From 59ddf3c3f7b034bb29994b11a3f7dca0d05e7bd7 Mon Sep 17 00:00:00 2001
From: "Hill, Brad" <bhill@paypal-inc.com>
Date: Thu, 23 May 2013 14:42:03 +0200
Subject: [PATCH] WebAppSec CSP tests

---
 csp/CSP_1_1.php                               |  66 ++++++++++++++++
 csp/CSP_1_10.php                              |  64 ++++++++++++++++
 csp/CSP_1_10_1.php                            |  56 ++++++++++++++
 csp/CSP_1_2.php                               |  66 ++++++++++++++++
 csp/CSP_1_2_1.php                             |  72 ++++++++++++++++++
 csp/CSP_1_2_4.php                             |  46 +++++++++++
 csp/CSP_1_2_4_inner.php                       |  58 ++++++++++++++
 csp/CSP_1_3.php                               |  63 +++++++++++++++
 csp/CSP_1_4.php                               |  68 +++++++++++++++++
 csp/CSP_1_4_1.php                             |  72 ++++++++++++++++++
 csp/CSP_1_4_2.php                             |  71 +++++++++++++++++
 csp/CSP_1_5.php                               |  66 ++++++++++++++++
 csp/CSP_1_6.php                               |  67 ++++++++++++++++
 csp/CSP_1_7.php                               |  49 ++++++++++++
 csp/CSP_ExampleTest.php                       |  66 ++++++++++++++++
 csp/MANIFEST                                  |  15 ++++
 csp/support/.checkReportFieldHtml.php.swp     | Bin 0 -> 12288 bytes
 .../addInlineTestsWithDOMManipulation.js      |  22 ++++++
 csp/support/checkReportFieldHtml.php          |  22 ++++++
 csp/support/checkReportFieldJs.php            |  63 +++++++++++++++
 csp/support/clearCookies.html                 |  12 +++
 csp/support/evalSuccess.php                   |   7 ++
 csp/support/fail.php                          |   7 ++
 csp/support/loadRetargeted.php                |  37 +++++++++
 csp/support/setReportAsCookie.php             |  12 +++
 csp/support/success.php                       |   7 ++
 csp/support/test.xsl.php                      |  18 +++++
 csp/support/verifyNoReportHtml.php            |  22 ++++++
 csp/support/verifyNoReportJs.php              |  60 +++++++++++++++
 29 files changed, 1254 insertions(+)
 create mode 100755 csp/CSP_1_1.php
 create mode 100755 csp/CSP_1_10.php
 create mode 100755 csp/CSP_1_10_1.php
 create mode 100755 csp/CSP_1_2.php
 create mode 100755 csp/CSP_1_2_1.php
 create mode 100755 csp/CSP_1_2_4.php
 create mode 100755 csp/CSP_1_2_4_inner.php
 create mode 100755 csp/CSP_1_3.php
 create mode 100755 csp/CSP_1_4.php
 create mode 100755 csp/CSP_1_4_1.php
 create mode 100755 csp/CSP_1_4_2.php
 create mode 100755 csp/CSP_1_5.php
 create mode 100755 csp/CSP_1_6.php
 create mode 100755 csp/CSP_1_7.php
 create mode 100755 csp/CSP_ExampleTest.php
 create mode 100644 csp/MANIFEST
 create mode 100644 csp/support/.checkReportFieldHtml.php.swp
 create mode 100644 csp/support/addInlineTestsWithDOMManipulation.js
 create mode 100644 csp/support/checkReportFieldHtml.php
 create mode 100644 csp/support/checkReportFieldJs.php
 create mode 100644 csp/support/clearCookies.html
 create mode 100755 csp/support/evalSuccess.php
 create mode 100755 csp/support/fail.php
 create mode 100755 csp/support/loadRetargeted.php
 create mode 100644 csp/support/setReportAsCookie.php
 create mode 100755 csp/support/success.php
 create mode 100644 csp/support/test.xsl.php
 create mode 100644 csp/support/verifyNoReportHtml.php
 create mode 100644 csp/support/verifyNoReportJs.php

diff --git a/csp/CSP_1_1.php b/csp/CSP_1_1.php
new file mode 100755
index 00000000000000..c791386f686ea0
--- /dev/null
+++ b/csp/CSP_1_1.php
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src 'self'";
