Completely failed files: 384; Completely failed subtests: 410; Failure level: 410/894 (45.86%)

| Test | Sf12 |
|---|---|
| /content-security-policy/embedded-enforcement/required_csp-header.html (22/70, 31.43%, 2.46% of total) | OK |
| Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on `<iframe>`. | FAIL |
| Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of `<iframe>` is not empty. | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none' | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives | FAIL |
| Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string | FAIL |
| Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of `<iframe>` is not empty. | FAIL |
| Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of `<iframe>` is not empty. | FAIL |
| Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of `<iframe>` is not empty. | FAIL |
| Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe. | FAIL |
| Test same origin: Send Sec-Required-CSP when `csp` attribute of `<iframe>` is not empty. | FAIL |
| /content-security-policy/prefetch-src/prefetch-allowed.html (2/3, 66.67%, 0.22% of total) | OK |
| Browser supports prefetch. | FAIL |
| Prefetch succeeds when allowed by prefetch-src | FAIL |
| /content-security-policy/reporting/report-uri-effective-directive.html (1/1, 100.00%, 0.11% of total) | OK |
| Violation report status OK. | FAIL |
| /content-security-policy/embedded-enforcement/allow_csp_from-header.html (5/11, 45.45%, 0.56% of total) | OK |
| Allow-CSP-From header enforces EmbeddingCSP. | FAIL |
| Cross origin iframe with an empty Allow-CSP-From header gets blocked. | FAIL |
| Cross origin iframe without Allow-CSP-From header gets blocked. | FAIL |
| Iframe with improper Allow-CSP-From header gets blocked. | FAIL |
| Star Allow-CSP-From header enforces EmbeddingCSP. | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html (8/16, 50.00%, 0.89% of total) | TIMEOUT |
| 'unsafe-inline' is ineffective when nonces are present. | TIMEOUT |
| 'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`. | TIMEOUT |
| Effective returned csp allows 'unsafe-inline' | FAIL |
| Required csp allows `strict-dynamic`, but retuned csp does. | FAIL |
| Required csp does not allow `unsafe-inline`, but retuned csp does. | FAIL |
| Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'. | TIMEOUT |
| Returned csp whitelists a hash. | FAIL |
| Returned csp whitelists a nonce. | FAIL |
| /content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html (2/3, 66.67%, 0.22% of total) | TIMEOUT |
| Event is fired | TIMEOUT |
| Violation report status OK. | FAIL |
| /content-security-policy/generic/generic-0_8_1.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire violation events for every failed violation | NOTRUN |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Non-redirected cross-origin URLs are not stripped. | TIMEOUT |
| /content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Test that the child iframe navigation is blocked | FAIL |
| /content-security-policy/prefetch-src/prefetch-header-blocked.html (2/3, 66.67%, 0.22% of total) | TIMEOUT |
| Browser supports prefetch. | FAIL |
| Prefetch via `Link` header succeeds when allowed by prefetch-src | TIMEOUT |
| /content-security-policy/media-src/media-src-7_3.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| In-policy track element | NOTRUN |
| Should not fire policy violation events | NOTRUN |
| /content-security-policy/frame-src/frame-src-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.","violated-directive=frame-src"] | FAIL |
| /content-security-policy/reporting/report-multiple-violations-02.html (1/2, 50.00%, 0.11% of total) | OK |
| Test number of sent reports. | FAIL |
| /content-security-policy/form-action/form-action-self-allowed-target-blank.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| The form submission should not be blocked by the iframe's CSP. | TIMEOUT |
| /content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS","violated-directive=script-src"] | FAIL |
| /content-security-policy/script-src/script-src-1_4_1.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation event is fired | NOTRUN |
| /content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html (1/1, 100.00%, 0.11% of total) | OK |
| Should apply the style attribute | FAIL |
| /content-security-policy/securitypolicyviolation/blockeduri-eval.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Eval violations have a blockedURI of 'eval' | TIMEOUT |
| /content-security-policy/media-src/media-src-7_1.html (3/3, 100.00%, 0.34% of total) | TIMEOUT |
| In-policy async video source element | FAIL |
| In-policy async video src | FAIL |
| Should not fire policy violation events | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | NOTRUN |
| /content-security-policy/style-src/style-src-hash-blocked.html (1/3, 33.33%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | NOTRUN |
| /content-security-policy/securitypolicyviolation/inside-service-worker.https.html (2/3, 66.67%, 0.22% of total) | TIMEOUT |
| SecurityPolicyViolation event fired on global with the correct blockedURI. | TIMEOUT |
| SecurityPolicyViolation event fired on global. | TIMEOUT |
