Name Description Size
Ahem.ttf 0
browser.toml 942
browser_manifest-src-override-default-src.js Description of the tests: Tests check that default-src can be overridden by manifest-src. 3805
browser_pdfjs_not_subject_to_csp.js 1361
browser_test_bookmarklets.js Test Description: 1 - Load a Page with CSP script-src: none 2 - Create a bookmarklet with javascript:window.open('about:blank') 3 - Select and enter the bookmarklet A new tab with about:blank should be opened 2316
browser_test_uir_optional_clicks.js 918
browser_test_web_manifest.js Description of the tests: These tests check for conformance to the CSP spec as they relate to Web Manifests. In particular, the tests check that default-src and manifest-src directives are are respected by the ManifestObtainer. 7769
browser_test_web_manifest_mixed_content.js Description of the test: Check that mixed content blocker works prevents fetches of mixed content manifests. 1555
dummy.pdf 0
File 0
file_allow_https_schemes.html Bug 826805 - CSP: Allow http and https for scheme-less sources 481
file_base_uri_server.sjs 1599
file_blob_data_schemes.html Bug 1086999 - Wildcard should not match blob:, data: 1434
file_blob_top_nav_block_modals.html 546
file_blob_top_nav_block_modals.html^headers^ 47
file_blob_uri_blocks_modals.html 1029
file_blob_uri_blocks_modals.html^headers^ 47
file_block_all_mcb.sjs 2435
file_block_all_mixed_content_frame_navigation1.html Bug 1122236 - CSP: Implement block-all-mixed-content 592
file_block_all_mixed_content_frame_navigation2.html Bug 1122236 - CSP: Implement block-all-mixed-content 330
file_blocked_uri_in_violation_event_after_redirects.html Bug 1542194 - Check blockedURI in violation reports after redirects 1319
file_blocked_uri_in_violation_event_after_redirects.sjs 1502
file_blocked_uri_redirect_frame_src.html Bug 1687342 - Check blocked-uri in csp-reports after frame redirect 338
file_blocked_uri_redirect_frame_src.html^headers^ 98
file_blocked_uri_redirect_frame_src_server.sjs 485
file_bug663567.xsl 0
file_bug663567_allows.xml Empire Burlesque 673
file_bug663567_allows.xml^headers^ 44
file_bug663567_blocks.xml Empire Burlesque 673
file_bug663567_blocks.xml^headers^ 51
file_bug802872.html Bug 802872 344
file_bug802872.html^headers^ 44
file_bug802872.js The policy for this test is: Content-Security-Policy: default-src 'self' 1340
file_bug802872.sjs 257
file_bug836922_npolicies.html 394
file_bug836922_npolicies.html^headers^ 353
file_bug836922_npolicies_ro_violation.sjs 1609
file_bug836922_npolicies_violation.sjs 1675
file_bug885433_allows.html 1299
file_bug885433_allows.html^headers^ 41
file_bug885433_blocks.html 1262
file_bug885433_blocks.html^headers^ 45
file_bug886164.html 561
file_bug886164.html^headers^ 44
file_bug886164_2.html 434
file_bug886164_2.html^headers^ 44
file_bug886164_3.html 398
file_bug886164_3.html^headers^ 44
file_bug886164_4.html 398
file_bug886164_4.html^headers^ 44
file_bug886164_5.html 1139
file_bug886164_5.html^headers^ 61
file_bug886164_6.html 1392
file_bug886164_6.html^headers^ 61
file_bug888172.html 932
file_bug888172.sjs 1546
file_bug909029_none.html 644
file_bug909029_none.html^headers^ 75
file_bug909029_star.html 595
file_bug909029_star.html^headers^ 69
file_bug910139.sjs 1615
file_bug910139.xml Empire Burlesque 645
file_bug910139.xsl 747
file_bug941404.html 790
file_bug941404_xhr.html 72
file_bug941404_xhr.html^headers^ 74
file_bug1229639.html 195
file_bug1229639.html^headers^ 114
file_bug1312272.html marquee inline script tests for Bug 1312272 408
file_bug1312272.html^headers^ 67
file_bug1312272.js 242
file_bug1452037.html 265
file_bug1505412.sjs 1376
file_bug1505412_frame.html Bug 1505412 CSP-RO reports violations in inline-scripts with nonce 363
file_bug1505412_frame.html^headers^ 104
file_bug1505412_reporter.sjs 501
file_bug1738418_child.html 203
file_bug1738418_parent.html 204
file_bug1738418_parent.html^headers^ 48
