<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[198591] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/198591">198591</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-23 13:58:40 -0700 (Wed, 23 Mar 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Make violation console messages concise and consistent
https://bugs.webkit.org/show_bug.cgi?id=155777
&lt;rdar://problem/25304031&gt;

Reviewed by Darin Adler.

Source/WebCore:

As a first step towards making the log messages that are emitted by the ContentSecurityPolicy object
concise and consistent with the language and formatting used in other WebKit console messages, including
other Content Security Policy messages, make the violation error messages concise and consistent.
Being concise and consistent will help make it straightforward for a person to understand the reason
for the violation by taking advantage of their familiarity with the language and formatting seen in
other WebKit console messages.

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::consoleMessageForViolation): Added. Builds up a console message for a violation.
(WebCore::ContentSecurityPolicyDirectiveList::allowJavaScriptURLs): Extract logic for logging a console message/reporting
a violation from ContentSecurityPolicyDirectiveList::checkInlineAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
to build the actual console message.
(WebCore::ContentSecurityPolicyDirectiveList::allowInlineEventHandlers): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowInlineScript): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowInlineStyle): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowEval): Extract logic for logging a console message/reporting
a violation from ContentSecurityPolicyDirectiveList::checkEvalAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
to build the actual console message.
(WebCore::ContentSecurityPolicyDirectiveList::allowPluginType): Extract logic for logging a console message/reporting
a violation from ContentSecurityPolicyDirectiveList::checkMediaTypeAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
to build the actual console message.
(WebCore::ContentSecurityPolicyDirectiveList::allowScriptFromSource): Extract logic for logging a console message/reporting
a violation from ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
to build the actual console message.
(WebCore::ContentSecurityPolicyDirectiveList::allowObjectFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowChildContextFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowChildFrameFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowImageFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowStyleFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowFontFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowMediaFromSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowConnectToSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowFormAction): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowBaseURI): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::allowFrameAncestors): Extract logic for logging a console message/reporting
a violation from ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
to build the actual console message.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Add FIXME comment to log that the frame-src directive is
deprecated. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155773&gt; for more details.
(WebCore::ContentSecurityPolicyDirectiveList::checkEvalAndReportViolation): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkMediaTypeAndReportViolation): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkInlineAndReportViolation): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation): Deleted.
* page/csp/ContentSecurityPolicyDirectiveList.h:

LayoutTests:

Update expected results to reflect new violation message text.

* fast/workers/worker-inherits-csp-blocks-xhr-expected.txt:
* http/tests/contentextensions/block-cookies-in-csp-report-expected.txt:
* http/tests/contentextensions/block-csp-report-expected.txt:
* http/tests/contentextensions/hide-on-csp-report-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt:
...
* http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt:
* http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt:
* http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt:
* media/csp-blocks-video-expected.txt:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfastimagesimageerroreventnotfiringexpectedtxt">trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksxhrexpectedtxt">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentextensionsblockcookiesincspreportexpectedtxt">trunk/LayoutTests/http/tests/contentextensions/block-cookies-in-csp-report-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentextensionsblockcspreportexpectedtxt">trunk/LayoutTests/http/tests/contentextensions/block-csp-report-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentextensionshideoncspreportexpectedtxt">trunk/LayoutTests/http/tests/contentextensions/hide-on-csp-report-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframesrctakesprecedenceoverchildsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcgetblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcjavascriptblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossnoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamenoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossnoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamenoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesaffectschildexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesinvalidexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesnotypedataexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesnotypeurlexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesnourlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesurl02expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashbasicblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashignoreunsafeinlineexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashmultiplepoliciesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceandscripthashexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncebasicblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceignoreunsafeinlineexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockcrossoriginimageexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockcrossoriginimagefromscriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockimageexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockimagefromscriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockimagehttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockmixedcontenthideswarningexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicycachedframecspexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicycombinemultiplepoliciesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrceventsourceblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrceventsourceredirecttoblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrcwebsocketblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrcxmlhttprequestblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrcxmlhttprequestredirecttoblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicydefaultsrcinlineblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsing01expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsing02expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsing03expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsingmultipleheadersexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalallowedinreportonlymodeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalscriptssetIntervalblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalscriptssetTimeoutblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyframesrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyframesrcredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimgblockednogccrashexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinjectedinlinescriptblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinjectedinlinestyleblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlineeventhandlerblockedafterinjectingmetaexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinescriptblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinescriptblockedgoofyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinescriptblockedjavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinestyleallowedwhilecloningobjectsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-while-cloning-objects-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinestyleattributeblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinestyleblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicymediasrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicymediasrctrackblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-track-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectinsvgforeignobjectexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-in-svg-foreignobject-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcnourlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcnoneblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamcodeblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparammovieblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamurlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyregisterbypassingschemeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcappendedscriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-appended-script-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcnoneexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcnoneinlineeventexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcredirectexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcselfblocked01expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcselfblocked02expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcselfblocked03expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing01expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing03expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing04expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing05expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing06expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing07expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing08expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingmalformedmetaexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingnoneexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-none-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingpaths01expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingpaths02expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysrcdocdoesntbypassscriptsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystyleblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserstylesheetfontcrasherexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMblockloadinguseragentimagefromnonuseragentcontentexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMdefaultsrcobjectdataurlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMdefaultsrcobjectdataurlblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMdefaultsrcobjectdataurlblocked3expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerconnectsrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerimportscriptsblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkermultiplecspheadersexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkersettimeoutblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslimgblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslunaffectedbystylesrc1expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspforxhrexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldimageloadshouldnotbypassmainworldcspexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt</a></li>
<li><a href="#trunkLayoutTestsinspectordebuggercspexceptionsexpectedtxt">trunk/LayoutTests/inspector/debugger/csp-exceptions-expected.txt</a></li>
<li><a href="#trunkLayoutTestsmediacspblocksvideoexpectedtxt">trunk/LayoutTests/media/csp-blocks-video-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/ChangeLog        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2016-03-23  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Make violation console messages concise and consistent
+        https://bugs.webkit.org/show_bug.cgi?id=155777
+        &lt;rdar://problem/25304031&gt;
+
+        Reviewed by Darin Adler.
+
+        Update expected results to reflect new violation message text.
+
+        * fast/workers/worker-inherits-csp-blocks-xhr-expected.txt:
+        * http/tests/contentextensions/block-cookies-in-csp-report-expected.txt:
+        * http/tests/contentextensions/block-csp-report-expected.txt:
+        * http/tests/contentextensions/hide-on-csp-report-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt:
+        ...
+        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt:
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt:
+        * http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt:
+        * media/csp-blocks-video-expected.txt:
+
</ins><span class="cx"> 2016-03-23  Brent Fulgham  &lt;bfulgham@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [WebGL] Non-power-of-two texture optimization
</span></span></pre></div>
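Review bot: The file list in this ChangeLog entry is incomplete. It starts at fast/workers/worker-inherits-csp-blocks-xhr-expected.txt, but this revision also modifies fast/images/image-error-event-not-firing-expected.txt. Its tail goes from http/tests/security/isolatedWorld/ straight to media/csp-blocks-video-expected.txt, although inspector/debugger/csp-exceptions-expected.txt is among the modified paths. Please add both, and replace the literal "..." line with the actual entries so the ChangeLog can be searched per file.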
<a id="trunkLayoutTestsfastimagesimageerroreventnotfiringexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://www.myfakesiteabc.com/image.png' because it violates the following Content Security Policy directive: &quot;img-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://www.myfakesiteabc.com/image.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> This tests onerror event is fired if we change image src to a url blocked by content-security-policy.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
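Review bot: The new expected line prints the blocked URL bare, where the removed line wrapped it in single quotes, so nothing delimits the end of the URL from the words "because it does not appear". A URL that contains spaces or text resembling the message would make the console line ambiguous to a reader or to a tool that parses console output. Consider keeping a delimiter around the URL.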
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksxhrexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'non-existent-file' because it violates the following Content Security Policy directive: &quot;connect-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to non-existent-file because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from making an XHR request because the parent's CSP contains &quot;connect-src 'none'&quot;
</span><span class="cx"> 
</span><span class="cx"> PASS threw exception Error: SecurityError: DOM Exception 18.
</span></span></pre></div>
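Review bot: The wording "does not appear in the connect-src directive" is misleading for this test, whose policy is connect-src 'none' according to both the removed line and the test description. The removed line echoed the directive value, so 'none' was visible; the new line suggests the URL is merely missing from an allow list. Consider including the directive value in the message or using separate wording when the source list is 'none'.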
<a id="trunkLayoutTestshttptestscontentextensionsblockcookiesincspreportexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/contentextensions/block-cookies-in-csp-report-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentextensions/block-cookies-in-csp-report-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/contentextensions/block-cookies-in-csp-report-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost/foo.png' because it violates the following Content Security Policy directive: &quot;img-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost/foo.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> This test creates a CSP violation report, but the report URL matches a 'block-cookie' rule. 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestscontentextensionsblockcspreportexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/contentextensions/block-csp-report-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentextensions/block-csp-report-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/contentextensions/block-csp-report-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost/foo.png' because it violates the following Content Security Policy directive: &quot;img-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost/foo.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: line 33: Content blocker prevented frame displaying http://127.0.0.1:8000/contentextensions/block-csp-report.php from loading a resource from http://localhost:8000/contentextensions/resources/save-ping.php?test=contentextensions-block-csp-report
</span><span class="cx"> This test creates a CSP violation report, but the report URL matches a 'block' rule.  
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestscontentextensionshideoncspreportexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/contentextensions/hide-on-csp-report-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentextensions/hide-on-csp-report-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/contentextensions/hide-on-csp-report-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost/foo.png' because it violates the following Content Security Policy directive: &quot;img-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost/foo.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> This test creates a CSP violation report, but the report URL matches a 'css-display-none' rule.
</span><span class="cx"> This text should remain visible.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to set the document's base URI to 'http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/base-href/' because it violates the following Content Security Policy directive: &quot;base-uri 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to change the document base URL to http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/base-href/ because it does not appear in the base-uri directive of the Content Security Policy.
</ins><span class="cx"> ALERT: This is a safe script.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that an &lt;iframe&gt; load is blocked when using Content Security Policy child-src 'none'. This test PASSED if there is no JavaScript alert.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
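Review bot: The new message names the frame-src directive, but the policy under test is child-src 'none', as the removed line and the test description both state, and no frame-src directive is shown. A developer reading the console would look for a directive that their policy does not contain. The message should name the directive that actually produced the block, which is child-src here.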
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that the Content Security Policy of the page blocks an &lt;iframe&gt; from loading a document of a different origin through a redirect. This test PASSED if there is no JavaScript alert.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
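Review bot: In this redirect case the new line shows only the final localhost:8000 URL. The removed line also showed the allowed source, the redir.php URL on 127.0.0.1:8000, which made it evident that the load was blocked after a redirect to another origin. The new line also says frame-src although the policy directive is child-src. Consider keeping the allowed source, or otherwise indicating the redirect, and naming the directive that is present in the policy.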
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframesrctakesprecedenceoverchildsrcexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;frame-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that an &lt;iframe&gt; load is blocked when using Content Security Policy frame-src 'none'; child-src 'self' because the deprecated directive frame-src takes precedence over the directive child-src. This test PASSED if there is no JavaScript alert.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to create a child context containing 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;child-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy.
</ins><span class="cx"> Workers should be governed by 'child-src'.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to create a child context containing 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to send form data to 'http://127.0.0.1:8000/navigation/resources/form-target.pl' because it violates the following Content Security Policy directive: &quot;form-action 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
</ins><span class="cx">   
</span><span class="cx"> Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</span><span class="cx"> 
</span></span></pre></div>
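Review bot: "Refused to load" does not describe a form submission. The removed text "Refused to send form data to" told the developer which operation was blocked, and the test description still speaks of blocking form actions. Suggest keeping an operation-specific verb for the form-action directive so a blocked form submission can be told apart from a blocked resource load in the console.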
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcgetblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to send form data to 'http://127.0.0.1:8000/navigation/resources/form-target.pl?fieldname=fieldvalue' because it violates the following Content Security Policy directive: &quot;form-action 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/form-target.pl?fieldname=fieldvalue because it does not appear in the form-action directive of the Content Security Policy.
</ins><span class="cx">   
</span><span class="cx"> Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcjavascriptblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to send form data to 'javascript:alert(&quot;FAIL!&quot;)' because it violates the following Content Security Policy directive: &quot;form-action 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load javascript:alert(&quot;FAIL!&quot;) because it does not appear in the form-action directive of the Content Security Policy.
</ins><span class="cx">   
</span><span class="cx"> Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a JavaScript alert.
</span><span class="cx"> 
</span></span></pre></div>
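Review bot: On the added line the blocked URL is printed without delimiters, so javascript:alert("FAIL!") runs straight into "because it does not appear"; the removed line wrapped the URL in single quotes. For URLs that contain quotes or spaces this makes the expected output hard to read and fragile to match, so the message format should keep the quoting around the URL.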
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to send form data to 'http://localhost:8000/navigation/resources/form-target.pl' because it violates the following Content Security Policy directive: &quot;form-action 127.0.0.1:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
</ins><span class="cx">   
</span><span class="cx"> Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</span><span class="cx"> 
</span></span></pre></div>
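Review bot: The added line drops the only evidence of why the redirect target was refused: the removed line put "form-action 127.0.0.1:8000" next to the blocked http://localhost:8000/ URL, which made the host mismatch explicit. With the generic wording this baseline would still match if the submission were blocked by a different source list, so the redirect case is no longer pinned to the policy under test. Suggest retaining the source list in the console message for this test.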
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossnoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
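Review bot: The added line says the framed URL "does not appear in the frame-ancestors directive", but frame-ancestors is matched against the embedding ancestors, not against the URL of the framed resource, so the message points the reader at the wrong side of the check. The removed wording ("in a frame because an ancestor violates") described the failure correctly. The same generic sentence is used in every frame-ancestors baseline in this change; a frame-ancestors-specific message would be clearer than reusing the load message.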
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
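Review bot: The unchanged description line below the console message says the directive has "a value 'same'", while the policy in the URL and in the removed message is 'self', and it speaks of same-origin nested frames in a file named nested-cross-in-cross. Since the baseline is being regenerated anyway, correct the description in the test page so it states the policy and frame layout actually under test. The other nested 'self' baselines in this change carry the same sentence.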
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors http://localhost:8080&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080 because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamenoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors http://localhost:8080&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080 because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossnoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors http://127.0.0.1:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000 because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamenoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors http://localhost:8080&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080 because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'none' should block rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self' because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
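Review bot: The context line after the console message says a 'self' value "should allow rendering", yet the same sentence defines PASS as seeing no content in the iframe, the expected console line is a refusal, and the file is frame-ancestors-self-block. The description contradicts the expectation; the test page should say that the cross-origin frame is blocked so a reader of the baseline does not take the refusal for a regression.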
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://example.com/' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors http://example.com/&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://example.com/ because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&amp;q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&amp;q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> REQUEST_METHOD: POST
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&amp;q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&amp;q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> REQUEST_METHOD: POST
</span></span></pre></div>
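Review bot: Both the removed and the added line of this https baseline carry a report-uri whose test parameter ends in report-frame-ancestors-cross-origin.html, the same value that appears in the non-https report-frame-ancestors-cross-origin baseline, so the two tests appear to save their reports under one key. Worth confirming that one test cannot pick up the other's report when they run close together; a distinct key for the https variant would rule that out. The parameter path also omits the frame-ancestors/ directory in which this baseline lives.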
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&amp;q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&amp;q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> REQUEST_METHOD: POST
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&amp;q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: &quot;frame-ancestors 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&amp;q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> REQUEST_METHOD: POST
</span></span></pre></div>
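Review bot: In the added line the blocked URL is no longer quoted, and this URL carries a percent-encoded policy and a query string ending in q=FAIL, so the message reads "q=FAIL because it does not appear" with nothing marking where the URL stops. Suggest keeping delimiters around the URL, as the removed line did, so that readers and log tooling can extract it reliably.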
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesaffectschildexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text/plain'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> This tests that a plugin-types directive on a top-level page should be inherited by a PluginDocument embedded in the page. This test passes if a console error says that the plugin was blocked.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
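Review bot: The added line drops both the plugin's declared MIME type ('application/x-webkit-test-netscape') and the allowed list ('plugin-types text/plain') that the removed line carried, so someone reading the console cannot tell which type was rejected or what the policy permits. This test is about a policy inherited by an embedded PluginDocument, so the policy is not visible in the child's own markup either. Suggest including at least the rejected MIME type in the message.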
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesinvalidexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,35 +1,27 @@
</span><span class="cx"> CONSOLE MESSAGE: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types '.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types '.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: ''none''.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types 'none''.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: 'text'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: 'text/'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text/'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: '/text'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types /text'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: 'text//plain'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text//plain'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: 'text/plainapplication/nospace'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text/plainapplication/nospace'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: 'text'.
</span><span class="cx"> 
</span><span class="cx"> This tests our handling of invalid `plugin-types` CSP directives. Consider this test passing if each of the following frames contains either &quot;PASS&quot; or no text at all.
</span></span></pre></div>
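Review bot: All nine added "Refused to load" lines are identical, where each removed line echoed the directive under test ('plugin-types ', 'plugin-types text/', 'plugin-types text//plain' and so on). The expected output now ties a refusal to its policy only through the position of the interleaved "directive is empty" and "Invalid plugin type" warnings. Suggest a per-frame marker or distinct resource URL per case so that a reordering or a refusal raised for the wrong frame is still caught.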
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesnotypedataexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '&lt;object type=&quot;[TYPE GOES HERE]&quot; ...&gt;').
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above and &quot;FAIL!&quot; isn't logged.  
</span></span></pre></div>
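Review bot: The removed line reported MIME type '' and explained that the type must be declared with a 'type' attribute, while the added line says the MIME type "does not appear in the plugin-types directive", which reads as a mismatch rather than a missing declaration. The description on the context line still says "No declared type, no load". Suggest a distinct message, or a retained hint, for the empty-type case.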
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesnotypeurlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '&lt;object type=&quot;[TYPE GOES HERE]&quot; ...&gt;').
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above.  
</span></span></pre></div>
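Review bot: The added line is the same text as the one added in plugintypes-affects-child-expected.txt for the same mock-plugin.pl URL, although that test had a declared type rejected by 'plugin-types text/plain' and this one has no declared type at all (MIME type '' in the removed line). With identical output for both causes, this expectation no longer shows that the no-type path was the one taken. Suggest asserting on something that distinguishes the two.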
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesnourlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load '' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text/plain'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
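Review bot: With an empty URL the added line reads "Refused to load because its MIME type does not appear", a sentence with no object and a possessive with no antecedent; the removed line at least showed the empty value as ''. Suggest a fallback noun when the URL is empty, such as "Refused to load a plugin because", and confirming the spacing around the omitted URL.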
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11plugintypesurl02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,9 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text/plain'.
-
-CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url-doesnt-match-csp' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types application/x-shockwave-flash'.
-
-CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin-unknown-type.pl?type-attribute-doesnt-match-csp' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types application/x-unknown-type'.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url-doesnt-match-csp because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin-unknown-type.pl?type-attribute-doesnt-match-csp because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
</ins><span class="cx"> This tests our handling of non-`data:` URLs, given a `plugin-types` CSP directive. Consider this test passing if none of the following frames contains &quot;FAIL&quot; and four sets of console logs appear above.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
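Review bot: The description on the context line asks for "four sets of console logs", but the expected output has three CONSOLE MESSAGE lines both before and after this change; worth correcting the count while these expectations are being rebaselined. Separately, the three removed lines named three different policies (text/plain, application/x-shockwave-flash, application/x-unknown-type) and the added lines do not, so only the URLs now tell the cases apart.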
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: line 4: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
</span></span></pre></div>
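Review bot: The added line says the allowance "appears in neither the script-src directive nor the default-src directive", which implies the policy has a script-src directive; the removed line shows the policy is just "default-src 'self'" and stated that default-src was used as a fallback. Suggest wording that keeps the fallback explicit, since this test is specifically about the effective directive.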
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashbasicblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,10 +1,6 @@
</span><span class="cx"> ALERT: PASS (1/1)
</span><del>-CONSOLE MESSAGE: line 10: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'&quot;.
-
-CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'&quot;.
-
-CONSOLE MESSAGE: line 15: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'&quot;.
-
-CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 10: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 15: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 16: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and four console warings are visible.
</span></span></pre></div>
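Review bot: The added lines say "Refused to execute a script" where the removed lines said "inline script". This test blocks inline scripts against a hash, and dropping "inline" removes the cue that separates this refusal from a blocked external script URL. Suggest keeping "inline" in the message. The description on the context line also has a typo, "console warings".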
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashignoreunsafeinlineexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><span class="cx"> ALERT: PASS (1/1)
</span><del>-CONSOLE MESSAGE: line 10: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE' 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 10: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present.
</span></span></pre></div>
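Review bot: The added line states that 'unsafe-inline' "does not appear in the script-src directive", but the removed line shows the directive under test is a script-src with a sha256 hash followed by 'unsafe-inline', so the keyword does appear and is being ignored because a hash is present. The message is inaccurate for exactly the case this test covers. Suggest wording along the lines of "is not allowed by the script-src directive", or an explicit statement that 'unsafe-inline' is ignored when a hash or nonce is present.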
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashmultiplepoliciesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-CYFBl0kdL4jzV5rJMIUoDtxfH9SQTP1JFh2GOcvAFGA=' 'sha256-F/ojdO7hFCTL+kP9GCfFTGQjf48FyI/WJIuqgntJh7Y='&quot;.
-
-CONSOLE MESSAGE: line 14: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-CYFBl0kdL4jzV5rJMIUoDtxfH9SQTP1JFh2GOcvAFGA=' 'sha256-F/ojdO7hFCTL+kP9GCfFTGQjf48FyI/WJIuqgntJh7Y='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> Tests that an inline script is allowed to execute only if its hash appears in all policies. This test PASSED if there are two console warnings and a JavaScript alert with message PASS. Otherwise, it FAILED.
</span></span></pre></div>
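Review bot: This test delivers more than one policy ("only if its hash appears in all policies"), yet the added lines refer to "the script-src directive of the Content Security Policy" in the singular and give no indication of which policy refused the script. Suggest identifying the refusing policy in some form; as written, the refusals at line 13 and line 14 differ only by line number.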
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,50 +1,33 @@
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-rrdh0QCl46qqHxfnnk08ydh/rkhVi2JvD6DLuUP30MI='&quot;.
-
-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-W4kKNfgvUMesHeVX1eGn6f3LfuntH7p4YjLeOauCA/I='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha-dummy''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha-dummy'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''d&amp;mmy''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'd&amp;mmy'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' '/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='&quot;.
-
-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha384-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='&quot;.
-
-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha512-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/Vet2Rva6wwsny8xybL+=bQal0Gtf0FZW7EOVqqg+Hna=''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-/Vet2Rva6wwsny8xybL+=bQal0Gtf0FZW7EOVqqg+Hna='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA==''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA===''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA==='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-'. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-#''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-#'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-abc&amp;=''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-abc&amp;='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-abc&amp;==''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-abc&amp;=='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-LyogVGhpcyBpcyBhIGxvbmcgY29tbWVudCB0aGF0IHdpbGwgYmUgZW5jb2RlZCB1c2luZyBCYXNlNjQgdG8gcHJvZHVjZSBhbiBlbmNvZGVkIHN0cmluZyBvdXRwdXQgdGhhdCBpcyBsb25nZXIgdGhhbiBhIFNlY3VyZSBIYXNoIEFsZ29yaXRobS01MTIgZGlnZXN0LiAqLw==''. It will be ignored.
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'sha256-LyogVGhpcyBpcyBhIGxvbmcgY29tbWVudCB0aGF0IHdpbGwgYmUgZW5jb2RlZCB1c2luZyBCYXNlNjQgdG8gcHJvZHVjZSBhbiBlbmNvZGVkIHN0cmluZyBvdXRwdXQgdGhhdCBpcyBsb25nZXIgdGhhbiBhIFNlY3VyZSBIYXNoIEFsZ29yaXRobS01MTIgZGlnZXN0LiAqLw=='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that script hashes work and conform to the Content Security Policy 2.0 specification.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceandscripthashexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,8 +1,6 @@
</span><span class="cx"> ALERT: PASS (1/3)
</span><span class="cx"> ALERT: PASS (2/3)
</span><span class="cx"> ALERT: PASS (3/3)
</span><del>-CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-n8xN1Y8E6rPXuE8Iv++3Y3Smm6W4OGH6gqfZV7H8F1E=' 'nonce-nonceynonce'&quot;.
-
-CONSOLE MESSAGE: line 19: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'sha256-n8xN1Y8E6rPXuE8Iv++3Y3Smm6W4OGH6gqfZV7H8F1E=' 'nonce-nonceynonce'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 16: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 19: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests the combined use of script hash and script nonce. It passes if two console warnings are visible and the three alerts show PASS.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncebasicblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,9 +1,6 @@
</span><span class="cx"> ALERT: PASS (1/2)
</span><span class="cx"> ALERT: PASS (2/2)
</span><del>-CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'nonce-noncynonce'&quot;.
-
-CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'nonce-noncynonce'&quot;.
-
-CONSOLE MESSAGE: line 19: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'nonce-noncynonce'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 16: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 19: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests the effect of a valid script-nonce value. It passes if three console warnings are visible, and the two PASS alerts are executed.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-nonce'&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-notnonce'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Only the first two of these scripts should execute even though there are parse errors in the policy.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
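Review bot: the two added "Refused to load ... script.js" lines are byte-identical, where the removed lines quoted a different policy each time ('nonce-nonce' and 'nonce-notnonce'), so this expectation can no longer show which policy produced which refusal. The wording "because it does not appear in the script-src directive" also reads as a URL allow-list miss, while both removed policies held only a nonce source. Consider mentioning the nonce in the external-script message, as the inline-script message does, or keeping the directive text.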
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceignoreunsafeinlineexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><span class="cx"> ALERT: PASS (1/2)
</span><span class="cx"> ALERT: PASS (2/2)
</span><del>-CONSOLE MESSAGE: line 15: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 15: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present.
</span></span></pre></div>
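Review bot: the added line 15 message says the script was refused because "its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive", but the removed line shows the policy was script-src 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'. Here 'unsafe-inline' does appear and is ignored because a nonce is present, which is exactly what this test's description states. The generic wording will send a policy author looking for a missing keyword; a separate message for the case where 'unsafe-inline' is present but overridden by a nonce or hash would be more accurate.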
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,35 +1,25 @@
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''n'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'n&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src nonce-abcd&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce- '&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-     '&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'spaces''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce- nonces have no spaces'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-{}''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-{}'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-/\''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'nonce-/\'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> None of these scripts should execute, as all the nonces are invalid.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
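Review bot: in the added pair of consecutive "Refused to load" lines that replaces the removed 'nonce- and nonce-abcd refusals, the unquoted nonce-abcd case loses its only diagnostic. No "invalid source" warning precedes it, and the removed message was the one place its source list (script-src nonce-abcd) was visible. With every added refusal identical, a regression that swapped or dropped one of these cases would be harder to spot from this file; consider keeping the directive text in the message for this test.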
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockcrossoriginimageexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockcrossoriginimagefromscriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Check that a SecurityPolicyViolationEvent strips detail from cross-origin URLs upon blocking an image injected via script.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockimageexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockimagefromscriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationblockimagehttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><del>-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,8 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 6: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='&quot;.
-
-CONSOLE MESSAGE: line 7: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='&quot;.
-
-CONSOLE MESSAGE: line 8: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 6: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 7: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 8: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS: The 'p' element's text is green, which means the style was correctly applied.
</span><span class="cx"> This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and three console warnings are visible.
</span></span></pre></div>
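Review bot: the added messages for lines 6, 7 and 8 say "Refused to apply a stylesheet", where the removed ones said "inline style". The hash, nonce and 'unsafe-inline' clause only makes sense for inline content, so "an inline style" or similar would keep the message self-consistent and avoid suggesting that an external sheet was blocked. The same applies to "a script" in the script-src form of this message.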
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceallowedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'nonce-noncynonce' 'nonce-noncy+/=nonce'&quot;.
-
-CONSOLE MESSAGE: line 11: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'nonce-noncynonce' 'nonce-noncy+/=nonce'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 11: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'self'&quot;.
-
-CONSOLE MESSAGE: line 6: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 6: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockmixedcontenthideswarningexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> This page should neither alert &quot;FAIL&quot; nor generate any mixed content warnings in the console. 
</span></span></pre></div>
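Review bot: the added message says the URL "appears in neither the script-src directive nor the default-src directive", but the removed line records that 'script-src' was not explicitly set and 'default-src' was used as a fallback. Wording that implies a script-src directive was consulted can mislead someone debugging the policy; suggest stating the fallback explicitly, as the removed note did.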
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicycachedframecspexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
-CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 5: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Check that a CSP header added by a 304 response does not override one from the original request.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
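Review bot: this test is about which policy survives a 304 response, and the removed lines were the only console output that named the enforced directive (script-src 'none'). The added line 5 messages would read the same under any script-src that lacks a matching hash, nonce or 'unsafe-inline', so please confirm the PASS checks establish the policy's identity on their own, since the console expectation no longer does.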
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicycombinemultiplepoliciesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 11: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
-CONSOLE MESSAGE: line 14: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 11: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 14: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> This test checks that we enforce all the supplied policies. This test passes if it doesn't alert fail and if the style doesn't apply.
</span></span></pre></div>
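Review bot: with several policies enforced at once, "the script-src directive of the Content Security Policy" in the added line 11 and line 14 messages does not say which policy refused the script or the style; the removed lines at least quoted the directive ("script-src 'self'", "style-src 'none'"). Consider identifying the policy, or quoting its directive, when more than one policy is in force.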
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrceventsourceblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because it violates the following Content Security Policy directive: &quot;connect-src http://localhost:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> Pass
</span><span class="cx"> 
</span></span></pre></div>
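Review bot: the blocked URL loses its surrounding single quotes in the new message. The URL is page-controlled text, so one containing spaces or the words 'because it' would run into the rest of the sentence and make the console line harder to read or parse. Keeping the quotes around the URL, as the removed line had, avoids that.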
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrceventsourceredirecttoblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/eventsource/resources/simple-event-stream.asis' because it violates the following Content Security Policy directive: &quot;connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> PASS EventSource() did not follow the disallowed redirect.
</span><span class="cx"> PASS successfullyParsed is true
</span><span class="cx"> 
</span></span></pre></div>
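Review bot: the new message reports only the redirect target on localhost:8000 as missing from connect-src, and nothing in it says the request arrived there through a redirect. The removed line at least showed the allowed source ending in redir.php, which let a reader see that the original request was permitted and the hop was not. Consider mentioning the redirect in the message for this case.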
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrcwebsocketblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'ws://localhost:8880/websocket/tests/hybi/echo' because it violates the following Content Security Policy directive: &quot;connect-src ws://127.0.0.1:8880&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to ws://localhost:8880/websocket/tests/hybi/echo because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> Pass
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrcxmlhttprequestblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: &quot;connect-src http://127.0.0.1:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> Pass
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyconnectsrcxmlhttprequestredirecttoblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl' because it violates the following Content Security Policy directive: &quot;connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> PASS XMLHttpRequest.send() did not follow the disallowed redirect.
</span><span class="cx"> PASS successfullyParsed is true
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicydefaultsrcinlineblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: line 9: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if it doesn't alert fail.
</span></span></pre></div>
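Review bot: 'appears in neither the script-src directive nor the default-src directive' reads as if the policy contains both directives, while the removed lines show the policy was "default-src 'self'" with script-src not explicitly set. A developer looking for a script-src directive to edit will not find one. Wording that keeps the fallback explicit, as the old note about 'default-src' being used as a fallback did, would be clearer. The second message also still carries no line number, so the two refusals cannot be told apart.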
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsing01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This script should not execute even though there are parse errors in the policy.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsing02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><span class="cx"> CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'aaa'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This script should not execute even though there are parse errors in the policy.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsing03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><span class="cx"> CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'aaa'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This script should not execute even though there are parse errors in the policy.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicydirectiveparsingmultipleheadersexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> This script should not execute even through the second CSP header would allow it.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
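Review bot: the context line says the second CSP header would allow this script, yet the new message says the URL appears in neither script-src nor default-src of 'the Content Security Policy', as if there were a single policy. With multiple headers delivered, the message should identify which policy refused the load; the removed line did so by quoting "default-src 'self'".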
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
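Review bot: the test description in the context line says the test passes if there is a console message saying the plugin was blocked, but the new message no longer mentions a plugin; it only says a URL was refused under object-src. Either keep the resource type in the message ('plugin data' in the removed line) or update the description so the pass condition matches the expected output.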
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblocked2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalallowedinreportonlymodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy 'script-src 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
</span><del>-CONSOLE MESSAGE: line 7: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 7: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS: eval() executed as expected.
</span><span class="cx"> 
</span></span></pre></div>
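Review bot: the rewritten line 7 message still says '[Report Only] Refused to execute a script', although the preceding context line states that this report-only policy will have no effect. Since the string is being reworded anyway, a report-only form that does not say 'Refused' would stop readers from concluding that the script was blocked.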
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalscriptssetIntervalblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 13: Refused to evaluate script because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 13: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
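Review bot: 'Refused to execute a script' now opens both this eval refusal and the inline-script refusals elsewhere in the patch, so the two cases differ only in the clause after 'because'. The removed line said 'Refused to evaluate script', which separated string evaluation from inline execution at a glance and in log searches. Consider keeping a distinct verb for the 'unsafe-eval' case.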
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalscriptssetTimeoutblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 13: Refused to evaluate script because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 13: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/resources/Ahem.woff' because it violates the following Content Security Policy directive: &quot;font-src http://127.0.0.1:8000/resources/redirect.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/Ahem.woff because it does not appear in the font-src directive of the Content Security Policy.
</ins><span class="cx"> Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
</span><span class="cx"> 
</span><span class="cx"> .
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyframesrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;frame-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyframesrcredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;frame-src 127.0.0.1:8000&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> This test passes if it doesn't alert FAIL and does alert PASS. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src http://127.0.0.1:8000/resources/redirect.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimgblockednogccrashexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS (1/1)
</span><span class="cx"> This test ensures that blocking an image via CSP doesn't crash if GC executes before the error event fires.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinjectedinlinescriptblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
-
-
</del></span></pre></div>
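Review bot: the expected output now has two identical refusal lines with no line number, so nothing distinguishes the two injected scripts. The new text also tells the author that the script's hash does not appear in script-src without printing that hash, which leaves them to compute it before they can allow the script. Including the computed hash, or some other identifier of the blocked script, would make the message actionable.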
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinjectedinlinestyleblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'none'&quot;.
-
-CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> PASS 1/2
</span><span class="cx"> PASS 2/2
</span><span class="cx"> 0
</span></span></pre></div>
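Review bot: 'Refused to apply a stylesheet' replaces 'Refused to apply inline style', and the word 'inline' survives only inside the quoted 'unsafe-inline' keyword. A reader can no longer tell from the message alone that the blocked style was inline rather than an external stylesheet. Suggest 'an inline stylesheet' or similar wording that keeps the distinction.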
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlineeventhandlerblockedafterinjectingmetaexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -2,6 +2,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 21: PASS: Event handler triggered pre-policy.
</span><span class="cx"> CONSOLE MESSAGE: line 14: Injecting Content-Security-Policy.
</span><span class="cx"> CONSOLE MESSAGE: line 19: Clicking a link, post-policy:
</span><del>-CONSOLE MESSAGE: line 21: Refused to execute inline event handler because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: line 21: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> This test checks that CSP is evaluated on each call to an inline event handler, even if it's been executed pre-policy. It passes if one 'PASS' and no 'FAIL' messages appear.
</span></span></pre></div>
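Review bot: the refusal at line 21 is for an inline event handler, as the removed line and the test description both say, but the new message calls it 'a script' and offers 'its hash, its nonce' as remedies. An event handler attribute cannot carry a nonce, so the message points the author at a fix that is not available for this case. Keep 'inline event handler' in the wording and list only the remedies that apply to it.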
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinescriptblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
-
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 9: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if it doesn't alert fail.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinescriptblockedgoofyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
</span><del>-CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
-
-CONSOLE MESSAGE: line 7: Refused to execute inline event handler because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 9: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 7: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if it doesn't alert fail.
</span></span></pre></div>
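Review bot: The added line 9 and line 7 expectations are now identical apart from the line number, while the removed lines show one was an inline script and the other an inline event handler. With the construct name gone, this expected file can no longer catch a regression that reports the wrong kind of inline code; consider keeping the construct in the message text.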
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinescriptblockedjavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if it doesn't alert fail. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinestyleallowedwhilecloningobjectsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-while-cloning-objects-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-while-cloning-objects-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-while-cloning-objects-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'self'&quot;.
-
-CONSOLE MESSAGE: line 79: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 79: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> This test ensures that styles can be set by object.cloneNode()
</span><span class="cx"> PASS node1.style.background is &quot;yellow&quot;
</span><span class="cx"> PASS node2.style.background is &quot;yellow&quot;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinestyleattributeblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 10: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 10: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> PASS
</span></span></pre></div>
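Review bot: 'Refused to apply a stylesheet' on line 10 describes what the file name and the removed 'inline style' wording identify as a style attribute, which is not a stylesheet and cannot carry a nonce. Suggest separate wording for style attributes that names 'unsafe-inline' only, and keeping the stylesheet, hash and nonce wording for style elements.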
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyinlinestyleblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 5: Refused to apply inline style because it violates the following Content Security Policy directive: &quot;style-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 5: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> PASS
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: &quot;default-src *&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: &quot;default-src *&quot;. Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-CONSOLE MESSAGE: Refused to load plugin data from 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: &quot;default-src *&quot;. Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-
</del></span></pre></div>
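Review bot: The two added 'Refused to load javascript:alert('FAIL'); because ...' lines drop the quotes that delimited the URL, so the URL's own quotes and trailing semicolon run straight into the sentence. A blocked URL is page-controlled text; keeping a delimiter around it makes the console line unambiguous to read and to match in log tooling.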
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,8 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicymediasrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load media from 'http://127.0.0.1:8000/resources/load-and-stall.cgi?name=../../../media/content/test.mp4&amp;mimeType=video/mp4&amp;stallAt=100000' because it violates the following Content Security Policy directive: &quot;media-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/load-and-stall.cgi?name=../../../media/content/test.mp4&amp;mimeType=video/mp4&amp;stallAt=100000 because it does not appear in the media-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del><span class="cx"> END OF TEST
</span><span class="cx"> This test passes if it doesn't alert failure.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicymediasrctrackblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-track-block-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-track-block-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-track-block-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load media from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/track.vtt' because it violates the following Content Security Policy directive: &quot;media-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/track.vtt because it does not appear in the media-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectinsvgforeignobjectexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-in-svg-foreignobject-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-in-svg-foreignobject-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-in-svg-foreignobject-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test ensures that objects inside SVG foreignobject elements are beholden to the same policy as the rest of the document. This test passes if there is a console message saying the plugin was blocked.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcnourlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from '' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
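Review bot: With an empty URL the added message reads 'Refused to load because it does not appear in the object-src directive', a sentence with no object. The removed line at least showed the empty string in quotes; suggest either keeping the quotes or substituting a fixed phrase for the no-URL case so the message still says what was refused.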
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcnoneblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'data:application/x-webkit-test-netscape,logifloaded' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/x-webkit-test-netscape,logifloaded because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><del>-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamcodeblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
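Review bot: The added line no longer prints the directive value, and in this test that value was the diagnostic: the removed line showed 'object-src http://localhost:8000' next to a blocked URL on 127.0.0.1:8000, which makes the host mismatch visible at a glance. Naming only 'the object-src directive' forces the reader to go and find the policy, which is harder still when more than one policy is in effect; consider appending the source list to the new wording.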
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparammovieblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblocked2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamurlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblocked2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyregisterbypassingschemeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,8 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src https:&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS (1/3)
</span><span class="cx"> ALERT: PASS (2/3)
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src https:&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS (3/3)
</span><span class="cx"> This test ensures that registering a scheme as bypassing CSP actually bypasses CSP. This test passes if three PASSes are generated.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
-CONSOLE MESSAGE: line 9: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 9: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image '' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load  because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
</span></span></pre></div>
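Review bot: In the added line the only trace of the empty blocked URL is the run of two spaces in 'Refused to load  because', which differs from the single space in the added line of object-src-no-url-blocked-expected.txt and is easy to lose to whitespace cleanup in an expected file. Quoting the URL, as the removed line did with '', would make the empty value explicit and keep the two cases consistent.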
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'compass.jpg' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load compass.jpg because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: [Report Only] Refused to load http://localhost:8080/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_COOKIE: hello=world
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that the status-code is 0 in the Content Security Policy violation report for a protected resource delivered over HTTPS.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><del>-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcappendedscriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-appended-script-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-appended-script-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-appended-script-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> PASS
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcnoneexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcnoneinlineeventexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 3: Refused to execute inline event handler because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 3: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx">   
</span><span class="cx"> 
</span><span class="cx"> --------
</span></span></pre></div>
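Review bot: The line 3 message in this expectation is for an inline event handler (the removed text said so), but the added text uses the generic 'a script' wording and names 'its hash, its nonce' as ways to allow it. Hashes and nonces belong to script elements, so for an event handler attribute the message points the developer at remedies that do not apply. Keep a distinct message for event handlers that mentions only 'unsafe-inline', and keep the word 'inline' so the line is not mistaken for an external script load.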
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcredirectexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src localhost&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
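Review bot: The two added CONSOLE MESSAGE lines are identical, whereas the removed pair ended in different directives ('script-src localhost' and 'script-src 127.0.0.1'), which was the only thing in this output explaining why the same redir.php URL is refused twice. With the directive text gone, neither the developer nor this expectation can tell which policy refused which load. When more than one policy is in force, append the directive text or some other identifier of the violated policy to the message.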
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcselfblocked01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><del>-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcselfblocked02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><del>-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptsrcselfblocked03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><del>-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,9 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https://127.0.0.1:8000&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https://127.0.0.1:*&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https://127.0.0.1:*&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> None of these scripts should execute even though there are parse errors in the policy.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing03expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https:&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https:&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> None of these scripts should execute.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing04expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,8 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https:  taco&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The value for Content Security Policy directive 'script-src' contains an invalid character: 'https:  '. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> None of these scripts should execute even though there are parse errors in the policy.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
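Review bot: Both added refusal lines are now the same string, while the removed ones named the policy containing 'taco' after 'script-src https:' and the policy script-src 'none' separately. The context line states the purpose of this test as 'None of these scripts should execute even though there are parse errors in the policy', and the old output showed that the policy with the parse error blocks on its own. As written, the expectation would still pass if the two refusals came from the same policy; keep something in the message that tells the policies apart.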
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing05expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,25 +1,17 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/path&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/path?query=string&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/path#anchor&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/path&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/path?query=string&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/path#anchor&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/thisisa&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/this is a path with spaces&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
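Review bot: in the two places where a pair of removed refusals becomes a pair of added ones (127.0.0.1:*/path#anchor with 127.0.0.1:8000/path, and /thisisa with 'this is a path with spaces'), the new lines are identical and have no parse warning between them. The expectation now checks only that two refusals were logged, not which source expression each one was evaluated against. If the shorter message is intended, the test page should print a per-case marker so the order and attribution of the refusals remain verifiable.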
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing06expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,25 +1,17 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*/path&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*/path?query=string&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:*/path#anchor&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/path&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/path?query=string&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/path#anchor&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/thisisa&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/this is a path with spaces&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
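Review bot: every added and context line in this hunk matches the source-list-parsing-05 expectation line for line. The http:// scheme in the quoted directive of the removed lines was the only visible difference between the two files. After this change a regression that affects only scheme-qualified sources, or a mix-up between the two test pages, would produce the same expected output. Worth keeping some scheme-specific text in the output of this test.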
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing07expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,27 +1,19 @@
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:/'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http:/&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:/127.0.0.1'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http:/127.0.0.1&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:///127.0.0.1'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http:///127.0.0.1&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:/'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:/&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://127.?.0.1:*'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https://127.?.0.1:*&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://127.0.0.1:'. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src https://127.0.0.1:&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''slef''. It will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'slef'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://127.0.0.1:'. It will be ignored.
</span><span class="cx"> Invalid source expressions should log a console warning, and be ignored.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsing08expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: &quot;script-src https://127.0.0.1:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs= because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs= because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Test proper handling of data: URLs.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
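Review bot: the added lines print the blocked data: URL without the surrounding quotes that the removed lines had, so the message no longer marks where the URL ends and the fixed text " because it does not appear" begins. The blocked URL is page-controlled content, and an unquoted value makes the console line harder to read and to parse reliably. Consider restoring the quotes around the URL, and possibly truncating long data: URLs. The two refusals, previously attributed to script-src 'self' and script-src https://127.0.0.1:8000, are also now indistinguishable.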
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingmalformedmetaexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: &quot;connect-src http://localhost:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://127.0.0.1:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> Pass
</span><span class="cx"> This test passes if the malformed meta tag doesn't cause a crash and the resource is blocked.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingnoneexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-none-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-none-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-none-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,14 +1,11 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 'none' 'none' 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 'none' should be ignored in source lists, unless it is the only token.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
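Review bot: the wording "does not appear in the script-src directive" in the added lines reads as though the directive lists URLs, but the removed lines show the policies here were script-src 'none' and script-src 'none' 'none' 'none', where nothing can "appear". A developer reading the new message cannot tell that 'none' is the reason for the block. Suggest wording along the lines of "does not match any source expression in the script-src directive", or keeping the directive value in the message.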
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingpaths01expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,11 +1,7 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/sec&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/sec/&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/not-security&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Resources should be rejected unless they match a whitelisted path.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
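Review bot: the four removed refusals each named a different path expression (127.0.0.1:*/sec, 127.0.0.1:*/sec/, 127.0.0.1:8000/not-security and the percent-encoded 127.0.0.1:8000/security%3bnot-contentSecurityPolicy), and the four added lines are identical. The test description says resources should be rejected unless they match a whitelisted path, yet the expectation no longer shows which path was tested, so the percent-encoding case in particular has lost its visible coverage. Please add a per-case label to the test output or keep the directive in the message.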
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingpaths02expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,15 +1,11 @@
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security/#query=string'. The fragment identifier, including the '#', will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security/?query=string'. The query component, including the '?', will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security/#query=string'. The fragment identifier, including the '#', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/not-security/#query=string&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security/?query=string'. The query component, including the '?', will be ignored.
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/not-security/?query=string&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/security&quot;.
-
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: &quot;script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js/&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Resources should be rejected unless they match a whitelisted path.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysrcdocdoesntbypassscriptsrcexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This test passes if it doesn't alert fail. 
</span></span></pre></div>
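Review bot: the added line says "Refused to execute a script" where the removed line said "inline script". The hash, nonce and 'unsafe-inline' reasons listed in the new text apply to inline script, and dropping the word makes it harder to tell this refusal from a blocked external load. Suggest keeping "inline" in the message. The removed line also showed that the enforcing policy was script-src 'self', which helped confirm that the srcdoc frame inherited it; that confirmation is no longer in the expected output.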
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystyleblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load the stylesheet 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: &quot;style-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css because it does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> PASS
</span></span></pre></div>
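Review bot: The added message drops the quotes around the blocked URL, so the URL now runs straight into "because" and anything reading console output can no longer delimit it by the quote characters. The resource type ("the stylesheet") is gone as well; consider keeping the URL quoted as the removed line did.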
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the stylesheet 'http://localhost:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: &quot;style-src http://127.0.0.1:8000/resources/redirect.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/blue.css because it does not appear in the style-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span></span></pre></div>
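Review bot: In this redirect case the removed line echoed the source list (style-src http://127.0.0.1:8000/resources/redirect.php), which is what showed that an allowed redirect.php hop had led to a disallowed localhost URL. The added line names only the final URL, so nothing in the expected output reflects that the refusal happened after a redirect; consider mentioning the redirect or keeping the source list on this path. The same applies to the svg-font, svg-image, track and xsl redirect expectations in this change.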
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg' because it violates the following Content Security Policy directive: &quot;font-src http://127.0.0.1:8000/resources/redirect.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg because it does not appear in the font-src directive of the Content Security Policy.
</ins><span class="cx"> Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg' because it violates the following Content Security Policy directive: &quot;img-src http://127.0.0.1:8000/resources/redirect.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt' because it violates the following Content Security Policy directive: &quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt because it does not appear in the media-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserstylesheetfontcrasherexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,6 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the font 'http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff' because it violates the following Content Security Policy directive: &quot;font-src http://webkit.org&quot;.
-
-CONSOLE MESSAGE: Refused to load the font 'http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff' because it violates the following Content Security Policy directive: &quot;font-src http://webkit.org&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff because it does not appear in the font-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff because it does not appear in the font-src directive of the Content Security Policy.
</ins><span class="cx"> The iframe below triggers a violation report creating the initial empty document. It should not crash the web process.
</span><span class="cx"> 
</span></span></pre></div>
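Review bot: The two added CONSOLE MESSAGE lines are identical, so the new baseline carries forward a double report of the same example_font.woff violation. Worth confirming that two reports are intended here (for example one per load attempt) rather than re-baselining a duplicate; a short comment in the test would settle it.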
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMblockloadinguseragentimagefromnonuseragentcontentexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Tests that we prevent the document from loading an image that was loaded earlier from a user agent shadow tree. This test can only be run in the test tool. This test PASSED if you see the word PASS below and there is exactly one Content Security Policy console message about a blocked image load.
</span><span class="cx"> 
</span><span class="cx"> PASS image was not loaded by document.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMdefaultsrcobjectdataurlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/resources/abe.png because it appears in neither the img-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> This test passes if it doesn't alert FAIL and does alert PASS. 
</span></span></pre></div>
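Review bot: The added wording "appears in neither the img-src directive nor the default-src directive" reads as if the policy contains an img-src directive, but the removed line states that 'img-src' was not explicitly set and default-src 'self' was used as the fallback. Suggest wording that keeps the fallback explicit, such as saying the URL does not appear in default-src, which applies because img-src is absent. The blocked2 and blocked3 expectations that follow have the same issue.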
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMdefaultsrcobjectdataurlblocked2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/resources/abe.png because it appears in neither the img-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> This test passes if it doesn't alert FAIL and does alert PASS.  
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMdefaultsrcobjectdataurlblocked3expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/resources/abe.png because it appears in neither the img-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> This test passes if it doesn't alert FAIL and does alert PASS.  
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline' http://127.0.0.1:8000&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del><span class="cx"> PASS Blob worker inherits CSP 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/workers/resources/worker-importScripts-source1.js' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/workers/resources/worker-importScripts-source1.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> This tests that when calling WorkerGlobalScope.importScripts() will two script URLs that the second script is not loaded if the first script URL was blocked by the Content Security Policy of the worker (inherited from this page).
</span><span class="cx"> 
</span><span class="cx"> PASS threw exception Error: NetworkError: DOM Exception 19.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerconnectsrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: &quot;connect-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://127.0.0.1:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: xhr blocked
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerimportscriptsblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> PASS result is &quot;importScripts blocked: Error: NetworkError: DOM Exception 19&quot;
</span><span class="cx"> PASS successfullyParsed is true
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkermultiplecspheadersexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: &quot;connect-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://127.0.0.1:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del><span class="cx"> PASS Worker can have multiple CSP headers 
</span><span class="cx"> 
</span></span></pre></div>
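Review bot: This test covers a worker with multiple CSP headers, yet the added message no longer includes the directive text (connect-src 'none'), so the expected output cannot show which of the policies produced the refusal. Consider keeping the violated directive's value in the message, or at least identifying the policy, when more than one is in force.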
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkersettimeoutblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to evaluate script because it violates the following Content Security Policy directive: &quot;script-src 'self' 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: setTimeout blocked
</span><span class="cx"> 
</span></span></pre></div>
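Review bot: "Refused to execute a script" is the same opening the inline-script refusals use elsewhere in this change, so a string passed to setTimeout is now distinguished only by the trailing 'unsafe-eval' clause. The removed line said "evaluate script"; keeping the verb "evaluate" for the eval-like paths would make the two cases easier to tell apart at a glance.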
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> layer at (0,0) size 800x600
</span><span class="cx">   RenderView at (0,0) size 800x600
</span></span></pre></div>
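Review bot: With the resource type dropped, the added line says style.xsl was refused because it does not appear in script-src, which is surprising for a stylesheet unless the reader already knows XSL is checked against script-src. The removed line called it "the script", which gave that hint; consider retaining the type in the message for this path.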
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslimgblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> Here is an image:  
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,2 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslunaffectedbystylesrc1expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl because it does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> layer at (0,0) size 800x600
</span><span class="cx">   RenderView at (0,0) size 800x600
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspforxhrexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt' because it violates the following Content Security Policy directive: &quot;connect-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt because it does not appear in the connect-src directive of the Content Security Policy.
</ins><span class="cx"> Tests that isolated worlds can have XHRs that the page's CSP wouldn't allow.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldimageloadshouldnotbypassmainworldcspexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,8 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: BLOCKED in main world
</span><del>-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</ins><span class="cx"> ALERT: BLOCKED in isolated world
</span><span class="cx"> CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsinspectordebuggercspexceptionsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/inspector/debugger/csp-exceptions-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/csp-exceptions-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/inspector/debugger/csp-exceptions-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><span class="cx"> CONSOLE MESSAGE: line 11: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'self' 'unsafe-inline'&quot;.
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: line 7: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'none'&quot;.
-
</del><ins>+CONSOLE MESSAGE: line 7: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> Test for the CSP exception handling when pause on all exceptions is enabled.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
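Review bot: The line 7 message moves to the new wording while the unchanged line 11 EvalError message directly above it keeps the old form ("is not an allowed source of script in the following Content Security Policy directive") and still echoes the policy text. Since the stated goal is consistent messages, either convert the EvalError text in the same change or record it as a follow-up so the two styles do not linger side by side.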
<a id="trunkLayoutTestsmediacspblocksvideoexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/media/csp-blocks-video-expected.txt (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/media/csp-blocks-video-expected.txt        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/LayoutTests/media/csp-blocks-video-expected.txt        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,5 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load media from 'test.mp4' because it violates the following Content Security Policy directive: &quot;media-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load test.mp4 because it does not appear in the media-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span><del>-
</del><span class="cx"> END OF TEST
</span><span class="cx"> This test passes if it doesn't alert failure.
</span></span></pre></div>
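Review bot: The added message prints the relative URL test.mp4 without quotes, so "Refused to load test.mp4 because" gives no origin and reads like a bare file name. Consider reporting the resolved absolute URL, as the http tests in this change do, or keeping the quotes around the value.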
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/Source/WebCore/ChangeLog        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -1,3 +1,57 @@
</span><ins>+2016-03-23  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Make violation console messages concise and consistent
+        https://bugs.webkit.org/show_bug.cgi?id=155777
+        &lt;rdar://problem/25304031&gt;
+
+        Reviewed by Darin Adler.
+
+        As a first step towards making the log messages that are emitted by the ContentSecurityPolicy object
+        concise and consistent with the language and formatting used in other WebKit console messages, including
+        other Content Security Policy messages, make the violation error messages concise and consistent.
+        Being concise and consistent will help make it straightforward for a person to understand the reason
+        for the violation by taking advantage of their familiarity with the language and formatting seen in
+        other WebKit console messages.
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::consoleMessageForViolation): Added. Builds up a console message for violation.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowJavaScriptURLs): Extract logic for logging a console message/reporting
+        a violation from ContentSecurityPolicyDirectiveList::checkInlineAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
+        to build the actual console message.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowInlineEventHandlers): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowInlineScript): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowInlineStyle): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowEval): Extract logic for logging a console message/reporting
+        a violation from ContentSecurityPolicyDirectiveList::checkEvalAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
+        to build the actual console message.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowPluginType): Extract logic for logging a console message/reporting
+        a violation from ContentSecurityPolicyDirectiveList::checkMediaTypeAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
+        to build the actual console message.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowScriptFromSource): Extract logic for logging a console message/reporting
+        a violation from ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
+        to build the actual console message.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowObjectFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowChildContextFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowChildFrameFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowImageFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowStyleFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowFontFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowMediaFromSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowConnectToSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowFormAction): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowBaseURI): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowFrameAncestors): Extract logic for logging a console message/reporting
+        a violation from ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation() to here and make use of WebCore::consoleMessageForViolation()
+        to build the actual console message.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Add FIXME comment to log that the frame-src directive is
+        deprecated. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155773&gt; for more details.
+        (WebCore::ContentSecurityPolicyDirectiveList::checkEvalAndReportViolation): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::checkMediaTypeAndReportViolation): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::checkInlineAndReportViolation): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation): Deleted.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+
</ins><span class="cx"> 2016-03-23  Brent Fulgham  &lt;bfulgham@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [WebGL] Non-power-of-two texture optimization
</span></span></pre></div>
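Review bot: The entries for allowPluginType, allowFormAction and allowFrameAncestors describe only an extraction of logic, but the code diff also changes what those messages tell the user: the plugin-types hint about a missing 'type' attribute is removed, and the form-action and frame-ancestors prefixes both become "Refused to load". Recording those wording changes here would let the layout-test rebaselines be audited against intent rather than taken on trust.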
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -32,6 +32,8 @@
</span><span class="cx"> #include &quot;ParsingUtilities.h&quot;
</span><span class="cx"> #include &quot;SecurityContext.h&quot;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><ins>+#include &lt;wtf/Optional.h&gt;
+#include &lt;wtf/text/StringBuilder.h&gt;
</ins><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
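Review bot: wtf/Optional.h is added here, but none of the code added to this file in the hunks shown uses Optional; consoleMessageForViolation only needs StringBuilder. Drop the include unless a later hunk depends on it.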
</span><span class="lines">@@ -190,126 +192,70 @@
</span><span class="cx">     return directive ? directive : m_defaultSrc.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicyDirectiveList::checkEvalAndReportViolation(ContentSecurityPolicySourceListDirective* directive, const String&amp; consoleMessage, const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, JSC::ExecState* state) const
</del><ins>+static String consoleMessageForViolation(const String&amp; effectiveDirective, const URL&amp; blockedURL, bool violatesDefaultSrc, const char* prefix, const char* subject = &quot;it&quot;)
</ins><span class="cx"> {
</span><del>-    if (checkEval(directive))
-        return true;
-
-    String suffix = String();
-    if (directive == m_defaultSrc.get())
-        suffix = &quot; Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.&quot;;
-
-    reportViolation(directive-&gt;text(), scriptSrc, consoleMessage + &quot;\&quot;&quot; + directive-&gt;text() + &quot;\&quot;.&quot; + suffix + &quot;\n&quot;, URL(), contextURL, contextLine, state);
-    if (!m_reportOnly) {
-        m_policy.reportBlockedScriptExecutionToInspector(directive-&gt;text());
-        return false;
</del><ins>+    StringBuilder result;
+    result.append(prefix);
+    if (!blockedURL.isEmpty()) {
+        result.append(' ');
+        result.append(blockedURL.stringCenterEllipsizedToLength());
</ins><span class="cx">     }
</span><del>-    return true;
</del><ins>+    result.appendLiteral(&quot; because &quot;);
+    result.append(subject);
+    if (violatesDefaultSrc) {
+        result.appendLiteral(&quot; appears in neither the &quot;);
+        result.append(effectiveDirective);
+        result.appendLiteral(&quot; directive nor the default-src directive of the Content Security Policy.&quot;);
+    } else {
+        result.appendLiteral(&quot; does not appear in the &quot;);
+        result.append(effectiveDirective);
+        result.appendLiteral(&quot; directive of the Content Security Policy.&quot;);
+    }
+    return result.toString();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicyDirectiveList::checkMediaTypeAndReportViolation(ContentSecurityPolicyMediaListDirective* directive, const String&amp; type, const String&amp; typeAttribute, const String&amp; consoleMessage) const
</del><ins>+bool ContentSecurityPolicyDirectiveList::allowJavaScriptURLs(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
</ins><span class="cx"> {
</span><del>-    if (checkMediaType(directive, type, typeAttribute))
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_scriptSrc.get());
+    if (checkInline(operativeDirective))
</ins><span class="cx">         return true;
</span><del>-
-    String message = makeString(consoleMessage, '\'', directive-&gt;text(), &quot;\'.&quot;);
-    if (typeAttribute.isEmpty())
-        message = message + &quot; When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '&lt;object type=\&quot;[TYPE GOES HERE]\&quot; ...&gt;').&quot;;
-
-    reportViolation(directive-&gt;text(), pluginTypes, message + &quot;\n&quot;, URL());
</del><ins>+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(scriptSrc, URL(), operativeDirective == m_defaultSrc.get(), &quot;Refused to execute a script&quot;, &quot;its hash, its nonce, or 'unsafe-inline'&quot;);
+        reportViolation(operativeDirective-&gt;text(), scriptSrc, consoleMessage, URL(), contextURL, contextLine);
+        if (!m_reportOnly)
+            m_policy.reportBlockedScriptExecutionToInspector(operativeDirective-&gt;text());
+    }
</ins><span class="cx">     return denyIfEnforcingPolicy();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicyDirectiveList::checkInlineAndReportViolation(ContentSecurityPolicySourceListDirective* directive, const String&amp; consoleMessage, const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, bool isScript) const
</del><ins>+bool ContentSecurityPolicyDirectiveList::allowInlineEventHandlers(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
</ins><span class="cx"> {
</span><del>-    if (checkInline(directive))
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_scriptSrc.get());
+    if (checkInline(operativeDirective))
</ins><span class="cx">         return true;
</span><del>-
-    String suffix = String();
-    if (directive == m_defaultSrc.get())
-        suffix = makeString(&quot; Note that '&quot;, (isScript ? &quot;script&quot; : &quot;style&quot;), &quot;-src' was not explicitly set, so 'default-src' is used as a fallback.&quot;);
-
-    reportViolation(directive-&gt;text(), isScript ? scriptSrc : styleSrc, consoleMessage + &quot;\&quot;&quot; + directive-&gt;text() + &quot;\&quot;.&quot; + suffix + &quot;\n&quot;, URL(), contextURL, contextLine);
-
-    if (!m_reportOnly) {
-        if (isScript)
-            m_policy.reportBlockedScriptExecutionToInspector(directive-&gt;text());
-        return false;
</del><ins>+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(scriptSrc, URL(), operativeDirective == m_defaultSrc.get(), &quot;Refused to execute a script&quot;, &quot;its hash, its nonce, or 'unsafe-inline'&quot;);
+        reportViolation(operativeDirective-&gt;text(), scriptSrc, consoleMessage, URL(), contextURL, contextLine);
+        if (!m_reportOnly)
+            m_policy.reportBlockedScriptExecutionToInspector(operativeDirective-&gt;text());
</ins><span class="cx">     }
</span><del>-    return true;
-}
-
-bool ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation(ContentSecurityPolicySourceListDirective* directive, const URL&amp; url, const String&amp; effectiveDirective) const
-{
-    if (checkSource(directive, url))
-        return true;
-
-    const char* prefix;
-    if (baseURI == effectiveDirective)
-        prefix = &quot;Refused to set the document's base URI to '&quot;;
-    else if (childSrc == effectiveDirective)
-        prefix = &quot;Refused to create a child context containing '&quot;;
-    else if (connectSrc == effectiveDirective)
-        prefix = &quot;Refused to connect to '&quot;;
-    else if (fontSrc == effectiveDirective)
-        prefix = &quot;Refused to load the font '&quot;;
-    else if (formAction == effectiveDirective)
-        prefix = &quot;Refused to send form data to '&quot;;
-    else if (frameSrc == effectiveDirective)
-        prefix = &quot;Refused to load frame '&quot;;
-    else if (imgSrc == effectiveDirective)
-        prefix = &quot;Refused to load the image '&quot;;
-    else if (mediaSrc == effectiveDirective)
-        prefix = &quot;Refused to load media from '&quot;;
-    else if (objectSrc == effectiveDirective)
-        prefix = &quot;Refused to load plugin data from '&quot;;
-    else if (scriptSrc == effectiveDirective)
-        prefix = &quot;Refused to load the script '&quot;;
-    else if (styleSrc == effectiveDirective)
-        prefix = &quot;Refused to load the stylesheet '&quot;;
-    else
-        prefix = &quot;&quot;;
-
-    String suffix;
-    if (directive == m_defaultSrc.get())
-        suffix = &quot; Note that '&quot; + effectiveDirective + &quot;' was not explicitly set, so 'default-src' is used as a fallback.&quot;;
-
-    reportViolation(directive-&gt;text(), effectiveDirective, makeString(prefix, url.stringCenterEllipsizedToLength(), &quot;' because it violates the following Content Security Policy directive: \&quot;&quot;, directive-&gt;text(), &quot;\&quot;.&quot;, suffix, '\n'), url);
</del><span class="cx">     return denyIfEnforcingPolicy();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation(ContentSecurityPolicySourceListDirective* directive, const Frame&amp; frame, const URL&amp; url, const String&amp; effectiveDirective) const
</del><ins>+bool ContentSecurityPolicyDirectiveList::allowInlineScript(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
</ins><span class="cx"> {
</span><del>-    if (checkFrameAncestors(directive, frame))
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_scriptSrc.get());
+    if (checkInline(operativeDirective))
</ins><span class="cx">         return true;
</span><del>-    reportViolation(directive-&gt;text(), effectiveDirective, makeString(&quot;Refused to display '&quot;, url.stringCenterEllipsizedToLength(), &quot;' in a frame because an ancestor violates the following Content Security Policy directive: \&quot;&quot;, directive-&gt;text(), &quot;\&quot;.&quot;, '\n'), url);
</del><ins>+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(scriptSrc, URL(), operativeDirective == m_defaultSrc.get(), &quot;Refused to execute a script&quot;, &quot;its hash, its nonce, or 'unsafe-inline'&quot;);
+        reportViolation(operativeDirective-&gt;text(), scriptSrc, consoleMessage, URL(), contextURL, contextLine);
+        if (!m_reportOnly)
+            m_policy.reportBlockedScriptExecutionToInspector(operativeDirective-&gt;text());
+    }
</ins><span class="cx">     return denyIfEnforcingPolicy();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicyDirectiveList::allowJavaScriptURLs(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
-{
-    static NeverDestroyed&lt;String&gt; consoleMessage(ASCIILiteral(&quot;Refused to execute JavaScript URL because it violates the following Content Security Policy directive: &quot;));
-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
-    return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
-}
-
-bool ContentSecurityPolicyDirectiveList::allowInlineEventHandlers(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
-{
-    static NeverDestroyed&lt;String&gt; consoleMessage(ASCIILiteral(&quot;Refused to execute inline event handler because it violates the following Content Security Policy directive: &quot;));
-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
-    return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
-}
-
-bool ContentSecurityPolicyDirectiveList::allowInlineScript(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
-{
-    static NeverDestroyed&lt;String&gt; consoleMessage(ASCIILiteral(&quot;Refused to execute inline script because it violates the following Content Security Policy directive: &quot;));
-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
-    return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
-}
-
</del><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowInlineScriptWithHash(const ContentSecurityPolicyHash&amp; hash) const
</span><span class="cx"> {
</span><span class="cx">     return checkHash(operativeDirective(m_scriptSrc.get()), hash);
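Review bot: allowJavaScriptURLs, allowInlineEventHandlers and allowInlineScript now have identical bodies and all emit "Refused to execute a script", where the removed messages distinguished a JavaScript URL, an inline event handler and an inline script. That distinction tells a policy author which markup to fix, so a single static helper taking the prefix would remove the triplication and let each caller keep a specific prefix. Separately, the local named operativeDirective shadows the member function, which is why every call needs this-&gt;; a name such as directive would avoid that.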
</span><span class="lines">@@ -322,10 +268,14 @@
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowInlineStyle(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    static NeverDestroyed&lt;String&gt; consoleMessage(ASCIILiteral(&quot;Refused to apply inline style because it violates the following Content Security Policy directive: &quot;));
-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine, false);
-    return m_reportOnly || checkInline(operativeDirective(m_styleSrc.get()));
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_styleSrc.get());
+    if (checkInline(operativeDirective))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(styleSrc, URL(), operativeDirective == m_defaultSrc.get(), &quot;Refused to apply a stylesheet&quot;, &quot;its hash, its nonce, or 'unsafe-inline'&quot;);
+        reportViolation(operativeDirective-&gt;text(), styleSrc, consoleMessage, URL(), contextURL, contextLine);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowInlineStyleWithHash(const ContentSecurityPolicyHash&amp; hash) const
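Review bot: The prefix "Refused to apply a stylesheet" in allowInlineStyle replaces "Refused to apply inline style", yet the check is still checkInline against style-src and no URL is passed, so the console line names neither the resource nor the fact that it was inline. Keeping "inline" in the prefix would say what was actually blocked.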
</span><span class="lines">@@ -340,40 +290,67 @@
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowEval(JSC::ExecState* state, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    static NeverDestroyed&lt;String&gt; consoleMessage(ASCIILiteral(&quot;Refused to evaluate script because it violates the following Content Security Policy directive: &quot;));
-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state);
-    return m_reportOnly || checkEval(operativeDirective(m_scriptSrc.get()));
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_scriptSrc.get());
+    if (checkEval(operativeDirective))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(scriptSrc, URL(), operativeDirective == m_defaultSrc.get(), &quot;Refused to execute a script&quot;, &quot;'unsafe-eval'&quot;);
+        // FIXME: Query JSC::ExecState for source file, line and column information.
+        reportViolation(operativeDirective-&gt;text(), scriptSrc, consoleMessage, URL(), String(), WTF::OrdinalNumber::beforeFirst(), state);
+        if (!m_reportOnly)
+            m_policy.reportBlockedScriptExecutionToInspector(operativeDirective-&gt;text());
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowPluginType(const String&amp; type, const String&amp; typeAttribute, const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribute, &quot;Refused to load '&quot; + url.stringCenterEllipsizedToLength() + &quot;' (MIME type '&quot; + typeAttribute + &quot;') because it violates the following Content Security Policy Directive: &quot;);
-    return m_reportOnly || checkMediaType(m_pluginTypes.get(), type, typeAttribute);
</del><ins>+    if (checkMediaType(m_pluginTypes.get(), type, typeAttribute))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        bool violatesDefaultSrc = false;
+        String consoleMessage = consoleMessageForViolation(pluginTypes, url, violatesDefaultSrc, &quot;Refused to load&quot;, &quot;its MIME type&quot;);
+        reportViolation(m_pluginTypes-&gt;text(), pluginTypes, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowScriptFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, scriptSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_scriptSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_scriptSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(scriptSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), scriptSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowObjectFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx">     if (url.isBlankURL())
</span><span class="cx">         return true;
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, objectSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_objectSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_objectSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(objectSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), objectSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowChildContextFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_childSrc.get()), url, childSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_childSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_childSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(childSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), childSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowChildFrameFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
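Review bot: In allowPluginType the new message says "its MIME type" is missing from plugin-types but never prints the type, and the removed branch for an empty typeAttribute (the hint that the element needs an explicit 'type' attribute) has no replacement. A plugin blocked for lacking a type attribute now gets a message pointing at a MIME type the author never declared; consider including typeAttribute in the message and keeping a short form of the hint when typeAttribute.isEmpty().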
</span><span class="lines">@@ -383,66 +360,110 @@
</span><span class="cx"> 
</span><span class="cx">     // We must enforce the frame-src directive (if specified) before enforcing the child-src directive for a nested browsing
</span><span class="cx">     // context by &lt;https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested&gt; (29 August 2015).
</span><del>-    ContentSecurityPolicySourceListDirective* directiveToEnforce = operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(directiveToEnforce, url, frameSrc);
-    return m_reportOnly || checkSource(directiveToEnforce, url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(frameSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), frameSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowImageFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, imgSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_imgSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_imgSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(imgSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), imgSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowStyleFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, styleSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_styleSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_styleSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(styleSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), styleSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowFontFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, fontSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_fontSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_fontSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(fontSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), fontSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowMediaFromSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, mediaSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_mediaSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_mediaSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(mediaSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to load&quot;);
+        reportViolation(operativeDirective-&gt;text(), mediaSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowConnectToSource(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, connectSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_connectSrc.get()), url);
</del><ins>+    ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_connectSrc.get());
+    if (checkSource(operativeDirective, url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        String consoleMessage = consoleMessageForViolation(connectSrc, url, operativeDirective == m_defaultSrc.get(), &quot;Refused to connect to&quot;);
+        reportViolation(operativeDirective-&gt;text(), connectSrc, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowFormAction(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(m_formAction.get(), url, formAction);
-    return m_reportOnly || checkSource(m_formAction.get(), url);
</del><ins>+    if (checkSource(m_formAction.get(), url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        bool violatesDefaultSrc = false;
+        String consoleMessage = consoleMessageForViolation(formAction, url, violatesDefaultSrc, &quot;Refused to load&quot;);
+        reportViolation(m_formAction-&gt;text(), formAction, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowBaseURI(const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkSourceAndReportViolation(m_baseURI.get(), url, baseURI);
-    return m_reportOnly || checkSource(m_baseURI.get(), url);
</del><ins>+    if (checkSource(m_baseURI.get(), url))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        bool violatesDefaultSrc = false;
+        String consoleMessage = consoleMessageForViolation(baseURI, url, violatesDefaultSrc, &quot;Refused to change the document base URL to&quot;);
+        reportViolation(m_baseURI-&gt;text(), baseURI, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowFrameAncestors(const Frame&amp; frame, const URL&amp; url, ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><del>-    if (reportingStatus == ReportingStatus::SendReport)
-        return checkFrameAncestorsAndReportViolation(m_frameAncestors.get(), frame, url, frameAncestors);
-    return m_reportOnly || checkFrameAncestors(m_frameAncestors.get(), frame);
</del><ins>+    if (checkFrameAncestors(m_frameAncestors.get(), frame))
+        return true;
+    if (reportingStatus == ReportingStatus::SendReport) {
+        bool violatesDefaultSrc = false;
+        String consoleMessage = consoleMessageForViolation(frameAncestors, url, violatesDefaultSrc, &quot;Refused to load&quot;);
+        reportViolation(m_frameAncestors-&gt;text(), frameAncestors, consoleMessage, url);
+    }
+    return denyIfEnforcingPolicy();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // policy            = directive-list
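Review bot: in allowFormAction, allowBaseURI and allowFrameAncestors the failure path dereferences the directive (m_formAction-&gt;text(), m_baseURI-&gt;text(), m_frameAncestors-&gt;text()) with no null check, and allowConnectToSource does the same with operativeDirective-&gt;text(). This is safe only if checkSource() and checkFrameAncestors() return true when handed a null directive, and that invariant is not visible in these functions. An ASSERT on the pointer before reportViolation(), or a one-line comment stating the invariant, would keep a later change to the check helpers from turning a missing directive into a null dereference. Separately, in allowConnectToSource the local named operativeDirective shadows the member function and forces the this-&gt;operativeDirective(...) spelling; a different local name would avoid that.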
</span><span class="lines">@@ -651,9 +672,11 @@
</span><span class="cx">         m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrc-&gt;hashAlgorithmsUsed());
</span><span class="cx">     } else if (equalLettersIgnoringASCIICase(name, objectSrc))
</span><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_objectSrc);
</span><del>-    else if (equalLettersIgnoringASCIICase(name, frameSrc))
</del><ins>+    else if (equalLettersIgnoringASCIICase(name, frameSrc)) {
+        // FIXME: Log to console &quot;The frame-src directive is deprecated. Use the child-src directive instead.&quot;
+        // See &lt;https://bugs.webkit.org/show_bug.cgi?id=155773&gt;.
</ins><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_frameSrc);
</span><del>-    else if (equalLettersIgnoringASCIICase(name, imgSrc))
</del><ins>+    } else if (equalLettersIgnoringASCIICase(name, imgSrc))
</ins><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_imgSrc);
</span><span class="cx">     else if (equalLettersIgnoringASCIICase(name, fontSrc))
</span><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_fontSrc);
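Review bot: the FIXME added in the frame-src branch records the deprecation only in a source comment, so a policy that still uses frame-src is parsed into m_frameSrc with no console message until bug 155773 is resolved. If that is the intended interim behaviour, the comment should say so. The braces make this the only braced branch in the else-if chain; they are there for the comment and should be removed together with the FIXME.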
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (198590 => 198591)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-03-23 20:08:47 UTC (rev 198590)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-03-23 20:58:40 UTC (rev 198591)
</span><span class="lines">@@ -100,13 +100,6 @@
</span><span class="cx"> 
</span><span class="cx">     void setEvalDisabledErrorMessage(const String&amp; errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
</span><span class="cx"> 
</span><del>-    bool checkEvalAndReportViolation(ContentSecurityPolicySourceListDirective*, const String&amp; consoleMessage, const String&amp; contextURL = String(), const WTF::OrdinalNumber&amp; contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
-    bool checkInlineAndReportViolation(ContentSecurityPolicySourceListDirective*, const String&amp; consoleMessage, const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, bool isScript) const;
-
-    bool checkSourceAndReportViolation(ContentSecurityPolicySourceListDirective*, const URL&amp;, const String&amp; effectiveDirective) const;
-    bool checkFrameAncestorsAndReportViolation(ContentSecurityPolicySourceListDirective*, const Frame&amp;, const URL&amp;, const String&amp; effectiveDirective) const;
-    bool checkMediaTypeAndReportViolation(ContentSecurityPolicyMediaListDirective*, const String&amp; type, const String&amp; typeAttribute, const String&amp; consoleMessage) const;
-
</del><span class="cx">     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
</span><span class="cx"> 
</span><span class="cx">     // FIXME: Make this a const reference once we teach applySandboxPolicy() to store its policy as opposed to applying it directly onto ContentSecurityPolicy.
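Review bot: denyIfEnforcingPolicy() returns m_reportOnly, so it yields true (allow) for a report-only policy and false for an enforced one, which is easy to misread from the name. With the check...AndReportViolation declarations removed in this hunk, the allow* functions changed in the .cpp now end in "return denyIfEnforcingPolicy();", so a short comment on the return value next to this inline definition would make those call sites easier to audit.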
</span></span></pre>
</div>
</div>

</body>
</html>