| /content-security-policy/reporting/report-original-url.sub.html (1/5, 20.00%, 0.11% of total) | TIMEOUT |
| Direct block, cross-origin = full URL in report | TIMEOUT |
| /content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the child iframe navigation is allowed | NOTRUN |
| /content-security-policy/style-src/stylenonce-allowed.sub.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Should fire securitypolicyviolation | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | NOTRUN |
| /content-security-policy/script-src/injected-inline-script-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=script-src-elem",] | FAIL |
| /content-security-policy/generic/generic-0_2_2.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire violation events for every failed violation | NOTRUN |
| /content-security-policy/generic/filesystem-urls-match-filesystem.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS (1/1)"] | NOTRUN |
| /content-security-policy/embedded-enforcement/idlharness.window.html (2/4, 50.00%, 0.22% of total) | OK |
| HTMLIFrameElement interface: attribute csp | FAIL |
| HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-self-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'self' should block rendering. | NOTRUN |
| /content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Event is fired | TIMEOUT |
| /content-security-policy/media-src/media-src-redir-bug.sub.html (5/5, 100.00%, 0.56% of total) | TIMEOUT |
| In-policy async video source element | FAIL |
| In-policy async video source element w/redir | NOTRUN |
| In-policy async video src | FAIL |
| Should not fire policy violation events | NOTRUN |
| in-policy async video src w/redir | FAIL |
| /content-security-policy/font-src/font-mismatch-blocked.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test font does not load if it does not match font-src. | TIMEOUT |
| /content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| form submission targetting _blank allowed after a redirect | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. | NOTRUN |
| /content-security-policy/embedded-enforcement/required-csp-header-cascade.html (9/9, 100.00%, 1.01% of total) | OK |
| Test same origin: Test invalid policy on first iframe (bad directive) | FAIL |
| Test same origin: Test invalid policy on first iframe (report directive) | FAIL |
| Test same origin: Test invalid policy on second iframe (bad directive) | FAIL |
| Test same origin: Test invalid policy on second iframe (report directive) | FAIL |
| Test same origin: Test less restrictive policy on second iframe | FAIL |
| Test same origin: Test more restrictive policy on second iframe | FAIL |
| Test same origin: Test no policy on first iframe | FAIL |
| Test same origin: Test no policy on second iframe | FAIL |
| Test same origin: Test same policy for both iframes | FAIL |
| /content-security-policy/media-src/media-src-blocked.sub.html (1/5, 20.00%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation events are fired | NOTRUN |
| /content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["allowed"] | FAIL |
| /content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=script-src","PASS"] | FAIL |
| /content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| form submission targetting _blank allowed after a redirect | NOTRUN |
| /content-security-policy/script-src/scripthash-unicode-normalization.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Only matching content runs even with NFC normalization. | FAIL |
| Should fire securitypolicyviolation | NOTRUN |
| /content-security-policy/sandbox/window-reuse-unsandboxed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Window object should be reused | NOTRUN |
| /content-security-policy/object-src/object-src-url-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should block the object and fire a spv | NOTRUN |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html (4/15, 26.67%, 0.45% of total) | OK |
| Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme. | FAIL |
| Specified ports must match. | FAIL |
| Wildcard port should not be subsumed by a default port. | FAIL |
| Wildcard port should not be subsumed by a spcified port. | FAIL |
| /content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire a security policy violation for the attribute | NOTRUN |
| /content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Image that redirects to http:// URL prohibited by Report-Only must generate a violation report, even with upgrade-insecure-requests | TIMEOUT |
| /content-security-policy/navigate-to/href-location-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Test that the child iframe navigation is not allowed | NOTRUN |
| Violation report status OK. | FAIL |
| /content-security-policy/navigate-to/link-click-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/child-src/child-src-cross-origin-load.sub.html (1/2, 50.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/style-src/style-src-none-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire a security policy violation for the attribute | NOTRUN |
| /content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the javascript: src is not allowed to run | NOTRUN |