file_bug1764343.html Bug 1764343 - CSP inheritance for same-origin iframes 316
file_bug1777572.html 1388
file_child-src_iframe.html Bug 1045891 1973
file_child-src_inner_frame.html Bug 1045891 534
file_child-src_service_worker.html Bug 1045891 965
file_child-src_service_worker.js 67
file_child-src_shared_worker-redirect.html Bug 1045891 1314
file_child-src_shared_worker.html Bug 1045891 988
file_child-src_shared_worker.js 161
file_child-src_shared_worker_data.html Bug 1045891 1138
file_child-src_worker-redirect.html Bug 1045891 1362
file_child-src_worker.html Bug 1045891 1010
file_child-src_worker.js 55
file_child-src_worker_data.html Bug 1045891 1004
file_connect-src-fetch.html Bug 1139667 - Test mapping of fetch() to connect-src 428
file_connect-src.html Bug 1031530 - Test mapping of XMLHttpRequest to connect-src 553
file_CSP.css Moved this CSS from an inline stylesheet to an external file when we added inline-style blocking in bug 763879. This test may hang if the load for this .css file is blocked due to a malfunction of CSP, but should pass if the style_good test passes. 701
file_CSP.sjs 628
file_csp_error_messages.html 598
file_csp_frame_ancestors_about_blank.html Helper file for Bug 1668071 - CSP frame-ancestors in about:blank 180
file_csp_frame_ancestors_about_blank.html^headers^ 119
file_csp_meta_uir.html Hello World 332
file_data-uri_blocked.html Test for Bug 587377 23998
file_data-uri_blocked.html^headers^ 92
file_data_csp_inheritance.html Bug 1381761 - Treating 'data:' documents as unique, opaque origins should still inherit the CSP 807
file_data_csp_merge.html Bug 1386183 - Meta CSP on data: URI iframe should be merged with toplevel CSP 920
file_data_doc_ignore_meta_csp.html Bug 1382869: data document should ignore meta csp 646
file_doccomment_meta.html Bug 663570 - Test doc.write(meta csp) 843
file_docwrite_meta.css 45
file_docwrite_meta.html Bug 663570 - Test doc.write(meta csp) 833
file_docwrite_meta.js 165
file_dual_header_testserver.sjs Custom sjs file serving a test page using *two* CSP policies. See Bug 1036399 - Multiple CSP policies should be combined towards an intersection 1459
file_dummy_pixel.png 0
file_empty_directive.html Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none" 337
file_empty_directive.html^headers^ 27
file_evalscript_main.html CSP eval script tests 200
file_evalscript_main.html^headers^ 68
file_evalscript_main.js eslint-disable no-eval 6926
file_evalscript_main_allowed.html CSP eval script tests 208
file_evalscript_main_allowed.html^headers^ 102
file_evalscript_main_allowed.js eslint-disable no-eval 4624
file_fontloader.sjs 1467
file_fontloader.woff 0
file_form-action.html Bug 529697 - Test mapping of form submission to form-action 374
file_form_action_server.sjs 930
file_frame_ancestors_ro.html 41
file_frame_ancestors_ro.html^headers^ 103
file_frame_src.js 402
file_frame_src_child_governs.html 256
file_frame_src_frame_governs.html 274
file_frame_src_inner.html 43
file_frameancestors.sjs 2419
file_frameancestors_main.html CSP frame ancestors tests 1293
file_frameancestors_main.js .... two-level framing 3673
file_frameancestors_userpass.html CSP frame ancestors tests 406
file_frameancestors_userpass_frame_a.html Nested frame 380
file_frameancestors_userpass_frame_b.html Nested frame 376
file_frameancestors_userpass_frame_c.html Nested frame 100
file_frameancestors_userpass_frame_c.html^headers^ 106
file_frameancestors_userpass_frame_d.html Nested frame 100
file_frameancestors_userpass_frame_d.html^headers^ 124
file_hash_source.html 4224
file_hash_source.html^headers^ 832
file_iframe_parent_location_js.html Test setting parent location to javascript: 179
file_iframe_sandbox_document_write.html 640
file_iframe_sandbox_srcdoc.html Bug 1073952 - CSP should restrict scripts in srcdoc iframe even if sandboxed 324
file_iframe_sandbox_srcdoc.html^headers^ 40
file_iframe_srcdoc.sjs 2115
file_ignore_unsafe_inline.html Bug 1004703 - ignore 'unsafe-inline' if nonce- or hash-source specified 701
