should fire a security policy violation for the attribute | NOTRUN |
| The attribute style should not be applied and the inline style should be applied | PASS |
| /content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html | TIMEOUT |
| Should fire a security policy violation event | NOTRUN |
| The attribute style should not be applied | PASS |
| /content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html | OK |
| Expecting logs: ["violated-directive=script-src","PASS"] | FAIL |
| /content-security-policy/connect-src/connect-src-websocket-blocked.sub.html | OK |
| Expecting logs: ["blocked","violated-directive=connect-src"] | PASS |
| /content-security-policy/plugin-types/plugintypes-notype-data.html | TIMEOUT |
| Should not load the object because it does not have a declared type | NOTRUN |
| /content-security-policy/generic/cspro-not-enforced-in-worker.html | OK |
| Check that eval is allowed since the inherited policy is report only | PASS |
| Check that inline is allowed since the inherited policy is report only | PASS |
| /content-security-policy/font-src/font-match-allowed.sub.html | TIMEOUT |
| Test font loads if it matches font-src. | TIMEOUT |
| /content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html | OK |
| Should fire a securitypolicyviolation event | FAIL |
| Should not load stylesheet without correct nonce | PASS |
| /content-security-policy/script-src/injected-inline-script-allowed.sub.html | OK |
| Expecting logs: ["Pass 1 of 2","Pass 2 of 2"] | PASS |
| /content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html | OK |
| Navigated iframe is upgraded and reported | FAIL |
| Upgraded iframe is reported | FAIL |
| Upgraded image is reported | FAIL |
| /content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html | TIMEOUT |
| Test that the javascript: src is not allowed to run | NOTRUN |
| /content-security-policy/navigate-to/form-redirected-allowed.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/reporting/report-strips-fragment.html | OK |
| Reported document URI does not contain fragments. | PASS |
| /content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html | OK |
| Expecting logs: ["xhr blocked","TEST COMPLETE"] | PASS |
| /content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html | OK |
| form submission targetting a frame allowed after a redirect | PASS |
| /content-security-policy/reporting/report-uri-from-child-frame.html | OK |
| Check that we received a message from the child frame | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/object-src/object-src-url-allowed.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html | TIMEOUT |
| Should fire a security policy violation event | NOTRUN |
| The inline style should not be applied | FAIL |
| /content-security-policy/sandbox/iframe-inside-csp.sub.html | OK |
| Expecting logs: ["PASS (1/2): Script can execute","PASS (2/2): Eval works"] | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html | OK |
| 'sha256-abc123' is not subsumed by 'sha256-abc456'. | FAIL |
| 'sha256-abc123' is properly subsumed with other sources. | PASS |
| 'sha256-abc123' is properly subsumed. | PASS |
| Effective policy is properly found where 'sha256-abc123' is not part of it. | PASS |
| Effective policy is properly found where 'sha256-abc123' is not subsumed. | FAIL |
| Effective policy is properly found. | PASS |
| Effective policy now does not allow 'sha256-abc123'. | PASS |
| Hashes do not have to be present in returned csp but must not allow all inline behavior. | FAIL |
| Hashes do not have to be present in returned csp. | PASS |
| Other expressions have to be subsumed but 'unsafe-inline' gets ignored. | PASS |
| Other expressions have to be subsumed. | FAIL |
| Required csp must allow 'sha256-abc123'. | FAIL |
| Returned should not include hashes not present in required csp. | FAIL |
| /content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html | OK |
| Expecting logs: ["Pass","violated-directive=connect-src"] | PASS |
| /content-security-policy/child-src/child-src-allowed.sub.html | OK |
| Expecting alerts: ["PASS"] | PASS |
| Expecting logs: ["PASS IFrame #1 generated a load event."] | PASS |
| /content-security-policy/worker-src/dedicated-fallback.sub.html | OK |
| Same-origin dedicated worker allowed by host-source expression. | PASS |
| blob: dedicated worker allowed by 'blob:'. | PASS |
| /content-security-policy/script-src/scriptnonce-basic-blocked.sub.html | OK |
| Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/form-action/form-action-src-allowed.sub.html | OK |
| Expecting logs: ["PASS","TEST COMPLETE"] | PASS |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html | OK |
| Should convert the script contents to UTF-8 before hashing | FAIL |
| /content-security-policy/unsafe-eval/eval-blocked.sub.html | OK |
| Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"] | PASS |
| /content-security-policy/form-action/form-action-src-javascript-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | PASS |
| /content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html | OK |
| Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-self-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'self' should block rendering. | NOTRUN |
| /content-security-policy/style-src/style-src-inline-style-blocked.html | OK |
| Inline style element should not load without 'unsafe-inline' | PASS |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/script-src/worker-set-timeout-blocked.sub.html | OK |
| Expecting alerts: ["setTimeout blocked"] | PASS |
| /content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html | OK |
| Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html | OK |
| 'strict-dynamic' is ineffective for `style-src`. | PASS |
| 'unsafe-inline' does not matter if returned csp is effectively `none`. | PASS |
| 'unsafe-inline' is ineffective when nonces are present. | PASS |
| 'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`. | PASS |
| 'unsafe-inline' is only ineffective if the effective returned csp has hashes in `style-src`. | PASS |
| 'unsafe-inline' is only ineffective if the effective returned csp has nonces in `style-src`. | PASS |
| 'unsafe-inline' is properly subsumed in `script-src`. | PASS |
| 'unsafe-inline' is properly subsumed in `style-src`. | PASS |
| Effective returned csp allows 'unsafe-inline' | FAIL |
| Effective returned csp does not allow 'sha512-321cba' hash. | PASS |
| Required csp allows `strict-dynamic`, but retuned csp does. | FAIL |
| Required csp does not allow `unsafe-inline`, but retuned csp does. | FAIL |
| Returned csp does not have to allow 'unsafe-inline' in `style-src` to be subsumed. | PASS |
| Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'. | PASS |
| Returned csp whitelists a hash. | FAIL |
| Returned csp whitelists a nonce. | FAIL |
| /content-security-policy/script-src/worker-importscripts-blocked.sub.html | OK |
| Expecting logs: ["TEST COMPLETE"] | PASS |
| worker-importscripts-blocked | PASS |
| /content-security-policy/svg/svg-from-guid.html | OK |
| Expecting logs: ["TEST COMPLETE"] | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html | TIMEOUT |
| undefined | TIMEOUT |
| /content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html | TIMEOUT |
| Test that the inline style attribute is blocked | NOTRUN |
| /content-security-policy/worker-src/dedicated-self.sub.html | OK |
| Same-origin dedicated worker allowed by 'self'. | PASS |
| /content-security-policy/img-src/icon-blocked.sub.html | OK |
| Test that image does not load | PASS |
| Test that spv event is fired | FAIL |
| /content-security-policy/img-src/report-blocked-data-uri.sub.html | OK |