| /content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Event is fired | TIMEOUT |
| Violation report status OK. | FAIL |
| /content-security-policy/worker-src/dedicated-none.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Same-origin dedicated worker blocked by host-source expression. | FAIL |
| blob: dedicated worker blocked by 'blob:'. | FAIL |
| /content-security-policy/style-src/style-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=style-src","PASS"] | FAIL |
| /content-security-policy/worker-src/shared-fallback.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Same-origin dedicated worker allowed by 'self'. | FAIL |
| blob: dedicated worker allowed by 'blob:'. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin. | NOTRUN |
| /content-security-policy/blob/self-doesnt-match-blob.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"] | FAIL |
| /content-security-policy/object-src/object-src-no-url-blocked.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should block the object and fire a spv | NOTRUN |
| /content-security-policy/sandbox/window-reuse-sandboxed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Window object should not be reused | NOTRUN |
| /content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=connect-src"] | FAIL |
| /content-security-policy/unsafe-hashes/style_attribute_allowed.html (1/1, 100.00%, 0.11% of total) | OK |
| Test that the inline style attribute is loaded | FAIL |
| /content-security-policy/navigate-to/href-location-allowed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the child iframe navigation is allowed | NOTRUN |
| /content-security-policy/inheritance/window.html (4/4, 100.00%, 0.45% of total) | TIMEOUT |
| `document.write` into `window.open()` inherits policy. | FAIL |
| window.open('blob:...') inherits policy. | TIMEOUT |
| window.open('javascript:...') inherits policy. | TIMEOUT |
| window.open() inherits policy. | FAIL |
| /content-security-policy/object-src/object-src-url-embed-blocked.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should block the object and fire a spv | NOTRUN |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html (4/7, 57.14%, 0.45% of total) | OK |
| Effective policy is properly found where 'unsafe-eval' is not subsumed. | FAIL |
| No other keyword has the same effect as 'unsafe-eval'. | FAIL |
| Other expressions have to be subsumed. | FAIL |
| Required csp must allow 'unsafe-eval'. | FAIL |
| /content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Test that no spv event is raised | NOTRUN |
| /content-security-policy/svg/object-in-svg-foreignobject.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Should throw a securitypolicyviolation | FAIL |
| /content-security-policy/inside-worker/dedicated-inheritance.html (11/26, 42.31%, 1.23% of total) | TIMEOUT |
| Cross-origin 'fetch()' in http: | TIMEOUT |
| Cross-origin 'fetch()' in http:?pipe=sub\|header(Content-Security-Policy,connect-src%20*) | TIMEOUT |
| Cross-origin 'fetch()' in http:?pipe=sub\|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Cross-origin XHR in http: | TIMEOUT |
| Cross-origin XHR in http:?pipe=sub\|header(Content-Security-Policy,connect-src%20*) | TIMEOUT |
| Cross-origin XHR in http:?pipe=sub\|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Same-origin 'fetch()' in http:?pipe=sub\|header(Content-Security-Policy,connect-src%20%27none%27) | TIMEOUT |
| Same-origin => cross-origin 'fetch()' in http: | TIMEOUT |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub\|header(Content-Security-Policy,connect-src%20*) | TIMEOUT |
| Same-origin => cross-origin 'fetch()' in http:?pipe=sub\|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Same-origin XHR in http:?pipe=sub\|header(Content-Security-Policy,connect-src%20%27none%27) | FAIL |
| /content-security-policy/navigate-to/form-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire a security policy violation event | NOTRUN |
| /content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/form-action/form-action-src-get-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | FAIL |
| /content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire a security policy violation for the attribute | NOTRUN |
| /content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Test that spv event is fired | NOTRUN |
| /content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the javascript: src is allowed to run | NOTRUN |
| /content-security-policy/navigate-to/link-click-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/reporting/report-same-origin-with-cookies.html (1/3, 33.33%, 0.11% of total) | OK |
| Test report cookies. | FAIL |
| /content-security-policy/worker-src/service-none.https.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Same-origin service worker blocked by 'none'. | FAIL |
| /content-security-policy/securitypolicyviolation/constructor-required-fields.html (6/14, 42.86%, 0.67% of total) | OK |
| SecurityPolicyViolationEvent constructor requires disposition | FAIL |
| SecurityPolicyViolationEvent constructor requires documentURI | FAIL |
| SecurityPolicyViolationEvent constructor requires effectiveDirective | FAIL |
