Bug 1468173 [wpt PR 11457] - Completed 'unsafe-hashes' per spec, a=testonly

Automatic update from web-platform-testsCompleted 'unsafe-hashes' per spec

'unsafe-hashed-attributes' renamed to 'unsafe-hashes'
'unsafe-hashes' matches style attributes correctly now
'unsafe-hashes' works for javascript: URLs
'unsafe-hashes' tests added and ammended

spec (approved and to be submitted at the same time as this CR):
https://github.com/w3c/webappsec-csp/pull/311

I2I: https://groups.google.com/a/chromium.org/d/msg/blink-dev/4dohVXDfEI4/tO6rhuv4AwAJ

Bug: 771922
Change-Id: I018cc0f73d492cb4057ff4c41d9be4df8438036c
Reviewed-on: https://chromium-review.googlesource.com/1095217
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569593}

--

wpt-commits: fb04aed6ac840bd35178406583af6da6759c3566
wpt-pr: 11457

testing/web-platform/meta/MANIFEST.json

@@ -216848,6 +216848,11 @@
      {}
     ]
    ],
+   "content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html": [
+    [
+     {}
+    ]
+   ],
    "cookie-store/META.yml": [
     [
      {}
@@ -313448,9 +313453,9 @@
      {}
     ]
    ],
-   "content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashed_attributes.html": [
+   "content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html": [
     [
-     "/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashed_attributes.html",
+     "/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html",
      {}
     ]
    ],
@@ -315332,21 +315337,111 @@
      {}
     ]
    ],
-   "content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html": [
+   "content-security-policy/unsafe-hashes/javascript_src_allowed-href.html": [
     [
-     "/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html",
+     "/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html",
      {}
     ]
    ],
-   "content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html": [
+   "content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html": [
     [
-     "/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html",
+     "/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html",
      {}
     ]
    ],
-   "content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html": [
+   "content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html": [
     [
-     "/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html",
+     "/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html": [
+    [
+     "/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/script_event_handlers_allowed.html": [
+    [
+     "/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html": [
+    [
+     "/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html": [
+    [
+     "/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/style_attribute_allowed.html": [
+    [
+     "/content-security-policy/unsafe-hashes/style_attribute_allowed.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html": [
+    [
+     "/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html",
+     {}
+    ]
+   ],
+   "content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html": [
+    [
+     "/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html",
      {}
     ]
    ],
@@ -437667,8 +437762,8 @@
    "8d1a3cb1754e08585851553defc828f424e3f402",
    "testharness"
   ],
-  "content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashed_attributes.html": [
-   "f6888b5ea15ed20082ff9b2d323af0a495b9fe56",
+  "content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html": [
+   "221c608dd2ac6af81550ca6211c20a90e9f45dad",
    "testharness"
   ],
   "content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html": [
@@ -439679,18 +439774,82 @@
    "2676e375c60899dbd2281b49e01e82e1b3d9451e",
    "testharness"
   ],
-  "content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html": [
-   "3dac897440d3bcca283c606c51d23a9d37c66a62",
+  "content-security-policy/unsafe-hashes/javascript_src_allowed-href.html": [
+   "2bd3fb3fae8a5bc7a25d17670b47327b8584a88c",
    "testharness"
   ],
-  "content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html": [
-   "2864ff4485ab5fee87000898cba6c9d786586684",
+  "content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html": [
+   "349baa33e86ccd020758817ef25503f6b5dddaa1",
    "testharness"
   ],
-  "content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html": [
-   "d4f78683e9e76a341134c34be726d435d113b71b",
+  "content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html": [
+   "979110bfd5000798d635d3ccdd44acfcdcec8e0d",
    "testharness"
   ],
+  "content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html": [
+   "1f6ce394551c57a521ce8df202cce59d8b27b0a0",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html": [
+   "8ebd1793dfc9ef510e0c78e19e02719e2a30f526",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html": [
+   "a8a9080c1a1f7c26c1b30e9d43e13f53f4576360",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html": [
+   "4ac5fac6f6c58c8c172ed02594d73f631799cf7a",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html": [
+   "f62182571c99ce20bdb7ff7c94592355a6b41743",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html": [
+   "5cefbd1b0017f318ea83b77e4766b0ed4b4295dd",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html": [
+   "4c12e6e13a95ad4fd6222d93427a48257f3a0b77",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html": [
+   "401d00812bcb6aee37f5779f2794ecbb6792a7dc",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html": [
+   "20348d6da0ecdb7f5295bc704191cd217dd726b6",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/script_event_handlers_allowed.html": [
+   "e8e57afe913c38d603d1e7256412b33a1b333004",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html": [
+   "9e80d3eb04bb86ea53eb8cce065490550fd19e79",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html": [
+   "76831255a317844b60de42cb137ddbef52aa81b9",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/style_attribute_allowed.html": [
+   "02676f3fe19f2da59f166f2a7be071a4071615c6",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html": [
+   "759d2d1ba03562cce5a4c24327e0cd63fe297cd5",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html": [
+   "6cc4455b0d5afa4c23ee5e8eb0c33969149fd36c",
+   "testharness"
+  ],
+  "content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html": [
+   "02990045a9427bfb19b439bb0691d0a5ed56453a",
+   "support"
+  ],
   "content-security-policy/worker-src/dedicated-child.sub.html": [
    "fb394b266d3c21a44d7f0edfbbcc5d5ff31e8b6f",
    "testharness"
@@ -588560,11 +588719,11 @@
    "testharness"
   ],
   "html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html": [
-   "d49f673f10045316bf897ded5d0cd24ab3933a5b",
+   "fd4a01519ff3b522b95b5b5f81a2c9f5f6672e49",
    "testharness"
   ],
   "html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html": [
-   "2566b1d80cd2617c62667c300fe9568a640fe1a5",
+   "0ee0b781ac22fc0382f51ac4aae6087536dd42d4",
    "testharness"
   ],
   "html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-of-promise-result.html": [

testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html

@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-hashed-attributes' keyword.</title>
+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-hashes' keyword.</title>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/testharness-helper.sub.js"></script>
@@ -9,36 +9,36 @@
 <body>
   <script>
     var tests = [
-      { "name": "'unsafe-hashed-attributes' is properly subsumed.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic' 'unsafe-hashed-attributes'", 
-        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-hashed-attributes'",
+      { "name": "'unsafe-hashes' is properly subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_LOAD },
-      { "name": "No other keyword has the same effect as 'unsafe-hashed-attributes'.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", 
+      { "name": "No other keyword has the same effect as 'unsafe-hashes'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
         "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Other expressions have to be subsumed.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", 
-        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'",
+      { "name": "Other expressions have to be subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Effective policy is properly found.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-hashed-attributes'", 
-        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",
-        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
+      { "name": "Effective policy is properly found.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'  'unsafe-hashes'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashes'",
+        "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_LOAD },
-      { "name": "Required csp must allow 'unsafe-hashed-attributes'.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'", 
-        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-hashed-attributes'",
+      { "name": "Required csp must allow 'unsafe-hashes'.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src http://example1.com/foo/ 'self'  'unsafe-hashes'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Effective policy is properly found where 'unsafe-hashed-attributes' is not subsumed.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'", 
-        "returned_csp_1": "style-src 'unsafe-eval' 'unsafe-hashed-attributes'",
-        "returned_csp_2": "style-src 'unsafe-hashed-attributes' 'unsafe-inline'",
+      { "name": "Effective policy is properly found where 'unsafe-hashes' is not subsumed.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
+        "returned_csp_1": "style-src 'unsafe-eval' 'unsafe-hashes'",
+        "returned_csp_2": "style-src 'unsafe-hashes' 'unsafe-inline'",
         "expected": IframeLoad.EXPECT_BLOCK },
-      { "name": "Effective policy is properly found where 'unsafe-hashed-attributes' is not part of it.", 
-        "required_csp": "style-src http://example1.com/foo/ 'self'", 
+      { "name": "Effective policy is properly found where 'unsafe-hashes' is not part of it.",
+        "required_csp": "style-src http://example1.com/foo/ 'self'",
         "returned_csp_1": "style-src 'unsafe-eval' 'self'",
-        "returned_csp_2": "style-src 'unsafe-hashed-attributes' 'self'",
+        "returned_csp_2": "style-src 'unsafe-hashes' 'self'",
         "expected": IframeLoad.EXPECT_LOAD },
     ];
     tests.forEach(test => {