| Expecting logs: ["violated-directive=img-src"] | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. | NOTRUN |
| /content-security-policy/worker-src/shared-none.sub.html | OK |
| Same-origin shared worker blocked by 'none'. | FAIL |
| blob: shared worker blocked by 'none'. | FAIL |
| /content-security-policy/navigate-to/meta-refresh-redirected-allowed.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html | OK |
| Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`) | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/securitypolicyviolation/blockeduri-eval.html | OK |
| Eval violations have a blockedURI of 'eval' | PASS |
| /content-security-policy/worker-src/dedicated-list.sub.html | OK |
| Same-origin dedicated worker allowed by host-source expression. | PASS |
| blob: dedicated worker allowed by 'blob:'. | PASS |
| /content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html | OK |
| img src matches correctly partial wildcard host csp directive | PASS |
| /content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/style-src/style-src-error-event-fires.html | TIMEOUT |
| Test error event fires on inline style | NOTRUN |
| Test error event fires on stylesheet link | PASS |
| /content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html | TIMEOUT |
| Expecting logs: ["violated-directive=script-src-elem"] | NOTRUN |
| filesystem-urls-do-not-match-self | NOTRUN |
| /content-security-policy/sandbox/sandbox-allow-scripts.sub.html | OK |
| Expecting logs: ["Message"] | PASS |
| /content-security-policy/script-src/worker-function-function-blocked.sub.html | OK |
| Expecting logs: ["Function() function blocked"] | PASS |
| /content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html | TIMEOUT |
| Should fire a security policy violation for the inline block | NOTRUN |
| The inline style should not be applied and the attribute style should be applied | FAIL |
| /content-security-policy/generic/generic-0_10.html | OK |
| Test that script does not fire violation event | PASS |
| /content-security-policy/style-src/style-src-injected-inline-style-allowed.html | OK |
| Injected inline style should load with 'unsafe-inline' | PASS |
| /content-security-policy/generic/generic-0_9.sub.html | TIMEOUT |
| Test that script does not fire violation event | PASS |
| /content-security-policy/generic/directive-name-case-insensitive.sub.html | OK |
| Test that the www1 image is allowed to load | PASS |
| Test that the www2 image is not allowed to load | PASS |
| Test that the www2 image throws a violation event | PASS |
| /content-security-policy/navigate-to/href-location-allowed.html | TIMEOUT |
| Test that the child iframe navigation is allowed | NOTRUN |
| /content-security-policy/navigate-to/link-click-redirected-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/worker-src/service-child.https.sub.html | OK |
| Same-origin service worker allowed by host-source expression. | PASS |
| /content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html | OK |
| Test that the child iframe navigation is blocked | FAIL |
| /content-security-policy/media-src/media-src-7_2_2.sub.html | OK |
| Disallaowed audio src | PASS |
| Disallowed audio source element | PASS |
| Test that securitypolicyviolation events are fired | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html | OK |
| Expecting logs: ["violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html | OK |
| Should convert the script contents to UTF-8 before hashing | PASS |
| /content-security-policy/navigate-to/link-click-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/img-src/img-src-none-blocks.html | OK |
| img-src with 'none' source should not match | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. | NOTRUN |
| /content-security-policy/prefetch-src/prefetch-header-allowed.html | TIMEOUT |
| Browser supports performance APIs. | PASS |
| Browser supports prefetch. | PASS |
| Prefetch via `Link` header succeeds when allowed by prefetch-src | TIMEOUT |
| /content-security-policy/blob/star-doesnt-match-blob.sub.html | OK |
| Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"] | FAIL |
| /content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html | OK |
| Expecting alerts: ["PASS (1/1)"] | PASS |
| /content-security-policy/script-src/script-src-1_10_1.html | OK |
| Test that no report violation event was raised | PASS |
| Verify that data: as script src runs with this policy | PASS |
| /content-security-policy/reporting/report-uri-from-inline-javascript.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/embedded-enforcement/idlharness.window.html | OK |
| HTMLIFrameElement interface: attribute csp | FAIL |
| HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type | FAIL |
| Partial interface HTMLIFrameElement: original interface defined | PASS |
| idl_test setup | PASS |
| /content-security-policy/navigate-to/form-cross-origin-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/script-src/script-src-1_2_1.html | OK |
| DOM manipulation inline tests | PASS |
| Test that securitypolicyviolation event is fired | FAIL |
| /content-security-policy/script-src/scriptnonce-redirect.sub.html | OK |
| Expecting alerts: ["PASS"] | PASS |
| /content-security-policy/generic/only-valid-whitespaces-are-allowed.html | OK |
| Should load image without any CSP - HTTP header | PASS |
| Should load image without any CSP - meta tag | PASS |
| Should not load image with 'none' CSP - HTTP header | PASS |
| Should not load image with 'none' CSP - meta tag | PASS |
| U+0009 TAB should be properly parsed between directive name and value - HTTP header | PASS |
| U+0009 TAB should be properly parsed between directive name and value - meta tag | PASS |
| U+0009 TAB should be properly parsed inside directive value - HTTP header | PASS |
| U+0009 TAB should be properly parsed inside directive value - meta tag | PASS |
| U+000A LF should be properly parsed between directive name and value - meta tag | PASS |
| U+000A LF should be properly parsed inside directive value - meta tag | PASS |
| U+000C FF should be properly parsed between directive name and value - HTTP header | PASS |
| U+000C FF should be properly parsed between directive name and value - meta tag | PASS |
| U+000C FF should be properly parsed inside directive value - HTTP header | PASS |
| U+000C FF should be properly parsed inside directive value - meta tag | PASS |
| U+000D CR should be properly parsed between directive name and value - meta tag | PASS |
| U+000D CR should be properly parsed inside directive value - meta tag | PASS |
| U+0020 SPACE should be properly parsed between directive name and value - HTTP header | PASS |
| U+0020 SPACE should be properly parsed between directive name and value - meta tag | PASS |
| U+0020 SPACE should be properly parsed inside directive value - HTTP header | PASS |
| U+0020 SPACE should be properly parsed inside directive value - meta tag | PASS |
| U+00A0 NBSP should not be parsed between directive name and value - HTTP header | PASS |
| U+00A0 NBSP should not be parsed between directive name and value - meta tag | PASS |
| U+00A0 NBSP should not be parsed inside directive value - HTTP header | FAIL |
| U+00A0 NBSP should not be parsed inside directive value - meta tag | FAIL |
| /content-security-policy/frame-src/frame-src-redirect.html | TIMEOUT |
| Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect | TIMEOUT |
| /content-security-policy/inside-worker/shared-inheritance.html | TIMEOUT |
| Cross-origin 'fetch()' in http: | TIMEOUT |
| Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27) | PASS |
| Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27) | PASS |
| Cross-origin XHR in http: | TIMEOUT |
| Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27) | PASS |
| Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27) | PASS |
| Same-origin 'fetch()' in http: | PASS |
| Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27) | PASS |
| Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27) | PASS |
| Same-origin => cross-origin 'fetch()' in http: | TIMEOUT |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27) | PASS |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27) | PASS |
| Same-origin XHR in http: | PASS |
| Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27self%27) | PASS |
| Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27) | PASS |
| /content-security-policy/worker-src/service-none.https.sub.html | OK |
| Same-origin service worker blocked by 'none'. | FAIL |
| /content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html | TIMEOUT |
| Should execute the inline script attribute | PASS |
| Should fire a security policy violation for the attribute | NOTRUN |
| /content-security-policy/reporting/report-blocked-data-uri.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html | OK |
| Non-redirected cross-origin URLs are not stripped. | FAIL |
| /content-security-policy/style-src/style-src-imported-style-allowed.sub.html | OK |
| Imported style that violates policy should not load | PASS |
| /content-security-policy/reporting/report-uri-multiple.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html | TIMEOUT |
| Test that embedded iframe document image does not load | PASS |
| Test that parent document image loads | FAIL |
| Test that spv event is fired | NOTRUN |
| /content-security-policy/navigation/javascript-url-navigation-inherits-csp.html | OK |
| javascript-url-navigation-inherits-csp | FAIL |
| /content-security-policy/sandbox/window-reuse-sandboxed.html | TIMEOUT |
| Window object should not be reused | NOTRUN |
| /content-security-policy/unsafe-eval/function-constructor-blocked.sub.html | OK |
| Expecting logs: ["PASS EvalError","violated-directive=script-src"] | PASS |
| /content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html | TIMEOUT |
| Test that no spv event is raised | NOTRUN |
| Violation report status OK. | PASS |
| /content-security-policy/worker-src/dedicated-none.sub.html | OK |
| Same-origin dedicated worker blocked by host-source expression. | FAIL |
| blob: dedicated worker blocked by 'blob:'. | FAIL |
| /content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html | OK |
| Expecting logs: ["PASS","violated-directive=script-src"] | PASS |
| /content-security-policy/generic/generic-0_8.sub.html | OK |
| Test that script does not fire violation event | PASS |
| /content-security-policy/generic/generic-0_10_1.sub.html | OK |
| Prevents access to external scripts. | PASS |
| Should fire violation events for every failed violation | FAIL |
| /content-security-policy/style-src/style-src-inline-style-nonce-allowed.html | OK |
| Style with correct nonce should load | PASS |
| /content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html | OK |
| Inline style attributes should not have a sample. | PASS |
| Inline style blocks should not have a sample. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html | OK |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | PASS |
| /content-security-policy/font-src/font-self-allowed.html | TIMEOUT |
| Test font loads if it matches font-src. | TIMEOUT |
| /content-security-policy/plugin-types/plugintypes-notype-url.html | TIMEOUT |
| Should not load the object because it does not have a declared type | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with '*' should allow rendering. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | NOTRUN |
| /content-security-policy/plugin-types/plugintypes-mismatched-url.html | TIMEOUT |
| Should not load the object because its declared type does not match its actual type | NOTRUN |
| /content-security-policy/blob/self-doesnt-match-blob.sub.html | OK |
| Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"] | FAIL |
| /content-security-policy/object-src/object-src-url-embed-blocked.html | OK |
| Should block the object and fire a spv | PASS |
| /content-security-policy/style-src/stylenonce-allowed.sub.html | OK |
| Should fire securitypolicyviolation | FAIL |
| stylenonce-allowed | PASS |
| stylenonce-allowed 1 | PASS |
| /content-security-policy/generic/generic-0_2_3.html | OK |
| Prevents access to external scripts. | PASS |
| Should fire violation events for every failed violation | FAIL |
| /content-security-policy/script-src/script-src-1_10.html | OK |
| Test that securitypolicyviolation event is fired | FAIL |
| Verify that data: as script src doesn't run with this policy | PASS |
| /content-security-policy/script-src/script-src-1_2.html | OK |
| Inline event handler | PASS |
| Inline script block | PASS |
| Should fire policy violation events | FAIL |
| /content-security-policy/navigate-to/child-navigates-parent-allowed.html | OK |
| Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`) | PASS |
| /content-security-policy/style-src/style-src-none-blocked.html | OK |
| Should fire a securitypolicyviolation event | FAIL |
| Should not stylesheet when style-src is 'none' | PASS |
| /content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html | OK |
| Should not have executed the javascript url | FAIL |
| /content-security-policy/sandbox/sandbox-empty-subframe.sub.html | OK |
| Expecting logs: ["PASS2"] | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | NOTRUN |
| /content-security-policy/generic/generic-0_2.html | OK |
| Should fire violation events for every failed violation | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-none-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering. | NOTRUN |
| /content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html | OK |
| form submission targetting a frame allowed | PASS |
| /content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/media-src/media-src-7_3.sub.html | OK |
| In-policy track element | PASS |
| Should not fire policy violation events | PASS |
| /content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html | TIMEOUT |
| Should execute the inline script block | PASS |
| Should fire a security policy violation for the attribute | NOTRUN |
| /content-security-policy/object-src/object-src-url-blocked.html | OK |
| Should block the object and fire a spv | PASS |
| /content-security-policy/prefetch-src/prefetch-allowed.html | OK |
| Browser supports performance APIs. | PASS |
| Browser supports prefetch. | PASS |
| Prefetch succeeds when allowed by prefetch-src | FAIL |
| /content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html | OK |
| Same-origin service worker allowed by default-src 'self'. | PASS |
| /content-security-policy/securitypolicyviolation/style-sample.html | OK |
| Inline style attributes should have a sample. | PASS |
| Inline style blocks should have a sample. | PASS |
| /content-security-policy/sandbox/sandbox-empty.sub.html | OK |
| Expecting logs: ["PASS2"] | PASS |
| /content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html | OK |
| Same-origin shared worker allowed by default-src 'self'. | PASS |
| /content-security-policy/base-uri/base-uri-allow.sub.html | OK |
| Check that base URIs can be set if they do not violate the page's policy. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html | OK |
| A 'frame-ancestors' CSP directive with '*' should allow rendering. | PASS |
| /content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html | OK |
| Expecting logs: ["allowed"] | PASS |
| /content-security-policy/style-src/inline-style-attribute-allowed.sub.html | OK |
| Expecting logs: ["PASS"] | FAIL |
| /content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html | OK |