| SecurityPolicyViolationEvent constructor requires originalPolicy | FAIL |
| SecurityPolicyViolationEvent constructor requires statusCode | FAIL |
| SecurityPolicyViolationEvent constructor requires violatedDirective | FAIL |
| /content-security-policy/media-src/media-src-7_2_2.sub.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation events are fired | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html (1/1, 100.00%, 0.11% of total) | OK |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with '*' should allow rendering. | NOTRUN |
| /content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"] | FAIL |
| /content-security-policy/blob/blob-urls-do-not-match-self.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS: eval() blocked.","violated-directive=script-src"] | FAIL |
| /content-security-policy/navigate-to/href-location-redirected-allowed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the child iframe navigation is allowed | NOTRUN |
| /content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Inline style attributes should not have a sample. | TIMEOUT |
| Inline style blocks should not have a sample. | TIMEOUT |
| /content-security-policy/securitypolicyviolation/inside-shared-worker.html (1/1, 100.00%, 0.11% of total) | OK |
| inside-shared-worker | FAIL |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Non-redirected same-origin URLs are not stripped. | TIMEOUT |
| /content-security-policy/generic/generic-0_1-script-src.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Should fire violation events for every failed violation | NOTRUN |
| /content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that style loads if allowed by proper hash values | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/style-src/style-src-inline-style-attribute-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/style-src/style-src-imported-style-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that form-action overrides navigate-to when present. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html (1/2, 50.00%, 0.11% of total) | OK |
| A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page. | FAIL |
| /content-security-policy/child-src/child-src-redirect-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/unsafe-eval/function-constructor-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS EvalError","violated-directive=script-src"] | FAIL |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should convert the script contents to UTF-8 before hashing | NOTRUN |
| /content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Should fire a securitypolicyviolation event | FAIL |
| Test that paragraph remains unmodified and error events received. | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html (4/5, 80.00%, 0.45% of total) | OK |
| Host must match. | FAIL |
| Hosts without wildcards must match. | FAIL |
| More specific subdomain should not match. | FAIL |
| Specified host should not match a wildcard host. | FAIL |
| /content-security-policy/plugin-types/plugintypes-mismatched-data.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not load the object because its declared type does not match its actual type | NOTRUN |
| /content-security-policy/style-src/style-src-inline-style-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that form-action overrides navigate-to when present. | NOTRUN |
| /content-security-policy/navigate-to/form-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/securitypolicyviolation/inside-dedicated-worker.html (3/3, 100.00%, 0.34% of total) | TIMEOUT |
| No SecurityPolicyViolation event fired for successful load. | FAIL |
| SecurityPolicyViolation event fired on global with the correct blockedURI. | TIMEOUT |
| SecurityPolicyViolation event fired on global. | TIMEOUT |
| /content-security-policy/navigate-to/parent-navigates-child-blocked.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`) | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Expecting logs: ["violated-directive=script-src-elem"] | NOTRUN |
| filesystem-urls-do-not-match-self | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/generic/generic-0_2_3.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire violation events for every failed violation | NOTRUN |
| /content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html (3/3, 100.00%, 0.34% of total) | OK |
| Navigated iframe is upgraded and reported | FAIL |
| Upgraded iframe is reported | FAIL |
| Upgraded image is reported | FAIL |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should convert the script contents to UTF-8 before hashing | NOTRUN |
| /content-security-policy/frame-src/frame-src-redirect.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect | TIMEOUT |
| /content-security-policy/media-src/media-src-7_2.html (3/3, 100.00%, 0.34% of total) | TIMEOUT |
| In-policy audio source element | FAIL |
| In-policy audio src | FAIL |
| Should not fire policy violation events | NOTRUN |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html (1/11, 9.09%, 0.11% of total) | OK |
| 'strict-dynamic' has to be allowed by required csp if it is present in returned csp. | FAIL |