file_ignore_unsafe_inline_multiple_policies_server.sjs 1936
file_ignore_xfo.html Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists 229
file_ignore_xfo.html^headers^ 110
file_image_document_pixel.png 0
file_image_document_pixel.png^headers^ 89
file_image_nonce.html Bug 1355801: Nonce should not apply to images 1444
file_image_nonce.html^headers^ 70
file_independent_iframe_csp.html Bug 1419222 - iFrame CSP should not affect parent document CSP 1503
file_inlinescript.html CSP inline script tests 482
file_inlinestyle_main.html CSP inline script tests 3132
file_inlinestyle_main.html^headers^ 104
file_inlinestyle_main_allowed.html CSP inline script tests 3427
file_inlinestyle_main_allowed.html^headers^ 139
file_invalid_source_expression.html Bug 1086612 - CSP: Let source expression be the empty set in case no valid source can be parsed 420
file_leading_wildcard.html Bug 1032303 - CSP - Keep FULL STOP when matching *.foo.com to disallow loads from foo.com 461
file_link_rel_preload.html Bug 1599791 - Test link rel=preload 713
file_main.html 2671
file_main.html^headers^ 85
file_main.js 718
file_meta_element.html Bug 663570 - Implement Content Security Policy via meta tag 920
file_meta_header_dual.sjs load image without any CSP 3111
file_meta_whitespace_skipping.html Bug 1261634 - Update whitespace skipping for meta csp 1004
file_multi_policy_injection_bypass.html 612
file_multi_policy_injection_bypass.html^headers^ 59
file_multi_policy_injection_bypass_2.html 616
file_multi_policy_injection_bypass_2.html^headers^ 65
file_multipart_testserver.sjs 4594
file_no_log_ignore_xfo.html Bug 1722252: "Content-Security-Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning message even when no "x-frame-options" header present 357
file_no_log_ignore_xfo.html^headers^ 88
file_nonce_redirector.sjs 783
file_nonce_redirects.html Bug 1469150:Scripts with valid nonce get blocked if URL redirects 724
file_nonce_snapshot.sjs 1502
file_nonce_source.html 4265
file_nonce_source.html^headers^ 166
file_null_baseuri.html Bug 1121857 - document.baseURI should not get blocked if baseURI is null 796
file_object_inherit.html Bug 1457100: Test OBJECT inherits CSP if needed 640
file_parent_location_js.html Test setting parent location to javascript: 543
file_path_matching.html Bug 808292 - Implement path-level host-source matching to CSP 287
file_path_matching.js 58
file_path_matching_incl_query.html Bug 1147026 - CSP should ignore query string when checking a resource load 304
file_path_matching_redirect.html Bug 808292 - Implement path-level host-source matching to CSP 294
file_path_matching_redirect_server.sjs 459
file_pdfjs_not_subject_to_csp.html 646
file_ping.html Bug 1100181 - CSP: Enforce connect-src when submitting pings 519
file_policyuri_regression_from_multipolicy.html 207
file_policyuri_regression_from_multipolicy.html^headers^ 127
file_policyuri_regression_from_multipolicy_policy 20
file_punycode_host_src.js 76
file_punycode_host_src.sjs 1533
file_redirect_content.sjs 1587
file_redirect_report.sjs 660
file_redirect_worker.sjs 965
file_redirects_main.html CSP redirect tests 1226
file_redirects_page.sjs 4166
file_redirects_resource.sjs 5598
file_report.html Bug 1033424 - Test csp-report properties 296
file_report_chromescript.js eslint-env mozilla/chrome-script 2068
file_report_font_cache-1.html 710
file_report_font_cache-2.html 732
file_report_font_cache-2.html^headers^ 84
file_report_for_import.css 108
file_report_for_import.html Bug 1048048 - Test sending csp-report when using import in css 298
file_report_for_import_server.sjs 1601
file_report_uri_missing_in_report_only_header.html 0
file_report_uri_missing_in_report_only_header.html^headers^ 57
file_ro_ignore_xfo.html Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists 231
file_ro_ignore_xfo.html^headers^ 122
file_sandbox_1.html 571
file_sandbox_2.html 551
file_sandbox_3.html 496