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html

@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.done();' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html

@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a target="_blank" href='javascript:t1.done();' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "pass");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' + 
+              '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "pass");
+        });
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+             assert_equals(e.violatedDirective, 'script-src');
+             assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "fail");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' + 
+              '?csp=' + encodeURI("script-src 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.unreached_func("Should have not received any message");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';">
+    <!--
+    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <a target="_blank" href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+             assert_equals(e.violatedDirective, 'script-src');
+             assert_equals(e.blockedURI, 'inline');
+        }));
+
+        document.getElementById('test').click();
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.step_func_done(function(e) {
+          assert_equals(e.data, "fail");
+        });
+
+        window.open('support/child_window_location_navigate.sub.html' + 
+              '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='") +
+              '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')"));
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=';">
+    <!--
+    'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')'
+    -->
+    <script src='/resources/testharness.js' nonce='abc'></script>
+    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script nonce='abc'>
+        var t1 = async_test("Test that the javascript: src is not allowed to run");
+
+        window.onmessage = t1.unreached_func("Should have not received any message");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+        window.open("javascript:opener.postMessage('pass', '*')");
+    </script>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html

@@ -2,8 +2,8 @@
 <html>
 
 <head>
-    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
-    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashed-attributes' are present</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
     <script src='/resources/testharness.js' nonce='abc'></script>
     <script src='/resources/testharnessreport.js' nonce='abc'></script>
 </head>

testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html

@@ -3,7 +3,7 @@
 
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;">
-    <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashed-attributes'</title>
+    <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title>
     <script src='/resources/testharness.js' nonce='abc'></script>
     <script src='/resources/testharnessreport.js' nonce='abc'></script>
     

testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html

@@ -2,7 +2,7 @@
 <html>
 
 <head>
-    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
     <title>Event handlers should be not allowed if a matching hash is not present</title>
     <script src='/resources/testharness.js' nonce='abc'></script>
     <script src='/resources/testharnessreport.js' nonce='abc'></script>

testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html

@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'unsafe-hashes' 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is loaded");
+
+        function check_for_style() {
+          assert_equals("green", document.getElementById('test').style.background);
+          t1.done();
+        }
+
+        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'
+         onload='check_for_style()'>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is blocked");
+        
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'style-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src *;
+                      style-src 'unsafe-hashes' 'sha256-UI8QfroYhb0WX073XBuM+RTPntpjZfkyFLsMw5vQfd0=';">
+    <!--
+      'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green'
+      -->
+    <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <div id='log'></div>
+    <script>
+        var t1 = async_test("Test that the inline style attribute is blocked");
+
+        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'style-src');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+
+    </script>
+    <img src='../support/pass.png' id='test' style='background: green'>
+</body>
+
+</html>

testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html

@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+
+<body>
+  <script nonce='abc'>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      opener.postMessage('fail', '*');
+    });
+
+    window.location.href = "{{GET[url]}}";
+  </script>
+</body>
+
+</html>

testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html

@@ -3,7 +3,7 @@
 <title>import() inside compiled strings uses the appropriate nonce inside a classic script</title>
 <link rel="author" title="Domenic Denicola" href="mailto:d@domenic.me">
 