| Expecting logs: ["xhr allowed","TEST COMPLETE"] | PASS |
| /content-security-policy/connect-src/connect-src-websocket-self.sub.html | OK |
| Expecting logs: ["allowed", "allowed"] | PASS |
| /content-security-policy/script-src/scripthash-default-src.sub.html | TIMEOUT |
| /content-security-policy/script-src/scripthash-default-src.sub.html | TIMEOUT |
| /content-security-policy/prefetch-src/prefetch-header-blocked.html | TIMEOUT |
| Browser supports performance APIs. | PASS |
| Browser supports prefetch. | PASS |
| Prefetch via `Link` header succeeds when allowed by prefetch-src | TIMEOUT |
| /content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html | OK |
| Should have executed the javascript url | PASS |
| /content-security-policy/script-src/scripthash-allowed.sub.html | OK |
| Expecting alerts: ["PASS (1/4)","PASS (2/4)","PASS (3/4)","PASS (4/4)"] | PASS |
| /content-security-policy/navigate-to/href-location-redirected-allowed.html | TIMEOUT |
| Test that the child iframe navigation is allowed | NOTRUN |
| /content-security-policy/inside-worker/dedicated-script.html | TIMEOUT |
| Cross-origin `importScripts()` blocked in blob: | PASS |
| Cross-origin `importScripts()` blocked in http: | TIMEOUT |
| Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*) | TIMEOUT |
| Filesystem and blob. | PASS |
| `eval()` blocked in blob: | PASS |
| `setTimeout([string])` blocked in blob: | PASS |
| /content-security-policy/generic/filesystem-urls-match-filesystem.sub.html | OK |
| Expecting logs: ["PASS (1/1)"] | NOTRUN |
| /content-security-policy/navigate-to/form-redirected-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html | TIMEOUT |
| A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page. | TIMEOUT |
| A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page. | PASS |
| /content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/script-src/script-src-1_1.html | OK |
| Inline event handler | PASS |
| Inline script block | PASS |
| Should fire policy violation events | FAIL |
| /content-security-policy/img-src/img-src-wildcard-allowed.html | OK |
| img-src with wildcard should match all | PASS |
| img-src with wildcard should not match blob | PASS |
| /content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html | OK |
| form submission targetting _blank allowed after a redirect | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html | OK |
| All scheme sources are subsumed by their stronger variants. | PASS |
| All scheme sources must be subsumed. | FAIL |
| If scheme source is present in returned csp, it must be specified in required csp too. | FAIL |
| Matching `https` protocols. | PASS |
| The reverse allows iframe be to be loaded. | PASS |
| `http:` does not subsume other protocols. | FAIL |
| `http:` should subsume all host source expressions with `https:`. | PASS |
| `http:` should subsume all host source expressions with this protocol. | PASS |
| `http:` subsumes other `http:` source expression. | PASS |
| `http:` subsumes other `https:` source expression and expressions with `http:`. | PASS |
| `https` is more restrictive than `http`. | FAIL |
| /content-security-policy/reporting/report-blocked-uri.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html | OK |
| Event is fired | PASS |
| Test that image does not load | PASS |
| Violation report status OK. | FAIL |
| /content-security-policy/connect-src/connect-src-websocket-allowed.sub.html | OK |
| Expecting logs: ["allowed"] | PASS |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html | OK |
| Should convert the script contents to UTF-8 before hashing | FAIL |
| /content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html | OK |
| Should apply the style attribute | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html | OK |
| A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. | PASS |
| /content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html | OK |
| Expecting logs: ["Pass"] | PASS |
| /content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html | OK |
| Programatically injected stylesheet should not load | PASS |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html | TIMEOUT |
| Test that the child iframe navigation is not allowed | NOTRUN |
| Violation report status OK. | FAIL |
| /content-security-policy/object-src/object-src-url-redirect-blocked.sub.html | OK |
| Should block the object and fire a spv | PASS |
| /content-security-policy/script-src/script-src-wildcards-disallowed.html | OK |
| blob: URIs should not match * | PASS |
| data: URIs should not match * | PASS |
| filesystem URIs should not match * | PASS |
| /content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html | OK |
| Event is fired | PASS |
| Test that image does not load | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-self.html | OK |
| 'self' keywords should match. | PASS |
| Required 'self' should match to a origin's url. | PASS |
| Required 'self' should subsume a more secure version of origin's url. | PASS |
| Returned 'self' should match to an origin's url. | PASS |
| Returned 'self' should not be subsumed by a more secure version of origin's url. | FAIL |
| Returned CSP does not have to specify 'self'. | PASS |
| Returned CSP must not allow 'self' if required CSP does not. | FAIL |
| /content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/style-src/style-src-star-allowed.html | OK |
| * should allow any style | PASS |
| /content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html | OK |
| <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) | PASS |
| <iframe src='blob:...'>'s inherits policy. | PASS |
| <iframe src='data:...'>'s inherits policy. | PASS |
| <iframe src='javascript:...'>'s inherits policy. | PASS |
| <iframe srcdoc>'s inherits policy. | PASS |
| <iframe>'s about:blank inherits policy. | PASS |
| /content-security-policy/child-src/child-src-cross-origin-load.sub.html | OK |
| Expecting alerts: ["PASS","PASS"] | PASS |
| Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/embedded-enforcement/allow_csp_from-header.html | OK |
| Allow-CSP-From header enforces EmbeddingCSP. | FAIL |
| Allow-CSP-From header with a star value can be returned. | PASS |
| Cross origin iframe with an empty Allow-CSP-From header gets blocked. | FAIL |
| Cross origin iframe without Allow-CSP-From header gets blocked. | FAIL |
| Iframe with improper Allow-CSP-From header gets blocked. | FAIL |
| Same origin iframes are allowed even if Allow-CSP-From does not match origin. | PASS |
| Same origin iframes are allowed even if the Allow-CSP-From is empty. | PASS |
| Same origin iframes are allowed even if the Allow-CSP-From is not present. | PASS |
| Same origin iframes are always allowed. | PASS |
| Star Allow-CSP-From header enforces EmbeddingCSP. | FAIL |
| iframe from cross origin does not load without Allow-CSP-From header. | PASS |
| /content-security-policy/reporting/report-uri-multiple-reversed.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/generic/generic-0_1-img-src.html | OK |
| Should fire violation events for every failed violation | FAIL |
| Verify cascading of default-src to img-src policy | PASS |
| /content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html | TIMEOUT |
| Test that the child iframe navigation is allowed | NOTRUN |
| /content-security-policy/frame-src/frame-src-allowed.sub.html | OK |
| Expecting alerts: ["PASS"] | PASS |
| Expecting logs: ["PASS IFrame #1 generated a load event."] | PASS |
| /content-security-policy/securitypolicyviolation/inside-dedicated-worker.html | OK |
| No SecurityPolicyViolation event fired for successful load. | PASS |
| SecurityPolicyViolation event fired on global with the correct blockedURI. | PASS |