file_sandbox_4.html 464
file_sandbox_5.html 1145
file_sandbox_6.html 1441
file_sandbox_7.html 557
file_sandbox_8.html 539
file_sandbox_9.html 482
file_sandbox_10.html 466
file_sandbox_11.html 1138
file_sandbox_12.html 1601
file_sandbox_13.html 1138
file_sandbox_allow_scripts.html Bug 1396320: Fix CSP sandbox regression for allow-scripts 276
file_sandbox_allow_scripts.html^headers^ 48
file_sandbox_fail.js 188
file_sandbox_pass.js 183
file_scheme_relative_sources.js 58
file_scheme_relative_sources.sjs Custom *.sjs specifically for the needs of Bug 921493 - CSP: test allowlisting of scheme-relative sources 1319
file_script_template.html 379
file_script_template.js 19
file_self_none_as_hostname_confusion.html Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none" 337
file_self_none_as_hostname_confusion.html^headers^ 50
file_sendbeacon.html Bug 1234813 - sendBeacon should not throw if blocked by Content Policy 545
file_service_worker.html Bug 1208559 - ServiceWorker registration not governed by CSP 509
file_service_worker.js 38
file_spawn_service_worker.js 14
file_spawn_shared_worker.js 179
file_spawn_worker.js 36
file_strict_dynamic.js 58
file_strict_dynamic_default_src.html Bug 1299483 - CSP: Implement 'strict-dynamic' 552
file_strict_dynamic_default_src.js 58
file_strict_dynamic_js_url.html Bug 1316826 - 'strict-dynamic' blocking DOM event handlers 350
file_strict_dynamic_non_parser_inserted.html Bug 1299483 - CSP: Implement 'strict-dynamic' 437
file_strict_dynamic_non_parser_inserted_inline.html Bug 1299483 - CSP: Implement 'strict-dynamic' 379
file_strict_dynamic_parser_inserted_doc_write.html Bug 1299483 - CSP: Implement 'strict-dynamic' 367
file_strict_dynamic_parser_inserted_doc_write_correct_nonce.html Bug 1299483 - CSP: Implement 'strict-dynamic' 399
file_strict_dynamic_script_events.html Bug 1316826 - 'strict-dynamic' blocking DOM event handlers 302
file_strict_dynamic_script_events_marquee.html Bug 1316826 - 'strict-dynamic' blocking DOM event handlers 274
file_strict_dynamic_script_extern.html Bug 1299483 - CSP: Implement 'strict-dynamic' 262
file_strict_dynamic_script_inline.html Bug 1299483 - CSP: Implement 'strict-dynamic' 249
file_strict_dynamic_unsafe_eval.html Bug 1299483 - CSP: Implement 'strict-dynamic' 296
file_subframe_run_js_if_allowed.html 410
file_subframe_run_js_if_allowed.html^headers^ 67
file_svg_inline_style_base.html 158
file_svg_inline_style_csp.html 231
file_svg_inline_style_server.sjs 1146
file_svg_srcset_inline_style_base.html 161
file_svg_srcset_inline_style_csp.html 234
file_test_browser_bookmarklets.html Document 285
file_test_browser_bookmarklets.html^headers^ 67
file_testserver.sjs 1950
file_uir_top_nav.html 451
file_uir_top_nav_dummy.html 291
file_upgrade_insecure.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 3667
file_upgrade_insecure_cors.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 1359
file_upgrade_insecure_cors_server.sjs 2001
file_upgrade_insecure_docwrite_iframe.sjs 1566
file_upgrade_insecure_loopback.html Bug 1447784 - Implement CSP upgrade-insecure-requests directive 594
file_upgrade_insecure_loopback_form.html Bug 1661423 - don't apply upgrade-insecure-requests on form submissions to localhost 362
file_upgrade_insecure_loopback_server.sjs 806
file_upgrade_insecure_meta.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 3483
file_upgrade_insecure_navigation.sjs 2291
file_upgrade_insecure_navigation_redirect.sjs 1383
file_upgrade_insecure_navigation_redirect_cross_origin.html 281
file_upgrade_insecure_navigation_redirect_same_origin.html 280
file_upgrade_insecure_report_only.html Bug 1832249 - Consider report-only flag when upgrading insecure requests 1042
file_upgrade_insecure_report_only_server.sjs 3869
file_upgrade_insecure_reporting.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 654
file_upgrade_insecure_reporting_server.sjs 2961
file_upgrade_insecure_server.sjs 3408
file_upgrade_insecure_wsh.py 103
