Update web-platform-tests to revision 4333a1d2f109795547fc5e22ebfc8481fa649de7

tests/wpt/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html

@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-hashed-attributes' keyword.</title>
+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-hashes' keyword.</title>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/testharness-helper.sub.js"></script>
@@ -9,36 +9,36 @@
 <body>
   <script>
     var tests = [
-      { "name": "'unsafe-hashed-attributes' is properly subsumed.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic' 'unsafe-hashed-attributes'", 
-        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-hashed-attributes'",
+      { "name": "'unsafe-hashes' is properly subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_LOAD },
-      { "name": "No other keyword has the same effect as 'unsafe-hashed-attributes'.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", 
+      { "name": "No other keyword has the same effect as 'unsafe-hashes'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
         "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Other expressions have to be subsumed.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", 
-        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'",
+      { "name": "Other expressions have to be subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Effective policy is properly found.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-hashed-attributes'", 
-        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",
-        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
+      { "name": "Effective policy is properly found.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashes'",
+        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_LOAD },
-      { "name": "Required csp must allow 'unsafe-hashed-attributes'.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'", 
-        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-hashed-attributes'",
+      { "name": "Required csp must allow 'unsafe-hashes'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Effective policy is properly found where 'unsafe-hashed-attributes' is not subsumed.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'", 
-        "returned_csp_1": "style-src 'unsafe-eval' 'unsafe-hashed-attributes'",
-        "returned_csp_2": "style-src 'unsafe-hashed-attributes' 'unsafe-inline'",
+      { "name": "Effective policy is properly found where 'unsafe-hashes' is not subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-eval' 'unsafe-hashes'",
+        "returned_csp_2": "style-src 'unsafe-hashes' 'unsafe-inline'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Effective policy is properly found where 'unsafe-hashed-attributes' is not part of it.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'", 
+      { "name": "Effective policy is properly found where 'unsafe-hashes' is not part of it.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
         "returned_csp_1": "style-src 'unsafe-eval' 'self'",
-        "returned_csp_2": "style-src 'unsafe-hashed-attributes' 'self'",
+        "returned_csp_2": "style-src 'unsafe-hashes' 'self'",
         "expected": IframeLoad.EXPECT_LOAD },
     ];
     tests.forEach(test => {

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html

@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.done();' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html

@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a target="_blank" href='javascript:t1.done();' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "pass");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' + 
+              '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "pass");
+        });
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+             assert_equals(e.violatedDirective, 'script-src');
+             assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "fail");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' + 
+              '?csp=' + encodeURI("script-src 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.unreached_func("Should have not received any message");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a target="_blank" href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+             assert_equals(e.violatedDirective, 'script-src');
+             assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "fail");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' + 
+              '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.unreached_func("Should have not received any message");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html

@@ -2,8 +2,8 @@
 <html>
 
 <head>
-    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
-    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashed-attributes' are present</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
     <script src='/resources/testharness.js' nonce='abc'></script>
     <script src='/resources/testharnessreport.js' nonce='abc'></script>
 </head>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html

@@ -3,7 +3,7 @@
 
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;">
-    <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashed-attributes'</title>
+    <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title>
     <script src='/resources/testharness.js' nonce='abc'></script>
     <script src='/resources/testharnessreport.js' nonce='abc'></script>
     

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html

@@ -2,7 +2,7 @@
 <html>
 
 <head>
-    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
     <title>Event handlers should be not allowed if a matching hash is not present</title>
     <script src='/resources/testharness.js' nonce='abc'></script>
     <script src='/resources/testharnessreport.js' nonce='abc'></script>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html

@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'unsafe-hashes' 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is loaded");
+
+        function check_for_style() {
+          assert_equals("green", document.getElementById('test').style.background);
+          t1.done();
+        }
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'
+         onload='check_for_style()'>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is blocked");
+        
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'style-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'unsafe-hashes' 'sha256-UI8QfroYhb0WX073XBuM+RTPntpjZfkyFLsMw5vQfd0=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is blocked");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'style-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>

tests/wpt/web-platform-tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html

@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+
+<body>
+  <script nonce='abc'>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      opener.postMessage('fail', '*');
+    });
+
+    window.location.href = "{{GET[url]}}";
+  </script>
+</body>
+
+</html>