Ahem.ttf |
|
12480 |
browser.toml |
|
942 |
browser_manifest-src-override-default-src.js |
Description of the tests:
Tests check that default-src can be overridden by manifest-src.
|
3805 |
browser_pdfjs_not_subject_to_csp.js |
|
1632 |
browser_test_bookmarklets.js |
Test Description:
1 - Load a Page with CSP script-src: none
2 - Create a bookmarklet with javascript:window.open('about:blank')
3 - Select and enter the bookmarklet
A new tab with about:blank should be opened
|
2316 |
browser_test_uir_optional_clicks.js |
|
918 |
browser_test_web_manifest.js |
Description of the tests:
These tests check for conformance to the CSP spec as they relate to Web Manifests.
In particular, the tests check that default-src and manifest-src directives are
are respected by the ManifestObtainer.
|
7769 |
browser_test_web_manifest_mixed_content.js |
Description of the test:
Check that mixed content blocker works prevents fetches of
mixed content manifests.
|
1555 |
dummy.pdf |
|
150611 |
File |
|
0 |
file_allow_https_schemes.html |
Bug 826805 - CSP: Allow http and https for scheme-less sources |
481 |
file_base_uri_server.sjs |
|
1599 |
file_blob_data_schemes.html |
Bug 1086999 - Wildcard should not match blob:, data: |
1434 |
file_blob_top_nav_block_modals.html |
|
546 |
|
|
47 |
file_blob_uri_blocks_modals.html |
|
1029 |
|
|
47 |
file_block_all_mcb.sjs |
|
2435 |
file_block_all_mixed_content_frame_navigation1.html |
Bug 1122236 - CSP: Implement block-all-mixed-content |
592 |
file_block_all_mixed_content_frame_navigation2.html |
Bug 1122236 - CSP: Implement block-all-mixed-content |
330 |
file_blocked_uri_in_violation_event_after_redirects.html |
Bug 1542194 - Check blockedURI in violation reports after redirects |
1319 |
file_blocked_uri_in_violation_event_after_redirects.sjs |
|
1502 |
file_blocked_uri_redirect_frame_src.html |
Bug 1687342 - Check blocked-uri in csp-reports after frame redirect |
338 |
|
|
98 |
file_blocked_uri_redirect_frame_src_server.sjs |
|
485 |
file_bug663567.xsl |
|
773 |
file_bug663567_allows.xml |
Empire Burlesque |
673 |
|
|
44 |
file_bug663567_blocks.xml |
Empire Burlesque |
673 |
|
|
51 |
file_bug802872.html |
Bug 802872 |
344 |
|
|
44 |
file_bug802872.js |
The policy for this test is:
Content-Security-Policy: default-src 'self'
|
1340 |
file_bug802872.sjs |
|
257 |
file_bug836922_npolicies.html |
|
394 |
|
|
353 |
file_bug836922_npolicies_ro_violation.sjs |
|
1609 |
file_bug836922_npolicies_violation.sjs |
|
1675 |
file_bug885433_allows.html |
|
1299 |
|
|
41 |
file_bug885433_blocks.html |
|
1262 |
|
|
45 |
file_bug886164.html |
|
561 |
|
|
44 |
file_bug886164_2.html |
|
434 |
|
|
44 |
file_bug886164_3.html |
|
398 |
|
|
44 |
file_bug886164_4.html |
|
398 |
|
|
44 |
file_bug886164_5.html |
|
1139 |
|
|
61 |
file_bug886164_6.html |
|
1392 |
|
|
61 |
file_bug888172.html |
|
932 |
file_bug888172.sjs |
|