file_web_manifest.html 148
file_web_manifest.json 21
file_web_manifest.json^headers^ 47
file_web_manifest_https.html 191
file_web_manifest_https.json 21
file_web_manifest_mixed_content.html 364
file_web_manifest_remote.html 333
file_websocket_csp_upgrade.html Bug 1729897: Allow unsecure websocket from localhost page with CSP: upgrade-insecure 714
file_websocket_explicit.html Bug 1345615: Allow websocket schemes when using 'self' in CSP 1100
file_websocket_self.html Bug 1345615: Allow websocket schemes when using 'self' in CSP 1087
file_websocket_self_wsh.py 109
file_win_open_blocked.html 70
file_windowwatcher_frameA.html 529
file_windowwatcher_subframeB.html 225
file_windowwatcher_subframeC.html 154
file_windowwatcher_subframeD.html 57
file_windowwatcher_win_open.html 216
file_worker_src.js 1558
file_worker_src_child_governs.html 260
file_worker_src_script_governs.html 249
file_worker_src_worker_governs.html 279
file_xslt_inherits_csp.xml 154
file_xslt_inherits_csp.xml^headers^ 67
file_xslt_inherits_csp.xsl 819
main_csp_worker.html Bug 1475849: Test CSP worker inheritance 13783
main_csp_worker.html^headers^ 66
mochitest.toml 19286
referrerdirective.sjs 1029
test_301_redirect.html Test for Bug 650386 2356
test_302_redirect.html Test for Bug 650386 2356
test_303_redirect.html Test for Bug 650386 2356
test_307_redirect.html Test for Bug 650386 2357
test_allow_https_schemes.html Bug 826805 - Allow http and https for scheme-less sources 2370
test_base-uri.html Bug 1045897 - Test CSP base-uri directive 3769
test_blob_data_schemes.html Bug 1086999 - Wildcard should not match blob:, data: 2386
test_blob_uri_blocks_modals.html Bug 1432170 - Block alert box and new window open as per the sandbox allow-scripts CSP 2206
test_block_all_mixed_content.html Bug 1122236 - CSP: Implement block-all-mixed-content 2808
test_block_all_mixed_content_frame_navigation.html Bug 1122236 - CSP: Implement block-all-mixed-content 1410
test_blocked_uri_in_reports.html Bug 1069762 - Check blocked-uri in csp-reports after redirect 2772
test_blocked_uri_in_violation_event_after_redirects.html Bug 1542194 - Check blockedURI in violation reports after redirects 1589
test_blocked_uri_redirect_frame_src.html Bug 1687342 - Check blocked-uri in csp-reports after frame redirect 1738
test_bug663567.html Test if XSLT stylesheet is subject to document's CSP 2430
test_bug802872.html Bug 802872 1576
test_bug836922_npolicies.html Test for Content Security Policy multiple policy support (regular and Report-Only mode) 8041
test_bug885433.html Test for Content Security Policy inline stylesheets stuff 2410
test_bug886164.html Bug 886164 - Enforce CSP in sandboxed iframe 5073
test_bug888172.html Bug 888172 - CSP 1.0 does not process 'unsafe-inline' or 'unsafe-eval' for default-src 3092
test_bug909029.html Bug 909029 - CSP source-lists ignore some source expressions like 'unsafe-inline' when * or 'none' are used (e.g., style-src, script-src) 4848
test_bug910139.html CSP should block XSLT as script, not as style 2279
test_bug941404.html Bug 941404 - Data documents should not set CSP 2964
test_bug1229639.html Bug 1229639 - Percent encoded CSP path matching. 1511
test_bug1242019.html Test for Bug 1242019 1476
test_bug1312272.html Test for bug 1312272 819
test_bug1388015.html Bug 1388015 - Test if Firefox respect Port in Wildcard Host 1697
test_bug1452037.html Test if "script-src: sha-... " Allowlists "javascript:" URIs 1229
test_bug1505412.html Bug 1505412 CSP-RO reports violations in inline-scripts with nonce 1779
test_bug1579094.html Test if Wildcard CSP supports ExternalProtocol 939
test_bug1738418.html Bug 1738418: CSP sandbox for embed/object frames 768
test_bug1764343.html Bug 1764343 - CSP inheritance for same-origin iframes 4020
test_bug1777572.html bug 1777572 1100
test_child-src_iframe.html Bug 1045891 3240
test_child-src_worker-redirect.html Bug 1045891 4729
test_child-src_worker.html Bug 1045891 5425