| SecurityPolicyViolation event fired on global. | PASS |
| /content-security-policy/generic/duplicate-directive.sub.html | OK |
| Expecting alerts: ["PASS (1/1)"] | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html | TIMEOUT |
| Test that the javascript: src is not allowed to run | NOTRUN |
| /content-security-policy/style-src/stylehash-allowed.sub.html | OK |
| Expecting alerts: ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.","PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.","PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.","PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."] | PASS |
| /content-security-policy/worker-src/service-self.https.sub.html | OK |
| Same-origin service worker allowed by 'self'. | PASS |
| /content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html | OK |
| Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/script-src/script-src-1_3.html | OK |
| Inline script in a script tag should run with an unsafe-inline directive | PASS |
| Should not fire policy violation events | PASS |
| /content-security-policy/meta/meta-outside-head.sub.html | OK |
| Expecting alerts: ["PASS (1/1)"] | PASS |
| /content-security-policy/navigate-to/link-click-redirected-allowed.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html | OK |
| Check that frames load without throwing any violation events | PASS |
| /content-security-policy/default-src/default-src-inline-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/prefetch-src/prefetch-blocked.html | TIMEOUT |
| Blocked prefetch generates report. | TIMEOUT |
| Browser supports performance APIs. | PASS |
| Browser supports prefetch. | PASS |
| /content-security-policy/style-src/style-src-inline-style-allowed.html | OK |
| Inline style should apply with 'unsafe-inline' | PASS |
| /content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html | OK |
| Eval is allowed because the CSP is report-only | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html | OK |
| A wildcard host should match a more specific host. | PASS |
| Host must match. | FAIL |
| Hosts without wildcards must match. | FAIL |
| More specific subdomain should not match. | FAIL |
| Specified host should not match a wildcard host. | FAIL |
| /content-security-policy/reporting/multiple-report-policies.html | OK |
| 1-Violation report status OK | PASS |
| 2-Violation report status OK | PASS |
| /content-security-policy/navigate-to/meta-refresh-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html | TIMEOUT |
| undefined | TIMEOUT |
| /content-security-policy/navigate-to/anchor-navigation-always-allowed.html | OK |
| Test that anchor navigation is allowed regardless of the `navigate-to` directive | PASS |
| /content-security-policy/worker-src/shared-fallback.sub.html | OK |
| Same-origin dedicated worker allowed by 'self'. | PASS |
| blob: dedicated worker allowed by 'blob:'. | PASS |
| /content-security-policy/unsafe-hashes/style_attribute_allowed.html | OK |
| Test that the inline style attribute is loaded | FAIL |
| /content-security-policy/reporting/report-and-enforce.html | OK |
| The image should be blocked | PASS |
| The stylesheet should load | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html | OK |
| Should convert the script contents to UTF-8 before hashing | FAIL |
| /content-security-policy/media-src/media-src-7_1_2.sub.html | OK |
| Disallowed async video source element | PASS |
| Disallowed async video src | PASS |
| Test that securitypolicyviolation events are fired | PASS |
| /content-security-policy/securitypolicyviolation/inside-shared-worker.html | OK |
| No SecurityPolicyViolation event fired for successful load. | PASS |
| SecurityPolicyViolation event fired on global with the correct blockedURI. | PASS |
| SecurityPolicyViolation event fired on global. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html | TIMEOUT |
| undefined | TIMEOUT |
| /content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html | OK |
| Expecting logs: ["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE", "violated-directive=connect-src"] | PASS |
| /content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html | TIMEOUT |
| Should fire a security policy violation event | NOTRUN |
| /content-security-policy/style-src/inline-style-allowed.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/worker-src/service-list.https.sub.html | OK |
| Same-origin service worker allowed by host-source expression. | PASS |
| /content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=connect-src"] | PASS |
| /content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html | OK |
| Whitelisted script without a correct nonce is not allowed with `strict-dynamic`. | FAIL |
| /content-security-policy/inside-worker/dedicated-inheritance.html | TIMEOUT |
| Cross-origin 'fetch()' in blob: | PASS |
| Cross-origin 'fetch()' in http: | TIMEOUT |
| Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) | PASS |
| Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) | TIMEOUT |
| Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Cross-origin XHR in blob: | PASS |
| Cross-origin XHR in http: | TIMEOUT |
| Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) | PASS |
| Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) | TIMEOUT |
| Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Filesystem and blob. | PASS |
| Same-origin 'fetch()' in blob: | PASS |
| Same-origin 'fetch()' in http: | PASS |
| Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) | FAIL |
| Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) | PASS |
| Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) | PASS |
| Same-origin => cross-origin 'fetch()' in blob: | PASS |
| Same-origin => cross-origin 'fetch()' in http: | TIMEOUT |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) | PASS |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) | TIMEOUT |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Same-origin XHR in blob: | PASS |
| Same-origin XHR in http: | PASS |
| Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) | FAIL |
| Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) | PASS |
| Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) | PASS |
| /content-security-policy/generic/generic-0_2_2.sub.html | OK |
| Prevents access to external scripts. | PASS |
| Should fire violation events for every failed violation | FAIL |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html | OK |
| Should convert the script contents to UTF-8 before hashing | FAIL |
| /content-security-policy/navigate-to/form-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/style-src/style-src-hash-blocked.html | OK |
| Should fire a securitypolicyviolation event | FAIL |
| Should load the style with a correct hash | PASS |
| Should not load style that does not match hash | PASS |
| /content-security-policy/child-src/child-src-redirect-blocked.sub.html | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-general.html | OK |
| If there is no required csp, iframe should load. | PASS |
| Iframe should load even if the ports are different but are default for the protocols. | PASS |
| Iframe with a different CSP should be blocked. | FAIL |
| Iframe with a matching and more restrictive ports should load. | PASS |
| Iframe with empty returned CSP should be blocked. | FAIL |
| Iframe with less restricting CSP should be blocked. | PASS |
| Iframe with matching CSP should load. | PASS |
| Iframe with more restricting CSP should load. | PASS |
| /content-security-policy/generic/no-default-src.sub.html | OK |
| Allows scripts from the same host. | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/reporting/report-same-origin-with-cookies.html | OK |