| /content-security-policy/media-src/media-src-7_3_2.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation events are fired | NOTRUN |
| /content-security-policy/script-src/script-src-1_2.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Should fire policy violation events | NOTRUN |
| /content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Event is fired | TIMEOUT |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/script-src/script-src-1_2_1.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation event is fired | NOTRUN |
| /content-security-policy/connect-src/connect-src-beacon-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["Pass", "violated-directive=connect-src"] | FAIL |
| /content-security-policy/securitypolicyviolation/idlharness.window.html (12/41, 29.27%, 1.34% of total) | OK |
| SecurityPolicyViolationEvent interface: attribute blockedURL | FAIL |
| SecurityPolicyViolationEvent interface: attribute colno | FAIL |
| SecurityPolicyViolationEvent interface: attribute disposition | FAIL |
| SecurityPolicyViolationEvent interface: attribute documentURL | FAIL |
| SecurityPolicyViolationEvent interface: attribute lineno | FAIL |
| SecurityPolicyViolationEvent interface: attribute sample | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "blockedURL" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "colno" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "disposition" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "documentURL" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "lineno" with the proper type | FAIL |
| SecurityPolicyViolationEvent interface: new SecurityPolicyViolationEvent("securitypolicyviolation") must inherit property "sample" with the proper type | FAIL |
| /content-security-policy/worker-src/dedicated-fallback.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Same-origin dedicated worker allowed by host-source expression. | FAIL |
| blob: dedicated worker allowed by 'blob:'. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html (1/1, 100.00%, 0.11% of total) | OK |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | FAIL |
| /content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html (2/3, 66.67%, 0.22% of total) | TIMEOUT |
| Event is fired | TIMEOUT |
| Violation report status OK. | FAIL |
| /content-security-policy/script-src/scriptnonce-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the inline style attribute is blocked | NOTRUN |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should convert the script contents to UTF-8 before hashing | NOTRUN |
| /content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Should fire a security policy violation event | NOTRUN |
| The inline style should not be applied | FAIL |
| /content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["Pass","violated-directive=connect-src"] | FAIL |
| /content-security-policy/img-src/icon-blocked.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Test that spv event is fired | NOTRUN |
| /content-security-policy/securitypolicyviolation/style-sample.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Inline style attributes should have a sample. | TIMEOUT |
| Inline style blocks should have a sample. | TIMEOUT |
| /content-security-policy/reporting/report-strips-fragment.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Reported document URI does not contain fragments. | TIMEOUT |
| /content-security-policy/plugin-types/plugintypes-mismatched-url.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not load the object because its declared type does not match its actual type | NOTRUN |
| /content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/form-action/form-action-src-javascript-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-none-block.html (1/1, 100.00%, 0.11% of total) | OK |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering. | FAIL |
| /content-security-policy/inside-worker/shared-inheritance.html (1/1, 100.00%, 0.11% of total) | OK |
| shared-inheritance | FAIL |
| /content-security-policy/connect-src/connect-src-websocket-self.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["allowed", "allowed"] | FAIL |
| /content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Violation report status OK. | FAIL |
| /content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"] | TIMEOUT |
| /content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html (1/1, 100.00%, 0.11% of total) | OK |
| Inline style should be applied | FAIL |
| /content-security-policy/worker-src/shared-none.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Same-origin shared worker blocked by 'none'. | FAIL |
| blob: shared worker blocked by 'none'. | FAIL |
| /content-security-policy/inheritance/iframe-srcdoc-inheritance.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| First image should be blocked | NOTRUN |
| Second image should be blocked | NOTRUN |
| /content-security-policy/media-src/media-src-7_1_2.sub.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation events are fired | NOTRUN |
| /content-security-policy/img-src/report-blocked-data-uri.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=img-src"] | FAIL |