1546 |
file_bug909029_none.html |
|
644 |
|
|
75 |
file_bug909029_star.html |
|
595 |
|
|
69 |
file_bug910139.sjs |
|
1615 |
file_bug910139.xml |
Empire Burlesque |
645 |
file_bug910139.xsl |
|
747 |
file_bug941404.html |
|
790 |
file_bug941404_xhr.html |
|
72 |
|
|
74 |
file_bug1229639.html |
|
195 |
|
|
114 |
file_bug1312272.html |
marquee inline script tests for Bug 1312272 |
408 |
|
|
67 |
file_bug1312272.js |
|
242 |
file_bug1452037.html |
|
265 |
file_bug1505412.sjs |
|
1376 |
file_bug1505412_frame.html |
Bug 1505412 CSP-RO reports violations in inline-scripts with nonce |
363 |
|
|
104 |
file_bug1505412_reporter.sjs |
|
501 |
file_bug1738418_child.html |
|
203 |
file_bug1738418_parent.html |
|
204 |
|
|
48 |
file_bug1764343.html |
Bug 1764343 - CSP inheritance for same-origin iframes |
316 |
file_bug1777572.html |
|
1388 |
file_child-src_iframe.html |
Bug 1045891 |
1973 |
file_child-src_inner_frame.html |
Bug 1045891 |
534 |
file_child-src_service_worker.html |
Bug 1045891 |
965 |
file_child-src_service_worker.js |
|
67 |
file_child-src_shared_worker-redirect.html |
Bug 1045891 |
1314 |
file_child-src_shared_worker.html |
Bug 1045891 |
988 |
file_child-src_shared_worker.js |
|
161 |
file_child-src_shared_worker_data.html |
Bug 1045891 |
1138 |
file_child-src_worker-redirect.html |
Bug 1045891 |
1362 |
file_child-src_worker.html |
Bug 1045891 |
1010 |
file_child-src_worker.js |
|
55 |
file_child-src_worker_data.html |
Bug 1045891 |
1004 |
file_connect-src-fetch.html |
Bug 1139667 - Test mapping of fetch() to connect-src |
428 |
file_connect-src.html |
Bug 1031530 - Test mapping of XMLHttpRequest to connect-src |
553 |
file_CSP.css |
Moved this CSS from an inline stylesheet to an external file when we added
inline-style blocking in bug 763879.
This test may hang if the load for this .css file is blocked due to a
malfunction of CSP, but should pass if the style_good test passes.
|
701 |
file_CSP.sjs |
|
628 |
file_csp_error_messages.html |
|
598 |
file_csp_frame_ancestors_about_blank.html |
Helper file for Bug 1668071 - CSP frame-ancestors in about:blank |
180 |
|
|
119 |
file_csp_meta_uir.html |
Hello World |
332 |
file_data-uri_blocked.html |
Test for Bug 587377 |
23998 |
|
|
92 |
file_data_csp_inheritance.html |
Bug 1381761 - Treating 'data:' documents as unique, opaque origins should still inherit the CSP |
807 |
file_data_csp_merge.html |
Bug 1386183 - Meta CSP on data: URI iframe should be merged with toplevel CSP |
920 |
file_data_doc_ignore_meta_csp.html |
Bug 1382869: data document should ignore meta csp |
646 |
file_doccomment_meta.html |
Bug 663570 - Test doc.write(meta csp) |
843 |
file_docwrite_meta.css |
|
45 |
file_docwrite_meta.html |
Bug 663570 - Test doc.write(meta csp) |
833 |
file_docwrite_meta.js |
|
165 |
file_dual_header_testserver.sjs |
Custom sjs file serving a test page using *two* CSP policies.