| Image should not load | PASS |
| Test report cookies. | FAIL |
| Violation report status OK. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html | OK |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | PASS |
| /content-security-policy/script-src/scripthash-unicode-normalization.sub.html | OK |
| Only matching content runs even with NFC normalization. | PASS |
| Should fire securitypolicyviolation | FAIL |
| /content-security-policy/script-src/scriptnonce-allowed.sub.html | OK |
| Expecting alerts: ["PASS (1/2)","PASS (2/2)"] | PASS |
| /content-security-policy/child-src/child-src-conflicting-frame-src.sub.html | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html | OK |
| Test that form-action overrides navigate-to when present. | PASS |
| /content-security-policy/style-src/style-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=style-src","PASS"] | PASS |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html | OK |
| Non-redirected cross-origin URLs are not stripped. | PASS |
| /content-security-policy/font-src/font-mismatch-blocked.sub.html | TIMEOUT |
| Test font does not load if it does not match font-src. | TIMEOUT |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html | OK |
| A nonce has to be returned if required by the embedder. | PASS |
| Any nonce subsumes. | PASS |
| Exact nonce subsumes. | PASS |
| Multiples nonces returned subsume. | PASS |
| Nonce intersection is still done on exact match - matching nonces. | PASS |
| Nonce intersection is still done on exact match - non-matching nonces. | PASS |
| Other expressions still have to be subsumed - negative test | PASS |
| Other expressions still have to be subsumed - positive test. | PASS |
| /content-security-policy/connect-src/connect-src-beacon-allowed.sub.html | OK |
| Expecting logs: ["Pass"] | PASS |
| /content-security-policy/media-src/media-src-7_3_2.sub.html | OK |
| Disallowed track element onerror handler fires. | PASS |
| Test that securitypolicyviolation events are fired | PASS |
| /content-security-policy/img-src/img-src-self-unique-origin.html | OK |
| Image's url must not match with 'self'. Image must be blocked. | PASS |
| /content-security-policy/connect-src/worker-connect-src-allowed.sub.html | OK |
| Expecting logs: ["xhr allowed"] | PASS |
| /content-security-policy/form-action/form-action-src-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | PASS |
| /content-security-policy/style-src/style-src-imported-style-blocked.html | OK |
| @import stylesheet should not load because it does not match style-src | PASS |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/navigate-to/form-allowed.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html | OK |
| Non-redirected cross-origin URLs are not stripped. | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-none.html | OK |
| Both required and returned csp are `none` for only one directive. | FAIL |
| Both required and returned csp are `none`. | PASS |
| Both required and returned csp are effectively 'none'. | PASS |
| Both required and returned csp are empty. | PASS |
| Empty required csp subsumes a policy with `none`. | PASS |
| Empty required csp subsumes any list of policies. | PASS |
| Empty required csp subsumes empty list of returned policies. | PASS |
| Required csp with `none` does not subsume `none` of another directive. | FAIL |
| Required csp with `none` does not subsume `none` of different directives. | FAIL |
| Required csp with `none` does not subsume a host source expression. | FAIL |
| Required csp with `none` subsumes effective list of `none` despite other keywords. | PASS |
| Required csp with `none` subsumes effective list of `none`. | PASS |
| Required csp with effective `none` does not subsume `none` of another directive. | FAIL |
| Required csp with effective `none` does not subsume a host source expression. | FAIL |
| Required policy that allows `none` does not subsume empty list of policies. | FAIL |
| Returned csp with `none` is subsumed by any required csp. | PASS |
| Returned csp with effective `none` is subsumed by any required csp. | PASS |
| Source list with exprssions other than `none` make `none` ineffective. | PASS |
| /content-security-policy/connect-src/worker-from-guid.sub.html | OK |
| Expecting logs: ["violated-directive=connect-src","xhr blocked","TEST COMPLETE"] | PASS |
| /content-security-policy/reporting/report-only-in-meta.sub.html | OK |
| Image should load | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html | OK |
| 'strict-dynamic' has to be allowed by required csp if it is present in returned csp. | FAIL |
| 'strict-dynamic' is effective only for `script-src`. | PASS |
| 'strict-dynamic' is ineffective for `child-src`. | PASS |
| 'strict-dynamic' is ineffective for `frame-src`. | PASS |
| 'strict-dynamic' is ineffective for `img-src`. | PASS |
| 'strict-dynamic' is ineffective for `style-src`. | PASS |
| 'strict-dynamic' is proper handled for finding effective policy. | PASS |
| 'strict-dynamic' makes 'self' ineffective. | PASS |
| 'strict-dynamic' makes 'unsafe-inline' ineffective. | PASS |
| 'strict-dynamic' makes host source expressions ineffective. | PASS |
| 'strict-dynamic' makes scheme source expressions ineffective. | PASS |
| /content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html | OK |
| Same-origin dedicated worker allowed by default-src 'self'. | PASS |
| /content-security-policy/object-src/object-src-url-redirect-allowed.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/worker-src/shared-child.sub.html | OK |
| Same-origin dedicated worker allowed by 'self'. | PASS |
| blob: dedicated worker allowed by 'blob:'. | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html | OK |
| 'unsafe-hashes' is properly subsumed. | PASS |
| Effective policy is properly found where 'unsafe-hashes' is not part of it. | PASS |
| Effective policy is properly found where 'unsafe-hashes' is not subsumed. | FAIL |
| Effective policy is properly found. | PASS |
| No other keyword has the same effect as 'unsafe-hashes'. | FAIL |
| Other expressions have to be subsumed. | FAIL |
| Required csp must allow 'unsafe-hashes'. | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html | OK |
| Returned CSP should be subsumed even if the port is not specified but is a default port for a more secure scheme. | PASS |
| Returned CSP should be subsumed even if the port is not specified but is a default port for a scheme. | PASS |
| Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme. | FAIL |
| Returned CSP should be subsumed if the port is specified but the scheme is more secure. | PASS |
| Returned CSP should be subsumed if the port is specified. | PASS |
| Returned CSP should be subsumed if the ports match but schemes are not identical for `ws`. | PASS |
| Returned CSP should be subsumed if the ports match but schemes are not identical. | PASS |
| Specified ports must match. | FAIL |
| The same should hold for `ws` case. | PASS |
| Unspecified ports must match if schemes match. | PASS |
| Wildcard port should match a wildcard. | PASS |
| Wildcard port should match any specific port. | PASS |
| Wildcard port should match unspecified port. | PASS |
| Wildcard port should not be subsumed by a default port. | FAIL |
| Wildcard port should not be subsumed by a spcified port. | FAIL |
| /content-security-policy/script-src/scripthash-basic-blocked.sub.html | OK |
| Expecting alerts: ["PASS (1/1)"] | PASS |
| /content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html | OK |
| Event is fired | PASS |
| Test that image does not load | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/generic/generic-0_8_1.sub.html | OK |
| Should fire violation events for every failed violation | FAIL |