| /content-security-policy/inside-worker/dedicated-script.html (4/7, 57.14%, 0.45% of total) | TIMEOUT |
| Cross-origin `importScripts()` blocked in http: | TIMEOUT |
| Cross-origin `importScripts()` blocked in http:?pipe=sub\|header(Content-Security-Policy,default-src%20*) | TIMEOUT |
| Cross-origin `importScripts()` blocked in http:?pipe=sub\|header(Content-Security-Policy,script-src%20*) | TIMEOUT |
| `setTimeout([string])` blocked in blob: | TIMEOUT |
| /content-security-policy/embedded-enforcement/iframe-csp-attribute.html (4/4, 100.00%, 0.45% of total) | OK |
| <iframe> has a 'csp' attibute which is an empty string if undefined. | FAIL |
| <iframe>'s 'csp content attribute reflects the IDL attribute. | FAIL |
| <iframe>'s IDL attribute reflects the DOM attribute. | FAIL |
| <iframe>'s csp attribute is always a string. | FAIL |
| /content-security-policy/prefetch-src/prefetch-blocked.html (2/3, 66.67%, 0.22% of total) | TIMEOUT |
| Blocked prefetch generates report. | TIMEOUT |
| Browser supports prefetch. | FAIL |
| /content-security-policy/child-src/child-src-conflicting-frame-src.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/worker-src/shared-child.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Same-origin dedicated worker allowed by 'self'. | FAIL |
| blob: dedicated worker allowed by 'blob:'. | FAIL |
| /content-security-policy/default-src/default-src-inline-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| img src does not match full host and wildcard csp directive | FAIL |
| /content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html (5/23, 21.74%, 0.56% of total) | TIMEOUT |
| Test that violation report event was fired | NOTRUN |
| inline-style-allowed-while-cloning-objects 1 | FAIL |
| inline-style-allowed-while-cloning-objects 18 | FAIL |
| inline-style-allowed-while-cloning-objects 19 | FAIL |
| inline-style-allowed-while-cloning-objects 3 | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. | NOTRUN |
| /content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Violation report status OK. | FAIL |
| iframe still inherits correct CSP | NOTRUN |
| /content-security-policy/script-src/script-src-1_4_2.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation event is fired | NOTRUN |
| /content-security-policy/connect-src/connect-src-websocket-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["blocked","violated-directive=connect-src"] | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | NOTRUN |
| /content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not have executed the javascript url | NOTRUN |
| /content-security-policy/worker-src/shared-self.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Same-origin dedicated worker allowed by 'self'. | FAIL |
| /content-security-policy/unsafe-eval/eval-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"] | FAIL |
| /content-security-policy/script-src/script-src-1_1.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Should fire policy violation events | NOTRUN |
| /content-security-policy/prefetch-src/prefetch-header-allowed.html (2/3, 66.67%, 0.22% of total) | TIMEOUT |
| Browser supports prefetch. | FAIL |
| Prefetch via `Link` header succeeds when allowed by prefetch-src | TIMEOUT |
| /content-security-policy/style-src/inline-style-attribute-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=style-src-attr","PASS"] | FAIL |
| /content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`) | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/generic/generic-0_10_1.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire violation events for every failed violation | NOTRUN |
| /content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should fire a security policy violation event | NOTRUN |
| /content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["xhr blocked","TEST COMPLETE"] | NOTRUN |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/font-src/font-stylesheet-font-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Test font does not load if it does not match font-src. | FAIL |
| /content-security-policy/child-src/child-src-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | FAIL |
| /content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the inline style attribute is blocked | NOTRUN |
| /content-security-policy/meta/combine-header-and-meta-policies.sub.html (1/2, 50.00%, 0.11% of total) | OK |
| Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"] | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. | NOTRUN |
| /content-security-policy/generic/directive-name-case-insensitive.sub.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Test that the www2 image throws a violation event | NOTRUN |
| /content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/style-src/injected-inline-style-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=style-src-elem","PASS"] | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html (4/11, 36.36%, 0.45% of total) | OK |
| All scheme sources must be subsumed. | FAIL |
| If scheme source is present in returned csp, it must be specified in required csp too. | FAIL |
| `http:` does not subsume other protocols. | FAIL |
| `https` is more restrictive than `http`. | FAIL |