See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
|
1459 |
file_dummy_pixel.png |
|
70 |
file_empty_directive.html |
Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none" |
337 |
|
|
27 |
file_evalscript_main.html |
CSP eval script tests |
200 |
|
|
68 |
file_evalscript_main.js |
eslint-disable no-eval |
6926 |
file_evalscript_main_allowed.html |
CSP eval script tests |
208 |
|
|
102 |
file_evalscript_main_allowed.js |
eslint-disable no-eval |
4624 |
file_fontloader.sjs |
|
1467 |
file_fontloader.woff |
|
11140 |
file_form-action.html |
Bug 529697 - Test mapping of form submission to form-action |
374 |
file_form_action_server.sjs |
|
930 |
file_frame_ancestors_ro.html |
|
41 |
|
|
103 |
file_frame_src.js |
|
402 |
file_frame_src_child_governs.html |
|
256 |
file_frame_src_frame_governs.html |
|
274 |
file_frame_src_inner.html |
|
43 |
file_frameancestors.sjs |
|
2419 |
file_frameancestors_main.html |
CSP frame ancestors tests |
1293 |
file_frameancestors_main.js |
.... two-level framing |
3673 |
file_frameancestors_userpass.html |
CSP frame ancestors tests |
406 |
file_frameancestors_userpass_frame_a.html |
Nested frame |
380 |
file_frameancestors_userpass_frame_b.html |
Nested frame |
376 |
file_frameancestors_userpass_frame_c.html |
Nested frame |
100 |
|
|
106 |
file_frameancestors_userpass_frame_d.html |
Nested frame |
100 |
|
|
124 |
file_hash_source.html |
|
4224 |
|
|
832 |
file_iframe_parent_location_js.html |
Test setting parent location to javascript: |
179 |
file_iframe_sandbox_document_write.html |
|
640 |
file_iframe_sandbox_srcdoc.html |
Bug 1073952 - CSP should restrict scripts in srcdoc iframe even if sandboxed |
324 |
|
|
40 |
file_iframe_srcdoc.sjs |
|
2115 |
file_ignore_unsafe_inline.html |
Bug 1004703 - ignore 'unsafe-inline' if nonce- or hash-source specified |
701 |
file_ignore_unsafe_inline_multiple_policies_server.sjs |
|
1936 |
file_ignore_xfo.html |
Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists |
229 |
|
|
110 |
file_image_document_pixel.png |
|
70 |
|
|
89 |
file_image_nonce.html |
Bug 1355801: Nonce should not apply to images |
1444 |
|
|
70 |
file_independent_iframe_csp.html |
Bug 1419222 - iFrame CSP should not affect parent document CSP |
1503 |
file_inlinescript.html |
CSP inline script tests |
482 |
file_inlinestyle_main.html |
CSP inline script tests |
3132 |
|
|
104 |
file_inlinestyle_main_allowed.html |
CSP inline script tests |
3427 |
|
|
139 |
file_invalid_source_expression.html |
Bug 1086612 - CSP: Let source expression be the empty set in case no valid source can be parsed |
420 |
file_leading_wildcard.html |
Bug 1032303 - CSP - Keep FULL STOP when matching *.foo.com to disallow loads from foo.com |
461 |
file_link_rel_preload.html |
Bug 1599791 - Test link rel=preload |
713 |
file_main.html |
|
2671 |
|
|
85 |
file_main.js |
|
718 |
file_meta_element.html |
Bug 663570 - Implement Content Security Policy via meta tag |
920 |
file_meta_header_dual.sjs |
load image without any CSP |
3111 |
file_meta_whitespace_skipping.html |
Bug 1261634 - Update whitespace skipping for meta csp |
1004 |
file_multi_policy_injection_bypass.html |
|
612 |
|
|
59 |
file_multi_policy_injection_bypass_2.html |
|
616 |
|
|
65 |
file_multipart_testserver.sjs |
|
4594 |
file_no_log_ignore_xfo.html |
Bug 1722252: "Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning message even when no "x-frame-options" header present |
357 |
|
|
88 |
file_nonce_redirector.sjs |
|
783 |
file_nonce_redirects.html |
Bug 1469150:Scripts with valid nonce get blocked if URL redirects |
724 |
file_nonce_snapshot.sjs |
|
1502 |
file_nonce_source.html |
|
4265 |
|
|
166 |
file_null_baseuri.html |
Bug 1121857 - document.baseURI should not get blocked if baseURI is null |