-<meta http-equiv="content-security-policy" content="script-src 'nonce-correct' 'unsafe-eval' 'unsafe-hashed-attributes' 'sha256-cAMzxBL19bKt4KwKGbxy/ZOFIIjH5AmRjlVbsD5pvNw=' 'sha256-3VjoJYNK/9HJMS8rrZHlqSZgUssDY+GPyc7AU8lNM3k='">
+<meta http-equiv="content-security-policy" content="script-src 'nonce-correct' 'unsafe-eval' 'unsafe-hashes' 'sha256-cAMzxBL19bKt4KwKGbxy/ZOFIIjH5AmRjlVbsD5pvNw=' 'sha256-3VjoJYNK/9HJMS8rrZHlqSZgUssDY+GPyc7AU8lNM3k='">
 
 <script nonce="correct" src="/resources/testharness.js"></script>
 <script nonce="correct" src="/resources/testharnessreport.js"></script>
@@ -74,7 +74,7 @@ promise_test(t => {
 
   const promise = createTestPromise(t);
 
-  // This only works because of the 'unsafe-hashed-attributes' and the hash in the CSP policy
+  // This only works because of the 'unsafe-hashes' and the hash in the CSP policy
   dummyDiv.setAttribute(
     "onclick",
     `import('../imports-a.js?label=reflected inline event handlers').then(window.continueTest, window.errorTest)`
@@ -91,7 +91,7 @@ promise_test(t => {
 
   const promise = createTestPromise(t);
 
-  // This only works because of the 'unsafe-hashed-attributes' and the hash in the CSP policy
+  // This only works because of the 'unsafe-hashes' and the hash in the CSP policy
   dummyDiv.setAttribute(
     "onclick",
     `import('../imports-a.js?label=inline event handlers triggered via UA code').then(window.continueTest, window.errorTest)`

testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html

@@ -3,7 +3,7 @@
 <title>import() inside compiled strings uses the appropriate nonce inside a module script</title>
 <link rel="author" title="Domenic Denicola" href="mailto:d@domenic.me">
 
-<meta http-equiv="content-security-policy" content="script-src 'nonce-correct' 'unsafe-eval' 'unsafe-hashed-attributes' 'sha256-cAMzxBL19bKt4KwKGbxy/ZOFIIjH5AmRjlVbsD5pvNw=' 'sha256-3VjoJYNK/9HJMS8rrZHlqSZgUssDY+GPyc7AU8lNM3k='">
+<meta http-equiv="content-security-policy" content="script-src 'nonce-correct' 'unsafe-eval' 'unsafe-hashes' 'sha256-cAMzxBL19bKt4KwKGbxy/ZOFIIjH5AmRjlVbsD5pvNw=' 'sha256-3VjoJYNK/9HJMS8rrZHlqSZgUssDY+GPyc7AU8lNM3k='">
 
 <script nonce="correct" src="/resources/testharness.js"></script>
 <script nonce="correct" src="/resources/testharnessreport.js"></script>
@@ -73,7 +73,7 @@ promise_test(t => {
 
   const promise = createTestPromise(t);
 
-  // This only works because of the 'unsafe-hashed-attributes' and the hash in the CSP policy
+  // This only works because of the 'unsafe-hashes' and the hash in the CSP policy
   dummyDiv.setAttribute(
     "onclick",
     `import('../imports-a.js?label=reflected inline event handlers').then(window.continueTest, window.errorTest)`
@@ -90,7 +90,7 @@ promise_test(t => {
 
   const promise = createTestPromise(t);
 
-  // This only works because of the 'unsafe-hashed-attributes' and the hash in the CSP policy
+  // This only works because of the 'unsafe-hashes' and the hash in the CSP policy
   dummyDiv.setAttribute(
     "onclick",
     `import('../imports-a.js?label=inline event handlers triggered via UA code').then(window.continueTest, window.errorTest)`