| /content-security-policy/inside-worker/shared-script.html (1/1, 100.00%, 0.11% of total) | OK |
| shared-script | FAIL |
| /content-security-policy/style-src/inline-style-attribute-allowed.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS"] | FAIL |
| /content-security-policy/img-src/img-src-self-unique-origin.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Image's url must not match with 'self'. Image must be blocked. | TIMEOUT |
| /content-security-policy/script-src/scriptnonce-and-scripthash.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"] | TIMEOUT |
| /content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/style-src/style-src-injected-inline-style-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html (6/13, 46.15%, 0.67% of total) | OK |
| 'sha256-abc123' is not subsumed by 'sha256-abc456'. | FAIL |
| Effective policy is properly found where 'sha256-abc123' is not subsumed. | FAIL |
| Hashes do not have to be present in returned csp but must not allow all inline behavior. | FAIL |
| Other expressions have to be subsumed. | FAIL |
| Required csp must allow 'sha256-abc123'. | FAIL |
| Returned should not include hashes not present in required csp. | FAIL |
| /content-security-policy/style-src/style-src-error-event-fires.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Test error event fires on inline style | NOTRUN |
| Test error event fires on stylesheet link | NOTRUN |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Non-redirected cross-origin URLs are not stripped. | TIMEOUT |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should convert the script contents to UTF-8 before hashing | NOTRUN |
| /content-security-policy/style-src/stylehash-basic-blocked.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"] | TIMEOUT |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-self.html (2/7, 28.57%, 0.22% of total) | OK |
| Returned 'self' should not be subsumed by a more secure version of origin's url. | FAIL |
| Returned CSP must not allow 'self' if required CSP does not. | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-general.html (2/8, 25.00%, 0.22% of total) | OK |
| Iframe with a different CSP should be blocked. | FAIL |
| Iframe with empty returned CSP should be blocked. | FAIL |
| /content-security-policy/object-src/object-src-url-blocked.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should block the object and fire a spv | NOTRUN |
| /content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test that the javascript: src is not allowed to run | NOTRUN |
| /content-security-policy/script-src/script-src-1_4.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation event is fired | NOTRUN |
| /content-security-policy/navigation/javascript-url-navigation-inherits-csp.html (1/1, 100.00%, 0.11% of total) | OK |
| javascript-url-navigation-inherits-csp | FAIL |
| /content-security-policy/inheritance/iframe-all-local-schemes.sub.html (3/6, 50.00%, 0.34% of total) | OK |
| <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) | FAIL |
| <iframe src='blob:...'>'s inherits policy. | FAIL |
| <iframe src='data:...'>'s inherits policy. | FAIL |
| /content-security-policy/worker-src/shared-list.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Same-origin dedicated worker allowed by 'self'. | FAIL |
| blob: dedicated worker allowed by 'blob:'. | FAIL |
| /content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html (1/1, 100.00%, 0.11% of total) | OK |
| Whitelisted script without a correct nonce is not allowed with `strict-dynamic`. | FAIL |
| /content-security-policy/style-src/stylenonce-blocked.sub.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire securitypolicyviolation | NOTRUN |
| /content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE", "violated-directive=connect-src"] | FAIL |
| /content-security-policy/font-src/font-none-blocked.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Test font does not load if it does not match font-src. | TIMEOUT |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. | NOTRUN |
| /content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/plugin-types/plugintypes-notype-data.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not load the object because it does not have a declared type | NOTRUN |
| /content-security-policy/generic/304-response-should-update-csp.sub.html (3/4, 75.00%, 0.34% of total) | TIMEOUT |
| Test that the first frame does not use nonce def | NOTRUN |
| Test that the second frame does not use nonce abc | FAIL |
| Test that the second frame uses nonce def | FAIL |
| /content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["blocked","violated-directive=connect-src"] | FAIL |
| /content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html (1/1, 100.00%, 0.11% of total) | ERROR |
| Expecting logs: ["xhr allowed","TEST COMPLETE"] | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html (3/9, 33.33%, 0.34% of total) | OK |
| Empty path is not subsumed by specified paths. | FAIL |
| Returned CSP must specify a path. | FAIL |
| That should not be true when required csp specifies a specific page. | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. | NOTRUN |