796 |
file_object_inherit.html |
Bug 1457100: Test OBJECT inherits CSP if needed |
640 |
file_parent_location_js.html |
Test setting parent location to javascript: |
543 |
file_path_matching.html |
Bug 808292 - Implement path-level host-source matching to CSP |
287 |
file_path_matching.js |
|
58 |
file_path_matching_incl_query.html |
Bug 1147026 - CSP should ignore query string when checking a resource load |
304 |
file_path_matching_redirect.html |
Bug 808292 - Implement path-level host-source matching to CSP |
294 |
file_path_matching_redirect_server.sjs |
|
459 |
file_pdfjs_not_subject_to_csp.html |
|
646 |
file_ping.html |
Bug 1100181 - CSP: Enforce connect-src when submitting pings |
519 |
file_policyuri_regression_from_multipolicy.html |
|
207 |
|
|
127 |
file_policyuri_regression_from_multipolicy_policy |
|
20 |
file_punycode_host_src.js |
|
76 |
file_punycode_host_src.sjs |
|
1533 |
file_redirect_content.sjs |
|
1587 |
file_redirect_report.sjs |
|
660 |
file_redirect_worker.sjs |
|
965 |
file_redirects_main.html |
CSP redirect tests |
1226 |
file_redirects_page.sjs |
|
4166 |
file_redirects_resource.sjs |
|
5598 |
file_report.html |
Bug 1033424 - Test csp-report properties |
296 |
file_report_chromescript.js |
eslint-env mozilla/chrome-script |
2068 |
file_report_font_cache-1.html |
|
710 |
file_report_font_cache-2.html |
|
732 |
|
|
84 |
file_report_for_import.css |
|
108 |
file_report_for_import.html |
Bug 1048048 - Test sending csp-report when using import in css |
298 |
file_report_for_import_server.sjs |
|
1601 |
file_report_uri_missing_in_report_only_header.html |
|
0 |
|
|
57 |
file_ro_ignore_xfo.html |
Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists |
231 |
|
|
122 |
file_sandbox_1.html |
|
571 |
file_sandbox_2.html |
|
551 |
file_sandbox_3.html |
|
496 |
file_sandbox_4.html |
|
464 |
file_sandbox_5.html |
|
1145 |
file_sandbox_6.html |
|
1441 |
file_sandbox_7.html |
|
557 |
file_sandbox_8.html |
|
539 |
file_sandbox_9.html |
|
482 |
file_sandbox_10.html |
|
466 |
file_sandbox_11.html |
|
1138 |
file_sandbox_12.html |
|
1601 |
file_sandbox_13.html |
|
1138 |
file_sandbox_allow_scripts.html |
Bug 1396320: Fix CSP sandbox regression for allow-scripts |
276 |
|
|
48 |
file_sandbox_fail.js |
|
188 |
file_sandbox_pass.js |
|
183 |
file_scheme_relative_sources.js |
|
58 |
file_scheme_relative_sources.sjs |
Custom *.sjs specifically for the needs of
Bug 921493 - CSP: test allowlisting of scheme-relative sources
|
1319 |
file_script_template.html |
|
379 |
file_script_template.js |
|
19 |
file_self_none_as_hostname_confusion.html |
Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none" |
337 |
|
|
50 |
file_sendbeacon.html |
Bug 1234813 - sendBeacon should not throw if blocked by Content Policy |
545 |
file_service_worker.html |
Bug 1208559 - ServiceWorker registration not governed by CSP |
509 |
file_service_worker.js |
|
38 |
file_spawn_service_worker.js |
|
14 |
file_spawn_shared_worker.js |
|
179 |
file_spawn_worker.js |
|
36 |
file_strict_dynamic.js |
|
58 |
file_strict_dynamic_default_src.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
552 |
file_strict_dynamic_default_src.js |
|
58 |
file_strict_dynamic_js_url.html |
Bug 1316826 - 'strict-dynamic' blocking DOM event handlers |
350 |
file_strict_dynamic_non_parser_inserted.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
437 |
file_strict_dynamic_non_parser_inserted_inline.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
379 |
file_strict_dynamic_parser_inserted_doc_write.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
367 |
file_strict_dynamic_parser_inserted_doc_write_correct_nonce.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
