<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[259902] branches/safari-609-branch</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/259902">259902</a></dd>
<dt>Author</dt> <dd>alancoon@apple.com</dd>
<dt>Date</dt> <dd>2020-04-10 14:23:42 -0700 (Fri, 10 Apr 2020)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/259829">r259829</a>. rdar://problem/61596883

    Remove legacy X-WebKit-CSP header support
    https://bugs.webkit.org/show_bug.cgi?id=210256
    Source/WebCore:

    <rdar://problem/60634363>

    Reviewed by Geoffrey Garen.

    Supporting this header causes compatibility issues for some sites
    and they appear to be misconfigured. Additionally, no other
    browser has supported these headers in many years. This patch
    removes all support for the legacy X-WebKit-CSP header.

    * dom/Document.cpp:
    (WebCore::Document::processHttpEquiv):
    * page/csp/ContentSecurityPolicyDirectiveList.cpp:
    (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList):
    * page/csp/ContentSecurityPolicyResponseHeaders.cpp:
    (WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders):
    * page/csp/ContentSecurityPolicyResponseHeaders.h:
    * platform/network/HTTPHeaderNames.in:
    * platform/network/ResourceResponseBase.cpp:
    (WebCore::isSafeCrossOriginResponseHeader):

    LayoutTests:

    Reviewed by Geoffrey Garen.

    Fix tests so they ensure we don't respect legacy CSP headers anymore.

    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html:
    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html:
    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259829 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari609branchLayoutTestsChangeLog">branches/safari-609-branch/LayoutTests/ChangeLog</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcblockedexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcblockedhtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcgetblockedexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcgetblockedhtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcjavascriptblockedexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcjavascriptblockedhtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedhtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceblockedexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceblockedhtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceinvalidnonceexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceinvalidnoncehtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyphp">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicy2expectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicy2php">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyphp">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2php">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyphp">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicy2expectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicy2php">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyphp">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2php">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedhtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt</a></li>
<li><a href="#branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnoncehtml">branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html</a></li>
<li><a href="#branchessafari609branchSourceWebCoreChangeLog">branches/safari-609-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari609branchSourceWebCoredomDocumentcpp">branches/safari-609-branch/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#branchessafari609branchSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#branchessafari609branchSourceWebCorepagecspContentSecurityPolicyResponseHeaderscpp">branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp</a></li>
<li><a href="#branchessafari609branchSourceWebCorepagecspContentSecurityPolicyResponseHeadersh">branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h</a></li>
<li><a href="#branchessafari609branchSourceWebCoreplatformnetworkHTTPHeaderNamesin">branches/safari-609-branch/Source/WebCore/platform/network/HTTPHeaderNames.in</a></li>
<li><a href="#branchessafari609branchSourceWebCoreplatformnetworkResourceResponseBasecpp">branches/safari-609-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari609branchLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/ChangeLog (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/ChangeLog 2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/ChangeLog    2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,3 +1,119 @@
</span><ins>+2020-04-10  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r259829. rdar://problem/61596883
+
+    Remove legacy X-WebKit-CSP header support
+    https://bugs.webkit.org/show_bug.cgi?id=210256
+    Source/WebCore:
+    
+    <rdar://problem/60634363>
+    
+    Reviewed by Geoffrey Garen.
+    
+    Supporting this header is causes compatibly issues for some sites
+    and they appear to be misconfigured. Additionally, no other
+    browser has supported these headers in many years. This patch
+    removes all support for the legacy X-WebKit-CSP header.
+    
+    * dom/Document.cpp:
+    (WebCore::Document::processHttpEquiv):
+    * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+    (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList):
+    * page/csp/ContentSecurityPolicyResponseHeaders.cpp:
+    (WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders):
+    * page/csp/ContentSecurityPolicyResponseHeaders.h:
+    * platform/network/HTTPHeaderNames.in:
+    * platform/network/ResourceResponseBase.cpp:
+    (WebCore::isSafeCrossOriginResponseHeader):
+    
+    LayoutTests:
+    
+    Reviewed by Geoffrey Garen.
+    
+    Fix tests so they ensure we don't respect legacy CSP headers anymore.
+    
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259829 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-04-09  Keith Miller  <keith_miller@apple.com>
+
+            Remove legacy X-WebKit-CSP header support
+            https://bugs.webkit.org/show_bug.cgi?id=210256
+
+            Reviewed by Geoffrey Garen.
+
+            Fix tests so they ensure we don't respect legacy CSP headers anymore.
+
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html:
+            * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html:
+            * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
+
</ins><span class="cx"> 2020-04-10  Ryan Haddad  <ryanhaddad@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Cherry-pick r255832. rdar://problem/61601064
</span></span></pre></div>
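Review bot: the ChangeLog entry added in this hunk names scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt and scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php, but neither file appears under Modified Paths for this revision, which lists only the "-legacy-" variants. Either the cherry-pick dropped those two changes or the entry is stale; reconcile the list with what actually landed on the branch. The entry also carries over "is causes compatibly issues" from the trunk message, and the "Cherry-pick r259829" line is indented deeper than the body beneath it.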
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt        2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt   2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,7 +1,10 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
-  
-Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</del><ins>+This page was requested with the HTTP method POST.
</ins><span class="cx"> 
</span><ins>+Parameters:
+
+fieldname = fieldvalue
+
</ins><span class="cx"> ============== Back Forward List ==============
</span><del>-curr->  http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/form-action-src-blocked.html  **nav target**
</del><ins>+        http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/form-action-src-blocked.html  **nav target**
+curr->  http://127.0.0.1:8000/navigation/resources/form-target.pl  **nav target**
</ins><span class="cx"> ===============================================
</span></span></pre></div>
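Review bot: in the new expectation, a test still named form-action-src-blocked passes only when the POST goes through ("This page was requested with the HTTP method POST."), and the "Refused to load" console message is removed, so nothing in this file asserts form-action enforcement any more. Rename the test so it says it checks that the legacy header is ignored, and confirm that a sibling test still covers form-action blocking under the standard Content-Security-Policy header, otherwise this change silently drops that coverage.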
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcblockedhtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html        2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html   2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -25,6 +25,10 @@
</span><span class="cx">         <input type='submit' id='submit' value='submit'>
</span><span class="cx">     </form>
</span><span class="cx"> 
</span><del>-    <p>Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.</p>
</del><ins>+    <p>
+    Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
+
+    Update: Since we no longer support X-WebKit-CSP all the form should be submitted.
+    </p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
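Review bot: The added paragraph keeps the old pass criterion ("you will see a console error, and will not see a page indicating a form was POSTed") and then appends an update that says the opposite, so the description contradicts itself. Replace the first sentence instead of appending to it, and change "all the form should be submitted" to "the form should be submitted", the wording used in the sibling tests.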
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcgetblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,7 +1,9 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/form-target.pl?fieldname=fieldvalue because it does not appear in the form-action directive of the Content Security Policy.
-  
-Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</del><ins>+This page was requested with the HTTP method GET.
</ins><span class="cx"> 
</span><ins>+Parameters:
+
+fieldname = fieldvalue
+
</ins><span class="cx"> ============== Back Forward List ==============
</span><del>-curr->  http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html  **nav target**
</del><ins>+curr->  http://127.0.0.1:8000/navigation/resources/form-target.pl?fieldname=fieldvalue  **nav target**
</ins><span class="cx"> ===============================================
</span></span></pre></div>
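Review bot: The new back-forward list has a single entry, with curr on form-target.pl?fieldname=fieldvalue, whereas the POST variant of this baseline lists the test page first and form-target.pl second. If the GET submission is expected to replace the test page's history entry rather than add one, say so in the ChangeLog; otherwise this baseline may be recording an unintended difference between the two variants.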
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcgetblockedhtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -23,6 +23,10 @@
</span><span class="cx">         <input type='submit' id='submit' value='submit'>
</span><span class="cx">     </form>
</span><span class="cx"> 
</span><del>-    <p>Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.</p>
</del><ins>+    <p>
+    Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
+
+    Update: Since we no longer support X-WebKit-CSP the form should be submitted.
+    </p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
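Review bot: The sentence kept in the new paragraph still says the test passes when you "will not see a page indicating a form was POSTed", but this is the GET variant and its new baseline expects "This page was requested with the HTTP method GET." Rewrite the description to state the current expectation (the form is submitted with GET and the target page is shown) rather than appending an update to the stale text.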
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcjavascriptblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to load javascript:alert("FAIL!") because it does not appear in the form-action directive of the Content Security Policy.
</del><ins>+ALERT: RAN CODE CORRECTLY!
</ins><span class="cx">   
</span><del>-Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a JavaScript alert.
</del><ins>+Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a JavaScript alert. Update: Since we no longer support X-WebKit-CSP the form should be submitted.
</ins><span class="cx"> 
</span><span class="cx"> ============== Back Forward List ==============
</span><span class="cx"> curr->  http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html  **nav target**
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcjavascriptblockedhtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -20,11 +20,15 @@
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-    <form action='javascript:alert("FAIL!")' id='theform' method='post'>
</del><ins>+    <form action='javascript:alert("RAN CODE CORRECTLY!")' id='theform' method='post'>
</ins><span class="cx">         <input type='text' name='fieldname' value='fieldvalue'>
</span><span class="cx">         <input type='submit' id='submit' value='submit'>
</span><span class="cx">     </form>
</span><span class="cx"> 
</span><del>-    <p>Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a JavaScript alert.</p>
</del><ins>+    <p>
+    Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a JavaScript alert.
+
+    Update: Since we no longer support X-WebKit-CSP the form should be submitted.
+    </p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
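Review bot: The update text "the form should be submitted" does not describe what this test now checks: the form action is a javascript: URL, and the pass signal is the alert "RAN CODE CORRECTLY!" firing. The retained sentence also still says you "will not see a JavaScript alert". Replace both with one statement that the alert is expected because the X-WebKit-CSP header is ignored.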
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,7 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
-  
-Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</del><ins>+This page was requested with the HTTP method GET.
</ins><span class="cx"> 
</span><del>-============== Back Forward List ==============
-curr->  http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html  **nav target**
-===============================================
</del><ins>+Parameters:
+
+
</ins></span></pre></div>
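Review bot: This baseline drops the Back Forward List block entirely and shows method GET with an empty Parameters section, unlike the other form-action baselines in this change, which keep the list and show fieldname = fieldvalue. Please confirm that the missing list and the lost form field are expected results of the redirect to the localhost:8000 target named in the removed console message, and not a sign that the test now finishes at a different point.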
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedhtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -25,6 +25,10 @@
</span><span class="cx">         <input type='submit' id='submit' value='submit'>
</span><span class="cx">     </form>
</span><span class="cx"> 
</span><del>-    <p>Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.</p>
</del><ins>+    <p>
+    Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
+
+    Update: Since we no longer support X-WebKit-CSP the form should be submitted.
+    </p>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,6 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-Only the first two of these scripts should execute even though there are parse errors in the policy.
</del><ins>+Only the first two of these scripts should execute even though there are parse errors in the policy. Update: Since we no longer support X-WebKit-CSP all the scripts should run.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
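Review bot: The two removed "Refused to load ... resources/script.js" messages were this baseline's only evidence that a script was rejected under a script-src policy; after the change the file records no blocking at all. The retained sentence "Only the first two of these scripts should execute" also now sits next to "all the scripts should run", which contradicts it. If the rejection cases are still covered by a test that uses the Content-Security-Policy header, reference it in the ChangeLog; otherwise port these cases rather than inverting them.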
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceblockedhtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -7,8 +7,8 @@
</span><span class="cx">     ['yes', 'script-src 127.0.0.1:8000', 'resources/script.js', 'nonce'],
</span><span class="cx">     ['yes', 'script-src 127.0.0.1:8000 \'nonce-nonce\'', 'resources/script.js', 'nonce'],
</span><span class="cx">     ['yes', 'script-src 127.0.0.1:8000 \'nonce-base64has+and/characters\'', 'resources/script.js', 'base64has+and/characters'],
</span><del>-    ['no', 'script-src \'nonce-nonce\'', 'resources/script.js', 'notnonce'],
-    ['no', 'script-src \'nonce-notnonce\'', 'resources/script.js', 'nonce'],
</del><ins>+    ['yes', 'script-src \'nonce-nonce\'', 'resources/script.js', 'notnonce'],
+    ['yes', 'script-src \'nonce-notnonce\'', 'resources/script.js', 'nonce'],
</ins><span class="cx"> ];
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="lines">@@ -15,4 +15,6 @@
</span><span class="cx"> <body onload="testExperimentalPolicy()">
</span><span class="cx">   <p>
</span><span class="cx">     Only the first two of these scripts should execute even though there are parse errors in the policy.
</span><ins>+
+    Update: Since we no longer support X-WebKit-CSP all the scripts should run.
</ins><span class="cx">   </p>
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceinvalidnonceexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt        2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt   2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,26 +1,4 @@
</span><del>-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''n'. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce'. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'spaces''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-{}''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-/\''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-None of these scripts should execute, as all the nonces are invalid.
</del><ins>+None of these scripts should execute, as all the nonces are invalid. Update: Since we no longer support X-WebKit-CSP all the scripts should run.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
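Review bot: All of the removed "contains an invalid source: ... It will be ignored." lines were checks on how the source-list parser reports malformed nonce expressions, and nothing in the new baseline replaces them. Confirm that the same malformed values are exercised against the standard header elsewhere, since this file no longer verifies either the diagnostics or the blocking.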
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11modulescriptnonceinvalidnoncehtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html        2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html   2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -4,16 +4,16 @@
</span><span class="cx"> <script src='../resources/multiple-iframe-module-test.js'></script>
</span><span class="cx"> <script>
</span><span class="cx"> var tests = [
</span><del>-    ['no', 'script-src \'n', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-\'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-', 'resources/script.js', ''],
-    ['no', 'script-src nonce-abcd', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce- \'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-     \'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce- nonces have no spaces\'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-{}\'', 'resources/script.js', '{}'],
-    ['no', 'script-src \'nonce-/\\\'', 'resources/script.js', '/\\'],
</del><ins>+    ['yes', 'script-src \'n', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-\'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-', 'resources/script.js', ''],
+    ['yes', 'script-src nonce-abcd', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce- \'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-     \'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce- nonces have no spaces\'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-{}\'', 'resources/script.js', '{}'],
+    ['yes', 'script-src \'nonce-/\\\'', 'resources/script.js', '/\\'],
</ins><span class="cx"> ];
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="lines">@@ -20,4 +20,6 @@
</span><span class="cx"> <body onload="testExperimentalPolicy()">
</span><span class="cx">     <p>
</span><span class="cx">         None of these scripts should execute, as all the nonces are invalid.
</span><ins>+
+        Update: Since we no longer support X-WebKit-CSP all the scripts should run.
</ins><span class="cx">     </p>
</span></span></pre></div>
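Review bot: The added update line leaves "None of these scripts should execute, as all the nonces are invalid." in place directly above it, so the paragraph states two opposite expectations. Since the body still runs testExperimentalPolicy() on load and every row above was switched to 'yes', the file now only shows that the unsupported header is ignored; say that in the description, and consider trimming the ten rows to one or two.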
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,18 +1,3 @@
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
</span><del>-CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-PASS did not execute script.
-
-
-
---------
-Frame: '<!--frame1-->'
---------
-CSP report received:
-CONTENT_TYPE: application/csp-report
-HTTP_HOST: 127.0.0.1:8000
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
-REQUEST_METHOD: POST
-REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
-=== POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","blocked-uri":"","status-code":200}}
</del><ins>+CONSOLE MESSAGE: line 11: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+PASS did execute script.
</ins></span></pre></div>
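Review bot: The new baseline expects a "[Report Only] Refused to execute a script" message at line 11 in a test whose name says the script is allowed by the report policy, and it no longer contains the "CSP report received" frame dump. The matching .php change defers the report check pending bug 159830; please state in the ChangeLog whether the [Report Only] console line is part of that known issue, so this baseline is not later read as the intended behaviour.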
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyphp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -6,17 +6,17 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <script nonce="dump-as-text">
</span><del>-if (window.testRunner) {
</del><ins>+if (window.testRunner)
</ins><span class="cx">     testRunner.dumpAsText();
</span><del>-    testRunner.dumpChildFramesAsText();
-}
</del><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script>
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><ins>+<!-- Call testRunner.dumpChildFramesAsText() and load
</ins><span class="cx"> <iframe src="../resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php"></iframe>
</span><ins>+once we fix reporting of nonce violations for report-only policies. See <https://bugs.webkit.org/show_bug.cgi?id=159830>. -->
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
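Review bot: The iframe is disabled by opening an HTML comment on the line before it and closing the comment on the line after, so the note and the markup read as one run-on sentence and the element can be re-enabled by accident when either comment line is edited. Put the TODO in a self-contained comment with the bug URL and keep the iframe in its own commented block, or remove the iframe until the bug is fixed. The file name also still says blocked-by-legacy-enforced-policy although the body now treats script execution as PASS.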
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
</span><del>-CONSOLE MESSAGE: line 12: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-PASS did not execute script.
</del><ins>+CONSOLE MESSAGE: line 12: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+PASS did execute script.
</ins></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicy2php"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -11,9 +11,9 @@
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script>
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 13: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><del>-CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-PASS did not execute script.
</del><ins>+PASS did execute script.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyphp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -13,9 +13,9 @@
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script>
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><span class="cx"> <iframe src="../resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php"></iframe>
</span><span class="cx"> </body>
</span></span></pre></div>
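Review bot: The file name still says "blocked-by-legacy-enforced-policy", but after swapping the PASS and FAIL strings on the "result" paragraph and in the inline script, this test passes only when the script runs. Nothing in the visible lines tells a later reader that the legacy policy is now expected to be ignored. Either rename the test or add a one-line note beside the result paragraph, as the "Update:" sentence does in scriptnonce-blocked.html.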
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 14: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><del>-CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-PASS did not execute script.
</del><ins>+PASS did execute script.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2php"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -13,9 +13,9 @@
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script>
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><span class="cx"> <iframe src="../resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php"></iframe>
</span><span class="cx"> </body>
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,19 +1,2 @@
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
</span><del>-CONSOLE MESSAGE: line 13: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-PASS did not execute script.
-
-
-
---------
-Frame: '<!--frame1-->'
---------
-CSP report received:
-CONTENT_TYPE: application/csp-report
-HTTP_HOST: 127.0.0.1:8000
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
-REQUEST_METHOD: POST
-REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
-=== POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","blocked-uri":"","status-code":200}}
</del><ins>+PASS did execute script.
</ins></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyphp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -6,17 +6,17 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <script nonce="dump-as-text">
</span><del>-if (window.testRunner) {
</del><ins>+if (window.testRunner)
</ins><span class="cx">     testRunner.dumpAsText();
</span><del>-    testRunner.dumpChildFramesAsText();
-}
</del><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script nonce="dummy">
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><ins>+<!-- Call testRunner.dumpChildFramesAsText() and load
</ins><span class="cx"> <iframe src="../resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php"></iframe>
</span><ins>+once we fix reporting of nonce violations for report-only policies. See <https://bugs.webkit.org/show_bug.cgi?id=159830>. -->
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
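Review bot: The TODO wrapped around the iframe ties re-enabling it to bug 159830 (reporting of nonce violations for report-only policies), and that does not seem to fit this file. The script carries nonce="dummy", and the remaining console message in the expected result names the report-only policy as script-src 'nonce-dummy' 'nonce-dump-as-text' with no report-uri, so that policy allows the script and has nowhere to send a report. The report that used to be dumped listed original-policy "script-src 'nonce-dump-as-text'; report-uri ...", which is a different policy. If no report can arrive once the legacy header is ignored, delete the iframe rather than parking it inside a comment.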
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,4 +1,2 @@
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
</span><del>-CONSOLE MESSAGE: line 12: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: line 12: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-PASS did not execute script.
</del><ins>+PASS did execute script.
</ins></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicy2php"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -11,9 +11,9 @@
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script nonce="dummy">
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,17 +1 @@
</span><del>-CONSOLE MESSAGE: line 13: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: line 13: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-PASS did not execute script.
-
-
-
---------
-Frame: '<!--frame1-->'
---------
-CSP report received:
-CONTENT_TYPE: application/csp-report
-HTTP_HOST: 127.0.0.1:8000
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
-REQUEST_METHOD: POST
-REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
-=== POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</del><ins>+PASS did execute script.
</ins></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyphp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -6,17 +6,17 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <script nonce="dump-as-text">
</span><del>-if (window.testRunner) {
</del><ins>+if (window.testRunner)
</ins><span class="cx">     testRunner.dumpAsText();
</span><del>-    testRunner.dumpChildFramesAsText();
-}
</del><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script nonce="dummy">
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><ins>+<!-- Call testRunner.dumpChildFramesAsText() and load
</ins><span class="cx"> <iframe src="../resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php"></iframe>
</span><ins>+once we fix reporting of nonce violations for report-only policies. See <https://bugs.webkit.org/show_bug.cgi?id=159830>. -->
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
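Review bot: The TODO marks only the iframe in the body, while the matching removal of testRunner.dumpChildFramesAsText() in the head script has no marker, so restoring report coverage takes two edits and only one is flagged. The HTML comment is also opened on one added line and closed on another around an unchanged line, which is easy to half-revert. Consider putting a short TODO with the same bug link next to the testRunner.dumpAsText() call as well. Until then this test checks script execution only, and the report-only violation for nonce "dummy" is not asserted anywhere in it.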
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,17 +1 @@
</span><del>-CONSOLE MESSAGE: line 14: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-PASS did not execute script.
-
-
-
---------
-Frame: '<!--frame1-->'
---------
-CSP report received:
-CONTENT_TYPE: application/csp-report
-HTTP_HOST: 127.0.0.1:8000
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
-REQUEST_METHOD: POST
-REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
-=== POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php","referrer":"","violated-directive":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</del><ins>+PASS did execute script.
</ins></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2php"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php     2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php        2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -6,17 +6,17 @@
</span><span class="cx"> <head>
</span><span class="cx"> <meta http-equiv="X-WebKit-CSP" content="script-src 'nonce-dump-as-text'">
</span><span class="cx"> <script nonce="dump-as-text">
</span><del>-if (window.testRunner) {
</del><ins>+if (window.testRunner)
</ins><span class="cx">     testRunner.dumpAsText();
</span><del>-    testRunner.dumpChildFramesAsText();
-}
</del><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>-<p id="result">PASS did not execute script.</p>
</del><ins>+<p id="result">FAIL did not execute script.</p>
</ins><span class="cx"> <script nonce="dummy">
</span><del>-document.getElementById("result").textContent = "FAIL did execute script.";
</del><ins>+document.getElementById("result").textContent = "PASS did execute script.";
</ins><span class="cx"> </script>
</span><ins>+<!-- Call testRunner.dumpChildFramesAsText() and load
</ins><span class="cx"> <iframe src="../resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php"></iframe>
</span><ins>+once we fix reporting of nonce violations for report-only policies. See <https://bugs.webkit.org/show_bug.cgi?id=159830>. -->
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
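Review bot: The unchanged meta http-equiv="X-WebKit-CSP" element at the top of this hunk is now the only thing that makes this a regression test for "legacy header is ignored", and nothing says it was kept on purpose. Add a brief comment beside it so it is not removed later as dead markup. Also note that the iframe now inside the comment requests the report for "...-blocked-by-report-policy.php" although this file is "...-blocked-by-report-policy2.php"; worth confirming that is intended before the iframe is re-enabled.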
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,6 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-Only the first two of these scripts should execute even though there are parse errors in the policy.
</del><ins>+Only the first two of these scripts should execute even though there are parse errors in the policy. Update: Since we no longer support X-WebKit-CSP all the scripts should be executed.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedhtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -7,8 +7,8 @@
</span><span class="cx">     ['yes', 'script-src 127.0.0.1:8000', 'resources/script.js', 'nonce'],
</span><span class="cx">     ['yes', 'script-src 127.0.0.1:8000 \'nonce-nonce\'', 'resources/script.js', 'nonce'],
</span><span class="cx">     ['yes', 'script-src 127.0.0.1:8000 \'nonce-base64has+and/characters\'', 'resources/script.js', 'base64has+and/characters'],
</span><del>-    ['no', 'script-src \'nonce-nonce\'', 'resources/script.js', 'notnonce'],
-    ['no', 'script-src \'nonce-notnonce\'', 'resources/script.js', 'nonce'],
</del><ins>+    ['yes', 'script-src \'nonce-nonce\'', 'resources/script.js', 'notnonce'],
+    ['yes', 'script-src \'nonce-notnonce\'', 'resources/script.js', 'nonce'],
</ins><span class="cx"> ];
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><span class="lines">@@ -15,4 +15,6 @@
</span><span class="cx"> <body onload="testExperimentalPolicy()">
</span><span class="cx">   <p>
</span><span class="cx">     Only the first two of these scripts should execute even though there are parse errors in the policy.
</span><ins>+
+    Update: Since we no longer support X-WebKit-CSP all the scripts should be executed.
</ins><span class="cx">   </p>
</span></span></pre></div>
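Review bot: In the second hunk the description paragraph now contradicts itself: the original sentence "Only the first two of these scripts should execute" stays, and the appended "Update:" line says all scripts should be executed. Because the first hunk flips the last two table rows from 'no' to 'yes', the old sentence is simply wrong for this file now. Replace it rather than appending to it, so the paragraph (and the expected text generated from it) states one expectation.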
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,26 +1,4 @@
</span><del>-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''n'. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce'. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'spaces''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-{}''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-/\''. It will be ignored.
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
-None of these scripts should execute, as all the nonces are invalid.
</del><ins>+None of these scripts should execute, as all the nonces are invalid. Update: Since we no longer support X-WebKit-CSP all the scripts should be executed.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
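Review bot: The removed "contains an invalid source: ... It will be ignored." console messages were this test's record that malformed nonce sources such as 'nonce-' and 'nonce-{}' are rejected by the source-list parser, and the new expected result contains no console output at all. Inverting the expectation keeps the file green but drops that parser coverage. If these cases are not already exercised through the standard Content-Security-Policy header, port them there instead of only rebaselining, and say in the change description which test now covers them.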
<a id="branchessafari609branchLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnoncehtml"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -4,16 +4,16 @@
</span><span class="cx"> <script src='../resources/multiple-iframe-test.js'></script>
</span><span class="cx"> <script>
</span><span class="cx"> var tests = [
</span><del>-    ['no', 'script-src \'n', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-\'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-', 'resources/script.js', ''],
-    ['no', 'script-src nonce-abcd', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce- \'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-     \'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce- nonces have no spaces\'', 'resources/script.js', ''],
-    ['no', 'script-src \'nonce-{}\'', 'resources/script.js', '{}'],
-    ['no', 'script-src \'nonce-/\\\'', 'resources/script.js', '/\\'],
</del><ins>+    ['yes', 'script-src \'n', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-\'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-', 'resources/script.js', ''],
+    ['yes', 'script-src nonce-abcd', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce- \'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-     \'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce- nonces have no spaces\'', 'resources/script.js', ''],
+    ['yes', 'script-src \'nonce-{}\'', 'resources/script.js', '{}'],
+    ['yes', 'script-src \'nonce-/\\\'', 'resources/script.js', '/\\'],
</ins><span class="cx"> ];
</span><span class="cx"> </script>
</span><span class="cx"> </head>
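Review bot: flipping every entry in the tests array from 'no' to 'yes' means this file no longer checks that malformed nonce sources such as 'nonce-' or 'nonce- ' are rejected; it only checks that a policy delivered through testExperimentalPolicy() is ignored. Unless another test already covers them, keep these ten malformed-nonce cases with 'no' expectations in a variant that delivers the policy through the standard Content-Security-Policy header, so invalid-nonce parsing stays under test.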
</span><span class="lines">@@ -20,4 +20,6 @@
</span><span class="cx"> <body onload="testExperimentalPolicy()">
</span><span class="cx">   <p>
</span><span class="cx">       None of these scripts should execute, as all the nonces are invalid.
</span><ins>+
+      Update: Since we no longer support X-WebKit-CSP all the scripts should be executed.
</ins><span class="cx">   </p>
</span></span></pre></div>
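Review bot: the paragraph in the body now carries two contradictory statements, the original "None of these scripts should execute, as all the nonces are invalid." and the appended "Update: ... all the scripts should be executed." Replace the first sentence instead of appending to it, and consider renaming the test, since "invalidnonce" no longer describes what it verifies.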
<a id="branchessafari609branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/ChangeLog      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -1,5 +1,101 @@
</span><span class="cx"> 2020-04-10  Alan Coon  <alancoon@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r259829. rdar://problem/61596883
+
+    Remove legacy X-WebKit-CSP header support
+    https://bugs.webkit.org/show_bug.cgi?id=210256
+    Source/WebCore:
+    
+    <rdar://problem/60634363>
+    
+    Reviewed by Geoffrey Garen.
+    
+    Supporting this header is causes compatibly issues for some sites
+    and they appear to be misconfigured. Additionally, no other
+    browser has supported these headers in many years. This patch
+    removes all support for the legacy X-WebKit-CSP header.
+    
+    * dom/Document.cpp:
+    (WebCore::Document::processHttpEquiv):
+    * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+    (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList):
+    * page/csp/ContentSecurityPolicyResponseHeaders.cpp:
+    (WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders):
+    * page/csp/ContentSecurityPolicyResponseHeaders.h:
+    * platform/network/HTTPHeaderNames.in:
+    * platform/network/ResourceResponseBase.cpp:
+    (WebCore::isSafeCrossOriginResponseHeader):
+    
+    LayoutTests:
+    
+    Reviewed by Geoffrey Garen.
+    
+    Fix tests so they ensure we don't respect legacy CSP headers anymore.
+    
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-invalidnonce.html:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt:
+    * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259829 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-04-09  Keith Miller  <keith_miller@apple.com>
+
+            Remove legacy X-WebKit-CSP header support
+            https://bugs.webkit.org/show_bug.cgi?id=210256
+            <rdar://problem/60634363>
+
+            Reviewed by Geoffrey Garen.
+
+            Supporting this header is causes compatibly issues for some sites
+            and they appear to be misconfigured. Additionally, no other
+            browser has supported these headers in many years. This patch
+            removes all support for the legacy X-WebKit-CSP header.
+
+            * dom/Document.cpp:
+            (WebCore::Document::processHttpEquiv):
+            * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+            (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList):
+            * page/csp/ContentSecurityPolicyResponseHeaders.cpp:
+            (WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders):
+            * page/csp/ContentSecurityPolicyResponseHeaders.h:
+            * platform/network/HTTPHeaderNames.in:
+            * platform/network/ResourceResponseBase.cpp:
+            (WebCore::isSafeCrossOriginResponseHeader):
+
+2020-04-10  Alan Coon  <alancoon@apple.com>
+
</ins><span class="cx">         Cherry-pick r259798. rdar://problem/61596876
</span><span class="cx"> 
</span><span class="cx">     Use more WeakPtr in RenderTreeBuilder::FirstLetter
</span></span></pre></div>
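Review bot: the rationale in the added entry ("Supporting this header is causes compatibly issues") does not say what changes for a site that sends only X-WebKit-CSP. After this patch such a site runs with no policy enforced, which the updated LayoutTests confirm by expecting every script to execute. State that consequence in the entry so site owners can move to the standard Content-Security-Policy header, and correct the wording ("is causes", "compatibly") in the trunk entry.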
<a id="branchessafari609branchSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/dom/Document.cpp (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/dom/Document.cpp       2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/dom/Document.cpp  2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -3631,11 +3631,6 @@
</span><span class="cx">             contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Enforce, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta, referrer(), httpStatusCode);
</span><span class="cx">         break;
</span><span class="cx"> 
</span><del>-    case HTTPHeaderName::XWebKitCSP:
-        if (isInDocumentHead)
-            contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedEnforce, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta, referrer(), httpStatusCode);
-        break;
-
</del><span class="cx">     default:
</span><span class="cx">         break;
</span><span class="cx">     }
</span></span></pre></div>
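Review bot: with the HTTPHeaderName::XWebKitCSP case removed from processHttpEquiv, a policy supplied through a meta http-equiv element under the legacy name falls through to default and is dropped without any signal to the page author. Consider emitting a console message when the legacy name is seen, so that a policy which silently stopped applying is easy to spot.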
<a id="branchessafari609branchSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp   2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -117,8 +117,8 @@
</span><span class="cx"> ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList(ContentSecurityPolicy& policy, ContentSecurityPolicyHeaderType type)
</span><span class="cx">     : m_policy(policy)
</span><span class="cx">     , m_headerType(type)
</span><ins>+    , m_reportOnly(type == ContentSecurityPolicyHeaderType::Report)
</ins><span class="cx"> {
</span><del>-    m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicyDirectiveList> ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom from)
</span></span></pre></div>
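Review bot: m_reportOnly now sits in the member initializer list after m_headerType, so confirm the declaration order in the class matches, otherwise compilers warn about initializer reordering. The value is computed from the constructor parameter type rather than from m_headerType, so the result is correct either way. The now-empty constructor body could be collapsed onto one line.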
<a id="branchessafari609branchSourceWebCorepagecspContentSecurityPolicyResponseHeaderscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -41,14 +41,6 @@
</span><span class="cx">     if (!policyValue.isEmpty())
</span><span class="cx">         m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::Report });
</span><span class="cx"> 
</span><del>-    policyValue = response.httpHeaderField(HTTPHeaderName::XWebKitCSP);
-    if (!policyValue.isEmpty())
-        m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::PrefixedEnforce });
-
-    policyValue = response.httpHeaderField(HTTPHeaderName::XWebKitCSPReportOnly);
-    if (!policyValue.isEmpty())
-        m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::PrefixedReport });
-
</del><span class="cx">     m_httpStatusCode = response.httpStatusCode();
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
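Review bot: dropping the HTTPHeaderName::XWebKitCSPReportOnly lookup also stops violation reporting for sites that deployed only the legacy report-only header, yet none of the test names listed in the ChangeLog mention a legacy report-only policy; the legacy ones all say "legacy-enforced". Add a test that a response carrying only X-WebKit-CSP-Report-Only is ignored, so this half of the removal is covered too.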
<a id="branchessafari609branchSourceWebCorepagecspContentSecurityPolicyResponseHeadersh"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h        2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h   2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -36,8 +36,6 @@
</span><span class="cx"> enum class ContentSecurityPolicyHeaderType {
</span><span class="cx">     Report,
</span><span class="cx">     Enforce,
</span><del>-    PrefixedReport,
-    PrefixedEnforce,
</del><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> class ContentSecurityPolicyResponseHeaders {
</span></span></pre></div>
<a id="branchessafari609branchSourceWebCoreplatformnetworkHTTPHeaderNamesin"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/platform/network/HTTPHeaderNames.in (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/platform/network/HTTPHeaderNames.in    2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/platform/network/HTTPHeaderNames.in       2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -102,8 +102,6 @@
</span><span class="cx"> X-DNS-Prefetch-Control
</span><span class="cx"> X-Frame-Options
</span><span class="cx"> X-SourceMap
</span><del>-X-WebKit-CSP
-X-WebKit-CSP-Report-Only
</del><span class="cx"> X-XSS-Protection
</span><span class="cx"> X-Temp-Tablet
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari609branchSourceWebCoreplatformnetworkResourceResponseBasecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-609-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp (259901 => 259902)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-609-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp      2020-04-10 21:23:19 UTC (rev 259901)
+++ branches/safari-609-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp 2020-04-10 21:23:42 UTC (rev 259902)
</span><span class="lines">@@ -432,8 +432,6 @@
</span><span class="cx">         || name == HTTPHeaderName::XContentTypeOptions
</span><span class="cx">         || name == HTTPHeaderName::XDNSPrefetchControl
</span><span class="cx">         || name == HTTPHeaderName::XFrameOptions
</span><del>-        || name == HTTPHeaderName::XWebKitCSP
-        || name == HTTPHeaderName::XWebKitCSPReportOnly
</del><span class="cx">         || name == HTTPHeaderName::XXSSProtection;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre>
</div>
</div>

</body>
</html>