| /content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Should fire a security policy violation for the inline block | NOTRUN |
| The inline style should not be applied and the attribute style should be applied | FAIL |
| /content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Test that the child iframe navigation is not allowed | NOTRUN |
| Violation report status OK. | FAIL |
| /content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Same-origin shared worker allowed by default-src 'self'. | FAIL |
| /content-security-policy/plugin-types/plugintypes-nourl-blocked.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not load the object because it does not match plugin-types | NOTRUN |
| /content-security-policy/navigate-to/meta-refresh-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Test that the child iframe navigation is not allowed | FAIL |
| Violation report status OK. | FAIL |
| /content-security-policy/form-action/form-action-src-redirect-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | FAIL |
| form-action-src-redirect-blocked | FAIL |
| /content-security-policy/blob/star-doesnt-match-blob.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"] | FAIL |
| /content-security-policy/plugin-types/plugintypes-notype-url.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not load the object because it does not have a declared type | NOTRUN |
| /content-security-policy/frame-src/frame-src-cross-origin-load.sub.html (1/2, 50.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"] | FAIL |
| /content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. | NOTRUN |
| /content-security-policy/frame-src/frame-src-self-unique-origin.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Iframe's url must not match with 'self'. It must be blocked. | TIMEOUT |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-none.html (7/18, 38.89%, 0.78% of total) | OK |
| Both required and returned csp are `none` for only one directive. | FAIL |
| Required csp with `none` does not subsume `none` of another directive. | FAIL |
| Required csp with `none` does not subsume `none` of different directives. | FAIL |
| Required csp with `none` does not subsume a host source expression. | FAIL |
| Required csp with effective `none` does not subsume `none` of another directive. | FAIL |
| Required csp with effective `none` does not subsume a host source expression. | FAIL |
| Required policy that allows `none` does not subsume empty list of policies. | FAIL |
| /content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html (4/7, 57.14%, 0.45% of total) | OK |
| Effective policy is properly found where 'unsafe-hashes' is not subsumed. | FAIL |
| No other keyword has the same effect as 'unsafe-hashes'. | FAIL |
| Other expressions have to be subsumed. | FAIL |
| Required csp must allow 'unsafe-hashes'. | FAIL |
| /content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["PASS","violated-directive=script-src"] | FAIL |
| /content-security-policy/form-action/form-action-src-blocked.sub.html (2/2, 100.00%, 0.22% of total) | OK |
| Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] | FAIL |
| form-action-src-blocked | FAIL |
| /content-security-policy/style-src/style-src-inline-style-nonce-blocked.html (1/2, 50.00%, 0.11% of total) | OK |
| Should fire a securitypolicyviolation event | FAIL |
| /content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should convert the script contents to UTF-8 before hashing | NOTRUN |
| /content-security-policy/script-src/script-src-1_10.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Test that securitypolicyviolation event is fired | NOTRUN |
| /content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=script-src-elem"] | FAIL |
| /content-security-policy/navigate-to/href-location-blocked.sub.html (2/2, 100.00%, 0.22% of total) | TIMEOUT |
| Test that the child iframe navigation is not allowed | NOTRUN |
| Violation report status OK. | FAIL |
| /content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html (1/3, 33.33%, 0.11% of total) | TIMEOUT |
| Event is fired | TIMEOUT |
| /content-security-policy/connect-src/worker-from-guid.sub.html (1/1, 100.00%, 0.11% of total) | OK |
| Expecting logs: ["violated-directive=connect-src","xhr blocked","TEST COMPLETE"] | FAIL |
| /content-security-policy/generic/generic-0_1-img-src.html (1/2, 50.00%, 0.11% of total) | TIMEOUT |
| Should fire violation events for every failed violation | NOTRUN |
| /content-security-policy/reporting/report-multiple-violations-01.html (1/2, 50.00%, 0.11% of total) | OK |
| Test number of sent reports. | FAIL |
| /content-security-policy/plugin-types/plugintypes-empty.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should not load the object because plugin-types allows no plugins | NOTRUN |
| /content-security-policy/svg/svg-inline.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Should fire violation event | NOTRUN |
| /content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| Non-redirected cross-origin URLs are not stripped. | TIMEOUT |
| /content-security-policy/navigate-to/form-blocked.sub.html (1/1, 100.00%, 0.11% of total) | TIMEOUT |
| undefined | TIMEOUT |