test_child-src_worker_data.html Bug 1045891 4569
test_connect-src.html Bug 1031530 and Bug 1139667 - Test mapping of XMLHttpRequest and fetch() to connect-src 4141
test_CSP.html Test for Content Security Policy Connections 4173
test_csp_error_messages.html Test some specialized CSP errors 2007
test_csp_frame_ancestors_about_blank.html Bug 1668071 - CSP frame-ancestors in about:blank 1961
test_csp_style_src_empty_hash.html Bug 1609122 - Empty Style Element with valid style-src hash 942
test_csp_worker_inheritance.html Test for Bug 1475849 510
test_data_csp_inheritance.html Bug 1381761 - Treating 'data:' documents as unique, opaque origins should still inherit the CSP 1150
test_data_csp_merge.html Bug 1386183 - Meta CSP on data: URI iframe should be merged with toplevel CSP 1203
test_data_doc_ignore_meta_csp.html Bug 1382869: data document should ignore meta csp 1271
test_docwrite_meta.html Bug 663570 - Implement Content Security Policy via meta tag 3297
test_dual_header.html Bug 1036399 - Multiple CSP policies should be combined towards an intersection 2016
test_empty_directive.html Test for Bug 1439425 1230
test_evalscript.html Test for Content Security Policy "no eval" base restriction 1822
test_evalscript_allowed_by_strict_dynamic.html Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled 927
test_evalscript_blocked_by_strict_dynamic.html Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled 899
test_fontloader.html Bug 1122236 - CSP: Implement block-all-mixed-content 3157
test_form-action.html Bug 529697 - Test mapping of form submission to form-action 3039
test_form_action_blocks_url.html Bug 1251043 - Test form-action blocks URL 2744
test_frame_ancestors_ro.html Test for frame-ancestors support in Content-Security-Policy-Report-Only 2277
test_frame_src.html Bug 1302667 - Test frame-src 2296
test_frameancestors.html Test for Content Security Policy Frame Ancestors directive 5796
test_frameancestors_userpass.html Test for Userpass in Frame Ancestors directive 4889
test_hash_source.html Test CSP 1.1 hash-source for inline scripts and styles 4602
test_iframe_sandbox.html Tests for Bug 671389 7840
test_iframe_sandbox_srcdoc.html Bug 1073952 - CSP should restrict scripts in srcdoc iframe even if sandboxed 1908
test_iframe_sandbox_top_1.html Tests for Bug 671389 2665
test_iframe_sandbox_top_1.html^headers^ 77
test_iframe_srcdoc.html Bug 1073952 - Test CSP enforcement within iframe srcdoc 4863
test_ignore_unsafe_inline.html Bug 1004703 - ignore 'unsafe-inline' if nonce- or hash-source specified 4339
test_ignore_xfo.html Bug 1024557: Ignore x-frame-options if CSP with frame-ancestors exists 4117
test_image_document.html Bug 1627235: Test CSP for images loaded as iframe 1003
test_image_nonce.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 1699
test_independent_iframe_csp.html Bug 1419222 - iFrame CSP should not affect parent document CSP 2803
test_inlinescript.html Test for Content Security Policy Frame Ancestors directive 3508
test_inlinestyle.html Test for Content Security Policy inline stylesheets stuff 5491
test_invalid_source_expression.html Bug 1086612 - CSP: Let source expression be the empty set in case no valid source can be parsed 1803
test_leading_wildcard.html Bug 1032303 - CSP - Keep FULL STOP when matching *.foo.com to disallow loads from foo.com 3315
test_link_rel_preload.html Bug 1599791 - Test link rel=preload 2401
test_meta_csp_self.html Bug 1387871 - CSP: Test 'self' within meta csp in data: URI iframe 2230
test_meta_element.html Bug 663570 - Implement Content Security Policy via <meta> tag 2901
test_meta_header_dual.html Bug 663570 - Implement Content Security Policy via meta tag 3989
test_meta_whitespace_skipping.html Bug 1261634 - Update whitespace skipping for meta csp 2656
test_multi_policy_injection_bypass.html Test for Bug 717511 3497
test_multipartchannel.html Bug 1416045/Bug 1223743 - CSP: Check baseChannel for CSP when loading multipart channel 2231