| /content-security-policy/reporting/report-uri-scheme-relative.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html | OK |
| Event is fired | PASS |
| Test that image does not load | PASS |
| Violation report status OK. | FAIL |
| /content-security-policy/svg/svg-policy-with-resource.html | OK |
| Expecting logs: ["TEST COMPLETE"] | PASS |
| /content-security-policy/style-src/inline-style-blocked.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/img-src/icon-allowed.sub.html | OK |
| Test that image loads | PASS |
| /content-security-policy/style-src/style-src-hash-allowed.html | OK |
| All style elements should load because they have proper hashes | PASS |
| /content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html | OK |
| Event is fired | PASS |
| Test that image does not load | PASS |
| /content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html | OK |
| Test that form-action overrides navigate-to when present. | PASS |
| /content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html | OK |
| Check that frames load without throwing any violation events | PASS |
| /content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html | OK |
| Image that redirects to http:// URL prohibited by Report-Only must generate a violation report, even with upgrade-insecure-requests | PASS |
| /content-security-policy/navigate-to/meta-refresh-allowed.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/inside-worker/shared-script.html | TIMEOUT |
| Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27 | PASS |
| Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27 | PASS |
| `eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27 | PASS |
| `eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27 | PASS |
| `setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27 | PASS |
| `setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27 | PASS |
| /content-security-policy/unsafe-eval/function-constructor-allowed.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/worker-src/shared-self.sub.html | OK |
| Same-origin dedicated worker allowed by 'self'. | PASS |
| /content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/img-src/img-src-4_1.sub.html | OK |
| img-src for relative path should load | PASS |
| img-src from approved domains should load | PASS |
| img-src from unapproved domains should not load | PASS |
| /content-security-policy/connect-src/connect-src-beacon-blocked.sub.html | OK |
| Expecting logs: ["Pass", "violated-directive=connect-src"] | PASS |
| /content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html | TIMEOUT |
| undefined | TIMEOUT |
| /content-security-policy/object-src/object-src-no-url-blocked.html | TIMEOUT |
| Should block the object and fire a spv | NOTRUN |
| /content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html | OK |
| Inline style should be applied | FAIL |
| /content-security-policy/font-src/font-none-blocked.sub.html | TIMEOUT |
| Test font does not load if it does not match font-src. | TIMEOUT |
| /content-security-policy/script-src/script-src-1_4_2.html | OK |
| Test that securitypolicyviolation event is fired | PASS |
| Unsafe eval ran in Function() constructor. | PASS |
| /content-security-policy/child-src/child-src-blocked.sub.html | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/style-src/inline-style-attribute-on-html.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/navigate-to/href-location-redirected-blocked.sub.html | TIMEOUT |
| Test that the child iframe navigation is not allowed | NOTRUN |
| Violation report status OK. | FAIL |
| /content-security-policy/inheritance/iframe-all-local-schemes.sub.html | OK |
| <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) | FAIL |
| <iframe src='blob:...'>'s inherits policy. | PASS |
| <iframe src='data:...'>'s inherits policy. | PASS |
| <iframe src='javascript:...'>'s inherits policy. | PASS |
| <iframe srcdoc>'s inherits policy. | PASS |
| <iframe>'s about:blank inherits policy. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | NOTRUN |
| /content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html | OK |
| Expecting logs: ["blocked","violated-directive=connect-src"] | PASS |
| /content-security-policy/form-action/form-action-self-allowed-target-blank.html | OK |
| The form submission should not be blocked by the iframe's CSP. | PASS |
| /content-security-policy/default-src/default-src-inline-allowed.sub.html | OK |
| Expecting alerts: ["PASS 1 of 2","PASS 2 of 2"] | PASS |
| /content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html | TIMEOUT |
| Violation report status OK. | PASS |
| iframe still inherits correct CSP | NOTRUN |
| /content-security-policy/script-src/worker-script-src.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/unsafe-eval/eval-allowed.sub.html | OK |
| Expecting alerts: ["PASS (1 of 2)","PASS (2 of 2)"] | PASS |
| /content-security-policy/media-src/media-src-blocked.sub.html | TIMEOUT |
| Disallaowed audio src | PASS |
| Disallowed async video source element | PASS |
| Disallowed async video src | PASS |
| Disallowed audio source element | PASS |
| Test that securitypolicyviolation events are fired | TIMEOUT |
| /content-security-policy/meta/meta-modified.html | OK |
| Expecting logs: ["PASS", "PASS","TEST COMPLETE"] | PASS |
| /content-security-policy/reporting/report-multiple-violations-01.html | OK |
| Test number of sent reports. | FAIL |
| Violation report status OK. | PASS |
| /content-security-policy/font-src/font-stylesheet-font-blocked.sub.html | OK |
| Test font does not load if it does not match font-src. | PASS |
| /content-security-policy/embedded-enforcement/required-csp-header-cascade.html | OK |
| Test same origin: Test invalid policy on first iframe (bad directive) | FAIL |
| Test same origin: Test invalid policy on first iframe (report directive) | FAIL |
| Test same origin: Test invalid policy on second iframe (bad directive) | FAIL |
| Test same origin: Test invalid policy on second iframe (report directive) | FAIL |
| Test same origin: Test less restrictive policy on second iframe | FAIL |
| Test same origin: Test more restrictive policy on second iframe | FAIL |
| Test same origin: Test no policy on first iframe | FAIL |
| Test same origin: Test no policy on second iframe | FAIL |
| Test same origin: Test same policy for both iframes | FAIL |
| /content-security-policy/generic/generic-0_1-script-src.html | OK |
| Should fire violation events for every failed violation | FAIL |
| Verify cascading of default-src to script-src policy: allow | PASS |
| Verify cascading of default-src to script-src policy: block | PASS |
| /content-security-policy/embedded-enforcement/iframe-csp-attribute.html | OK |
| <iframe> has a 'csp' attibute which is an empty string if undefined. | FAIL |
| <iframe>'s 'csp content attribute reflects the IDL attribute. | FAIL |
| <iframe>'s IDL attribute reflects the DOM attribute. | FAIL |
| <iframe>'s csp attribute is always a string. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | NOTRUN |
| /content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html | OK |
| Stylesheet link should load with correct nonce | PASS |
| /content-security-policy/generic/policy-does-not-affect-child.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html | OK |
| img src does not match full host and wildcard csp directive | PASS |
| /content-security-policy/script-src/injected-inline-script-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=script-src-elem",] | FAIL |
| /content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/style-src/style-src-inline-style-attribute-allowed.html | OK |
| Inline style attribute should apply with 'unsafe-inline' | PASS |