399 |
file_strict_dynamic_script_events.html |
Bug 1316826 - 'strict-dynamic' blocking DOM event handlers |
302 |
file_strict_dynamic_script_events_marquee.html |
Bug 1316826 - 'strict-dynamic' blocking DOM event handlers |
274 |
file_strict_dynamic_script_extern.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
262 |
file_strict_dynamic_script_inline.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
249 |
file_strict_dynamic_unsafe_eval.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
296 |
file_subframe_run_js_if_allowed.html |
|
410 |
|
|
67 |
file_svg_inline_style_base.html |
|
158 |
file_svg_inline_style_csp.html |
|
231 |
file_svg_inline_style_server.sjs |
|
1146 |
file_svg_srcset_inline_style_base.html |
|
161 |
file_svg_srcset_inline_style_csp.html |
|
234 |
file_test_browser_bookmarklets.html |
Document |
285 |
|
|
67 |
file_testserver.sjs |
|
1950 |
file_uir_top_nav.html |
|
451 |
file_uir_top_nav_dummy.html |
|
291 |
file_upgrade_insecure.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
3667 |
file_upgrade_insecure_cors.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
1359 |
file_upgrade_insecure_cors_server.sjs |
|
2001 |
file_upgrade_insecure_docwrite_iframe.sjs |
|
1566 |
file_upgrade_insecure_loopback.html |
Bug 1447784 - Implement CSP upgrade-insecure-requests directive |
594 |
file_upgrade_insecure_loopback_form.html |
Bug 1661423 - don't apply upgrade-insecure-requests on form submissions to localhost |
362 |
file_upgrade_insecure_loopback_server.sjs |
|
806 |
file_upgrade_insecure_meta.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
3483 |
file_upgrade_insecure_navigation.sjs |
|
2291 |
file_upgrade_insecure_navigation_redirect.sjs |
|
1383 |
file_upgrade_insecure_navigation_redirect_cross_origin.html |
|
281 |
file_upgrade_insecure_navigation_redirect_same_origin.html |
|
280 |
file_upgrade_insecure_report_only.html |
Bug 1832249 - Consider report-only flag when upgrading insecure requests |
1042 |
file_upgrade_insecure_report_only_server.sjs |
|
3869 |
file_upgrade_insecure_reporting.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
654 |
file_upgrade_insecure_reporting_server.sjs |
|
2961 |
file_upgrade_insecure_server.sjs |
|
3408 |
file_upgrade_insecure_wsh.py |
|
103 |
file_web_manifest.html |
|
148 |
file_web_manifest.json |
|
21 |
|
|
47 |
file_web_manifest_https.html |
|
191 |
file_web_manifest_https.json |
|
21 |
file_web_manifest_mixed_content.html |
|
364 |
file_web_manifest_remote.html |
|
333 |
file_websocket_csp_upgrade.html |
Bug 1729897: Allow unsecure websocket from localhost page with CSP: upgrade-insecure |
714 |
file_websocket_explicit.html |
Bug 1345615: Allow websocket schemes when using 'self' in CSP |
1100 |
file_websocket_self.html |
Bug 1345615: Allow websocket schemes when using 'self' in CSP |
1087 |
file_websocket_self_wsh.py |
|
109 |
file_win_open_blocked.html |
|
70 |
file_windowwatcher_frameA.html |
|
529 |
file_windowwatcher_subframeB.html |
|
225 |
file_windowwatcher_subframeC.html |
|
154 |
file_windowwatcher_subframeD.html |
|
57 |
file_windowwatcher_win_open.html |
|
216 |
file_worker_src.js |
|
1558 |
file_worker_src_child_governs.html |
|
260 |
file_worker_src_script_governs.html |
|
249 |
file_worker_src_worker_governs.html |
|
279 |
file_xslt_inherits_csp.xml |
|
154 |
|
|
67 |
file_xslt_inherits_csp.xsl |
|
819 |
main_csp_worker.html |
Bug 1475849: Test CSP worker inheritance |
13783 |
|
|
66 |
mochitest.toml |
|
19360 |
referrerdirective.sjs |
|
1029 |
test_301_redirect.html |
Test for Bug 650386 |
2356 |
test_302_redirect.html |
Test for Bug 650386 |
2356 |
test_303_redirect.html |
Test for Bug 650386 |
2356 |
test_307_redirect.html |
Test for Bug 650386 |