test_nonce_redirects.html Bug 1469150:Scripts with valid nonce get blocked if URL redirects 1174
test_nonce_snapshot.html Bug 1509738 - Snapshot nonce at load start time 1062
test_nonce_source.html Test CSP 1.1 nonce-source for scripts and styles 4431
test_null_baseuri.html Bug 1121857 - document.baseURI should not get blocked if baseURI is null 2159
test_object_inherit.html Bug 1457100: Test OBJECT inherits CSP if needed 831
test_parent_location_js.html Bug 1550414: Add CSP test for setting parent location to javascript: 1276
test_path_matching.html Bug 808292 - Implement path-level host-source matching to CSP 4467
test_path_matching_redirect.html Bug 808292 - Implement path-level host-source matching to CSP (redirects) 2966
test_ping.html Bug 1100181 - CSP: Enforce connect-src when submitting pings 2969
test_policyuri_regression_from_multipolicy.html Test for Bug 924708 967
test_punycode_host_src.html Bug 1224225 - CSP source matching should work for punycoded domain names 2187
test_redirects.html Tests for Content Security Policy during redirects 5566
test_report.html Test for Bug 548193 4145
test_report_font_cache.html 2047
test_report_for_import.html Test for Bug 548193 3970
test_report_uri_missing_in_report_only_header.html Test for Bug 847081 1779
test_sandbox.html Tests for bugs 886164 and 671389 7499
test_sandbox_allow_scripts.html Bug 1396320: Fix CSP sandbox regression for allow-scripts 953
test_scheme_relative_sources.html Bug 921493 - CSP: test allowlisting of scheme-relative sources 2221
test_script_template.html Bug 1548385 - CSP: Test script template 1696
test_security_policy_violation_event.html 579
test_self_none_as_hostname_confusion.html Test for Bug 587377 1752
test_sendbeacon.html Bug 1234813 - sendBeacon should not throw if blocked by Content Policy 1094
test_service_worker.html Bug 1208559 - ServiceWorker registration not governed by CSP 1801
test_strict_dynamic.html Bug 1299483 - CSP: Implement 'strict-dynamic' 4296
test_strict_dynamic_default_src.html Bug 1299483 - CSP: Implement 'strict-dynamic' 4732
test_strict_dynamic_parser_inserted.html Bug 1299483 - CSP: Implement 'strict-dynamic' 3002
test_subframe_run_js_if_allowed.html Test for Bug 702439 844
test_svg_inline_style.html Bug 1262842: Test CSP inline style within svg image 4269
test_uir_top_nav.html Bug 1391011: Test uir for toplevel navigations 1618
test_uir_windowwatcher.html Bug 1529893 - Test upgrade-insecure-requests for opening window through nsWindowWatcher 1002
test_upgrade_insecure.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 7279
test_upgrade_insecure_cors.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 3010
test_upgrade_insecure_docwrite_iframe.html Bug 1273430 - Test CSP upgrade-insecure-requests for doc.write(iframe) 1942
test_upgrade_insecure_loopback.html Bug 1447784 - Implement CSP upgrade-insecure-requests directive 2867
test_upgrade_insecure_navigation.html Bug 1271173 - Missing spec on Upgrade Insecure Requests(Navigational Upgrades) 3148
test_upgrade_insecure_navigation_redirect.html Bug 1422284 - Upgrade insecure requests should only apply to top-level same-origin redirects 2143
test_upgrade_insecure_report_only.html Bug 1832249 - Consider report-only flag when upgrading insecure requests 3445
test_upgrade_insecure_reporting.html Bug 1139297 - Implement CSP upgrade-insecure-requests directive 2292
test_websocket_localhost.html Bug 1729897: Allow unsecure websocket from localhost page with CSP: upgrade-insecure 1353
test_websocket_self.html Bug 1345615: Allow websocket schemes when using 'self' in CSP 1836
test_win_open_blocked.html 1816
test_worker_src.html Bug 1302667 - Test worker-src 3260
test_xslt_inherits_csp.html Bug 1597645: Make sure XSLT inherits the CSP r=ckerschb 1051
worker.sjs 2560
worker_helper.js Any copyright is dedicated to the Public Domain. http://creativecommons.org/publicdomain/zero/1.0/ 2266