| /content-security-policy/reporting/report-multiple-violations-02.html | OK |
| Test number of sent reports. | FAIL |
| Violation report status OK. | PASS |
| /content-security-policy/style-src/style-src-inline-style-attribute-blocked.html | OK |
| Inline style attribute should not be applied without 'unsafe-inline' | PASS |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/navigate-to/form-cross-origin-allowed.sub.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/script-src/scriptnonce-and-scripthash.sub.html | OK |
| Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"] | FAIL |
| /content-security-policy/style-src/injected-inline-style-allowed.sub.html | OK |
| Expecting logs: ["PASS: 2 stylesheets on the page."] | PASS |
| /content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html | OK |
| Event is fired | PASS |
| Violation report status OK. | FAIL |
| /content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html | OK |
| form submission targetting _blank allowed after a redirect | PASS |
| /content-security-policy/blob/blob-urls-match-blob.sub.html | OK |
| Expecting logs: ["PASS (1/1)"] | PASS |
| /content-security-policy/reporting/report-uri-from-javascript.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/object-src/object-src-no-url-allowed.html | OK |
| Violation report status OK. | PASS |
| /content-security-policy/reporting/report-uri-effective-directive.html | OK |
| Violation report status OK. | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html | OK |
| 'unsafe-eval' is properly subsumed. | PASS |
| Effective policy is properly found where 'unsafe-eval' is not part of it. | PASS |
| Effective policy is properly found where 'unsafe-eval' is not subsumed. | FAIL |
| Effective policy is properly found. | PASS |
| No other keyword has the same effect as 'unsafe-eval'. | FAIL |
| Other expressions have to be subsumed. | FAIL |
| Required csp must allow 'unsafe-eval'. | FAIL |
| /content-security-policy/form-action/form-action-src-get-blocked.sub.html | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | PASS |
| /content-security-policy/script-src/script-src-1_4_1.html | OK |
| Test that securitypolicyviolation event is fired | PASS |
| window.setInterval() | PASS |
| window.setTimeout() | PASS |
| /content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html | TIMEOUT |
| Test that the javascript: src is allowed to run | NOTRUN |
| /content-security-policy/frame-src/frame-src-self-unique-origin.html | OK |
| Iframe's url must not match with 'self'. It must be blocked. | PASS |
| /content-security-policy/worker-src/shared-list.sub.html | OK |
| Same-origin dedicated worker allowed by 'self'. | PASS |
| blob: dedicated worker allowed by 'blob:'. | PASS |
| /content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html | ERROR |
| base-uri 'self' blocks foreign-origin sandboxed iframes. | PASS |
| base-uri 'self' works with same-origin sandboxed iframes. | PASS |
| /content-security-policy/style-src/style-allowed.sub.html | OK |
| Expecting logs: ["PASS"] | PASS |
| /content-security-policy/worker-src/dedicated-child.sub.html | OK |
| Same-origin dedicated worker allowed by host-source expression. | PASS |
| blob: dedicated worker allowed by 'blob:'. | PASS |
| /content-security-policy/frame-src/frame-src-cross-origin-load.sub.html | OK |
| Expecting alerts: ["PASS","PASS"] | PASS |
| Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"] | FAIL |
| /content-security-policy/navigate-to/link-click-allowed.html | OK |
| Test that the child iframe navigation is allowed | PASS |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html | OK |
| All specific paths match except the order. | PASS |
| Empty path is not subsumed by specified paths. | FAIL |
| Matching paths. | PASS |
| Returned CSP allows only one path. | PASS |
| Returned CSP has a more specific path. | PASS |
| Returned CSP must specify a path. | FAIL |
| That should not be true when required csp specifies a specific page. | FAIL |
| Unspecified path should be subsumed by `/`. | PASS |
| `/` path should be subsumed by an empty path. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-self-allow.html | OK |
| A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. | PASS |
| /content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html | OK |
| Expecting logs: ["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"] | PASS |
| /content-security-policy/navigate-to/parent-navigates-child-blocked.html | OK |
| Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`) | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/plugin-types/plugintypes-empty.sub.html | TIMEOUT |
| Should not load the object because plugin-types allows no plugins | NOTRUN |
| /content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html | OK |
| img-src with wildcard port should match any port | PASS |
| /content-security-policy/style-src/stylenonce-blocked.sub.html | OK |
| Should fire securitypolicyviolation | FAIL |
| stylenonce-blocked | PASS |
| /content-security-policy/generic/304-response-should-update-csp.sub.html | OK |
| Test that the first frame does not use nonce def | FAIL |
| Test that the first frame uses nonce abc | PASS |
| Test that the second frame does not use nonce abc | FAIL |
| Test that the second frame uses nonce def | PASS |
| /content-security-policy/style-src/style-src-inline-style-nonce-blocked.html | OK |
| Should fire a securitypolicyviolation event | FAIL |
| Should not load inline style element with invalid nonce | PASS |
| /content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html | OK |
| `strict-dynamic` does not drop whitelists in `img-src`. | PASS |
| /content-security-policy/securitypolicyviolation/inside-service-worker.https.html | OK |
| No SecurityPolicyViolation event fired for successful load. | PASS |
| SecurityPolicyViolation event fired on global with the correct blockedURI. | PASS |
| SecurityPolicyViolation event fired on global. | PASS |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html | OK |
| Should convert the script contents to UTF-8 before hashing - greek small letter mu | PASS |
| Should convert the script contents to UTF-8 before hashing - latin capital letter g with breve | PASS |
| Should convert the script contents to UTF-8 before hashing - latin micro sign | PASS |
| /content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html | OK |
| Expecting logs: ["Message"] | PASS |
| /content-security-policy/svg/object-in-svg-foreignobject.sub.html | TIMEOUT |
| Should throw a securitypolicyviolation | TIMEOUT |
| /content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html | OK |
| Expecting logs: ["PASS","violated-directive=script-src"] | PASS |
| /content-security-policy/script-src/script-src-1_4.html | OK |
| Test that securitypolicyviolation event is fired | PASS |
| eval() should not run without 'unsafe-eval' script-src directive. | PASS |
| eval() should throw without 'unsafe-eval' keyword source in script-src directive. | PASS |
| /content-security-policy/reporting/report-original-url.sub.html | TIMEOUT |
| Block after redirect, cross-origin = original URL in report | TIMEOUT |
| Block after redirect, same-origin = original URL in report | TIMEOUT |
| Direct block, cross-origin = full URL in report | PASS |
| Direct block, same-origin = full URL in report | PASS |
| Violation report status OK. | PASS |
| /content-security-policy/inheritance/window.html | TIMEOUT |
| `document.write` into `window.open()` inherits policy. | FAIL |
| window.open('blob:...') inherits policy. | TIMEOUT |
| window.open('javascript:...') inherits policy. | TIMEOUT |
| window.open() inherits policy. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | NOTRUN |