2357 |
test_allow_https_schemes.html |
Bug 826805 - Allow http and https for scheme-less sources |
2370 |
test_base-uri.html |
Bug 1045897 - Test CSP base-uri directive |
3769 |
test_blob_data_schemes.html |
Bug 1086999 - Wildcard should not match blob:, data: |
2386 |
test_blob_uri_blocks_modals.html |
Bug 1432170 - Block alert box and new window open as per the sandbox
allow-scripts CSP |
2206 |
test_block_all_mixed_content.html |
Bug 1122236 - CSP: Implement block-all-mixed-content |
2808 |
test_block_all_mixed_content_frame_navigation.html |
Bug 1122236 - CSP: Implement block-all-mixed-content |
1410 |
test_blocked_uri_in_reports.html |
Bug 1069762 - Check blocked-uri in csp-reports after redirect |
2772 |
test_blocked_uri_in_violation_event_after_redirects.html |
Bug 1542194 - Check blockedURI in violation reports after redirects |
1589 |
test_blocked_uri_redirect_frame_src.html |
Bug 1687342 - Check blocked-uri in csp-reports after frame redirect |
1738 |
test_bug663567.html |
Test if XSLT stylesheet is subject to document's CSP |
2430 |
test_bug802872.html |
Bug 802872 |
1576 |
test_bug836922_npolicies.html |
Test for Content Security Policy multiple policy support (regular and Report-Only mode) |
8041 |
test_bug885433.html |
Test for Content Security Policy inline stylesheets stuff |
2410 |
test_bug886164.html |
Bug 886164 - Enforce CSP in sandboxed iframe |
5073 |
test_bug888172.html |
Bug 888172 - CSP 1.0 does not process 'unsafe-inline' or 'unsafe-eval' for default-src |
3092 |
test_bug909029.html |
Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src) |
4848 |
test_bug910139.html |
CSP should block XSLT as script, not as style |
2279 |
test_bug941404.html |
Bug 941404 - Data documents should not set CSP |
2964 |
test_bug1229639.html |
Bug 1229639 - Percent encoded CSP path matching. |
1511 |
test_bug1242019.html |
Test for Bug 1242019 |
1476 |
test_bug1312272.html |
Test for bug 1312272 |
819 |
test_bug1388015.html |
Bug 1388015 - Test if Firefox respect Port in Wildcard Host |
1697 |
test_bug1452037.html |
Test if "script-src: sha-... " Allowlists "javascript:" URIs |
1229 |
test_bug1505412.html |
Bug 1505412 CSP-RO reports violations in inline-scripts with nonce |
1779 |
test_bug1579094.html |
Test if Wildcard CSP supports ExternalProtocol |
939 |
test_bug1738418.html |
Bug 1738418: CSP sandbox for embed/object frames |
768 |
test_bug1764343.html |
Bug 1764343 - CSP inheritance for same-origin iframes |
4020 |
test_bug1777572.html |
bug 1777572 |
1100 |
test_child-src_iframe.html |
Bug 1045891 |
3240 |
test_child-src_worker-redirect.html |
Bug 1045891 |
4729 |
test_child-src_worker.html |
Bug 1045891 |
5425 |
test_child-src_worker_data.html |
Bug 1045891 |
4569 |
test_connect-src.html |
Bug 1031530 and Bug 1139667 - Test mapping of XMLHttpRequest and fetch() to connect-src |
4141 |
test_CSP.html |
Test for Content Security Policy Connections |
4173 |
test_csp_error_messages.html |
Test some specialized CSP errors |
2007 |
test_csp_frame_ancestors_about_blank.html |
Bug 1668071 - CSP frame-ancestors in about:blank |
1961 |
test_csp_style_src_empty_hash.html |
Bug 1609122 - Empty Style Element with valid style-src hash |
942 |
test_csp_worker_inheritance.html |
Test for Bug 1475849 |
510 |
test_data_csp_inheritance.html |
Bug 1381761 - Treating 'data:' documents as unique, opaque origins should still inherit the CSP |
1150 |
test_data_csp_merge.html |
Bug 1386183 - Meta CSP on data: URI iframe should be merged with toplevel CSP |
1203 |
test_data_doc_ignore_meta_csp.html |
Bug 1382869: data document should ignore meta csp |
1271 |
test_docwrite_meta.html |
Bug 663570 - Implement Content Security Policy via meta tag |
3297 |
test_dual_header.html |
Bug 1036399 - Multiple CSP policies should be combined towards an intersection |
2016 |
test_empty_directive.html |
Test for Bug 1439425 |
1230 |
test_evalscript.html |
Test for Content Security Policy "no eval" base restriction |
1822 |
test_evalscript_allowed_by_strict_dynamic.html |
Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled
|
927 |
test_evalscript_blocked_by_strict_dynamic.html |
Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled
|
899 |
test_fontloader.html |
Bug 1122236 - CSP: Implement block-all-mixed-content |
3157 |
test_form-action.html |
Bug 529697 - Test mapping of form submission to form-action |
3039 |
test_form_action_blocks_url.html |
Bug 1251043 - Test form-action blocks URL |
2744 |
test_frame_ancestors_ro.html |
Test for frame-ancestors support in Content-Security-Policy-Report-Only |
2277 |
test_frame_src.html |
Bug 1302667 - Test frame-src |
2296 |
test_frameancestors.html |
Test for Content Security Policy Frame Ancestors directive |
5796 |
test_frameancestors_userpass.html |
Test for Userpass in Frame Ancestors directive |
4889 |
test_hash_source.html |
Test CSP 1.1 hash-source for inline scripts and styles |
4602 |
test_iframe_sandbox.html |
Tests for Bug 671389 |
7840 |
test_iframe_sandbox_srcdoc.html |
Bug 1073952 - CSP should restrict scripts in srcdoc iframe even if sandboxed |
1908 |
test_iframe_sandbox_top_1.html |
Tests for Bug 671389 |
2665 |
|
|
77 |
test_iframe_srcdoc.html |
Bug 1073952 - Test CSP enforcement within iframe srcdoc |
4863 |
test_ignore_unsafe_inline.html |
Bug 1004703 - ignore 'unsafe-inline' if nonce- or hash-source specified |
4339 |
test_ignore_xfo.html |
Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists |
4117 |
test_image_document.html |
Bug 1627235: Test CSP for images loaded as iframe |
1003 |
test_image_nonce.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
1699 |
test_independent_iframe_csp.html |
Bug 1419222 - iFrame CSP should not affect parent document CSP |
2803 |
test_inlinescript.html |
Test for Content Security Policy Frame Ancestors directive |
3508 |
test_inlinestyle.html |
Test for Content Security Policy inline stylesheets stuff |
5491 |
test_invalid_source_expression.html |
Bug 1086612 - CSP: Let source expression be the empty set in case no valid source can be parsed |
1803 |
test_leading_wildcard.html |
Bug 1032303 - CSP - Keep FULL STOP when matching *.foo.com to disallow loads from foo.com |
3315 |
test_link_rel_preload.html |
Bug 1599791 - Test link rel=preload |
2401 |
test_meta_csp_self.html |
Bug 1387871 - CSP: Test 'self' within meta csp in data: URI iframe |
2230 |
test_meta_element.html |
Bug 663570 - Implement Content Security Policy via <meta> tag |
2901 |
test_meta_header_dual.html |
Bug 663570 - Implement Content Security Policy via meta tag |
3989 |
test_meta_whitespace_skipping.html |
Bug 1261634 - Update whitespace skipping for meta csp |
2656 |
test_multi_policy_injection_bypass.html |
Test for Bug 717511 |
3497 |
test_multipartchannel.html |
Bug 1416045/Bug 1223743 - CSP: Check baseChannel for CSP when loading multipart channel |
2231 |
test_nonce_redirects.html |
Bug 1469150:Scripts with valid nonce get blocked if URL redirects |
1174 |
test_nonce_snapshot.html |
Bug 1509738 - Snapshot nonce at load start time |
1062 |
test_nonce_source.html |
Test CSP 1.1 nonce-source for scripts and styles |
4431 |
test_null_baseuri.html |
Bug 1121857 - document.baseURI should not get blocked if baseURI is null |
2159 |
test_object_inherit.html |
Bug 1457100: Test OBJECT inherits CSP if needed |
831 |
test_parent_location_js.html |
Bug 1550414: Add CSP test for setting parent location to javascript: |
1276 |
test_path_matching.html |
Bug 808292 - Implement path-level host-source matching to CSP |
4467 |
test_path_matching_redirect.html |
Bug 808292 - Implement path-level host-source matching to CSP (redirects) |
2966 |
test_ping.html |
Bug 1100181 - CSP: Enforce connect-src when submitting pings |
2969 |
test_policyuri_regression_from_multipolicy.html |
Test for Bug 924708 |
967 |
test_punycode_host_src.html |
Bug 1224225 - CSP source matching should work for punycoded domain names |
2187 |
test_redirects.html |
Tests for Content Security Policy during redirects |
5566 |
test_report.html |
Test for Bug 548193 |
4145 |
test_report_font_cache.html |
|
2047 |
test_report_for_import.html |
Test for Bug 548193 |
3970 |
test_report_uri_missing_in_report_only_header.html |
Test for Bug 847081 |
1789 |
test_reporting_api_disabled.html |
Bug 1922967 - Check `report-uri` is used when Reporting API is enabled regardless the existence of `report-to` |
2642 |
test_sandbox.html |
Tests for bugs 886164 and 671389 |
7499 |
test_sandbox_allow_scripts.html |
Bug 1396320: Fix CSP sandbox regression for allow-scripts |
953 |
test_scheme_relative_sources.html |
Bug 921493 - CSP: test allowlisting of scheme-relative sources |
2221 |
test_script_template.html |
Bug 1548385 - CSP: Test script template |
1696 |
test_security_policy_violation_event.html |
|
579 |
test_self_none_as_hostname_confusion.html |
Test for Bug 587377 |
1752 |
test_sendbeacon.html |
Bug 1234813 - sendBeacon should not throw if blocked by Content Policy |
1094 |
test_service_worker.html |
Bug 1208559 - ServiceWorker registration not governed by CSP |
1801 |
test_strict_dynamic.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
4296 |
test_strict_dynamic_default_src.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
4732 |
test_strict_dynamic_parser_inserted.html |
Bug 1299483 - CSP: Implement 'strict-dynamic' |
3002 |
test_subframe_run_js_if_allowed.html |
Test for Bug 702439 |
844 |
test_svg_inline_style.html |
Bug 1262842: Test CSP inline style within svg image |
4269 |
test_uir_top_nav.html |
Bug 1391011: Test uir for toplevel navigations |
1618 |
test_uir_windowwatcher.html |
Bug 1529893 - Test upgrade-insecure-requests for opening window through nsWindowWatcher |
1002 |
test_upgrade_insecure.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
7279 |
test_upgrade_insecure_cors.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
3010 |
test_upgrade_insecure_docwrite_iframe.html |
Bug 1273430 - Test CSP upgrade-insecure-requests for doc.write(iframe) |
1942 |
test_upgrade_insecure_loopback.html |
Bug 1447784 - Implement CSP upgrade-insecure-requests directive |
2867 |
test_upgrade_insecure_navigation.html |
Bug 1271173 - Missing spec on Upgrade Insecure Requests(Navigational Upgrades) |
3148 |
test_upgrade_insecure_navigation_redirect.html |
Bug 1422284 - Upgrade insecure requests should only apply to top-level same-origin redirects |
2143 |
test_upgrade_insecure_report_only.html |
Bug 1832249 - Consider report-only flag when upgrading insecure requests |
3445 |
test_upgrade_insecure_reporting.html |
Bug 1139297 - Implement CSP upgrade-insecure-requests directive |
2292 |
test_websocket_localhost.html |
Bug 1729897: Allow unsecure websocket from localhost page with CSP: upgrade-insecure |
1353 |
test_websocket_self.html |
Bug 1345615: Allow websocket schemes when using 'self' in CSP |
1836 |
test_win_open_blocked.html |
|
1816 |
test_worker_src.html |
Bug 1302667 - Test worker-src |
3260 |
test_xslt_inherits_csp.html |
Bug 1597645: Make sure XSLT inherits the CSP r=ckerschb |
1051 |
worker.sjs |
|
2560 |
worker_helper.js |
Any copyright is dedicated to the Public Domain.
http://creativecommons.org/publicdomain/zero/1.0/
|
2266 |