+$title = "Inline script should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_false(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_10.php b/csp/CSP_1_10.php
new file mode 100755
index 00000000000000..39e7700ee309fe
--- /dev/null
+++ b/csp/CSP_1_10.php
@@ -0,0 +1,64 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src 'self'";
+$title = "data: as script src should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script src="data:text/javascript;charset=utf-8;base64,KGZ1bmN0aW9uICgpDQp7DQoJdGVzdChmdW5jdGlvbigpIHthc3NlcnRfdHJ1ZShmYWxzZSl9LCAiU2NyaXB0IHNob3VsZCBub3QgZXhlY3V0ZSBmcm9tIGRhdGE6IHVyaSIpOw0KfSkoKQ=="></script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_10_1.php b/csp/CSP_1_10_1.php
new file mode 100755
index 00000000000000..6047f50f4d19ed
--- /dev/null
+++ b/csp/CSP_1_10_1.php
@@ -0,0 +1,56 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src 'self' data:";
+$title = "data: as script src should run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script src="data:text/javascript;charset=utf-8;base64,KGZ1bmN0aW9uICgpDQp7DQoJdGVzdChmdW5jdGlvbigpIHthc3NlcnRfdHJ1ZSh0cnVlKX0sICJTY3JpcHQgc2hvdWxkIGV4ZWN1dGUgZnJvbSBkYXRhOiB1cmkiKTsNCn0pKCk="></script>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_2.php b/csp/CSP_1_2.php
new file mode 100755
index 00000000000000..73725f66c19952
--- /dev/null
+++ b/csp/CSP_1_2.php
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src *";
+$title = "Inline script should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_false(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_2_1.php b/csp/CSP_1_2_1.php
new file mode 100755
index 00000000000000..e2745c01e4f383
--- /dev/null
+++ b/csp/CSP_1_2_1.php
@@ -0,0 +1,72 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src *";
+//$policy_string = "default-src * 'unsafe-inline'";
+
+$title = "Inline script attached by DOM manipulation should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<div id=attachHere></div>
+
+	<script id=emptyScript></script>
+
+	<div id=emptyDiv></div>
+
+	<script src="support/addInlineTestsWithDOMManipulation.js"></script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_2_4.php b/csp/CSP_1_2_4.php
new file mode 100755
index 00000000000000..166c31c4951317
--- /dev/null
+++ b/csp/CSP_1_2_4.php
@@ -0,0 +1,46 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src http://www2.w3c-test.org";
+$title = "XSLT should not run with policy \"$policy_string\".";
+$reportID=rand();
+
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+
+	<iframe width="100%" height="300"
+	  src="CSP_1_2_4_inner.php?reportID=<?php echo $reportID?>&prefixed=<?php echo $_GET['prefixed']?>">
+	</iframe>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_2_4_inner.php b/csp/CSP_1_2_4_inner.php
new file mode 100755
index 00000000000000..f17713cc976684
--- /dev/null
+++ b/csp/CSP_1_2_4_inner.php
@@ -0,0 +1,58 @@
+<?php
+
+header("Content-Type: application/xml");
+
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src http://www2.w3c-test.org";
+$title = "XSLT should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=$_GET['reportID'];
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<?php echo <<< EOXMLD
+<?xml-stylesheet type="text/xsl" href="support/test.xsl.php"?>
+EOXMLD;
+?>
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<!--meta description='<?php echo $title ?>' /-->
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="http://www2.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www2.w3c-test.org/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<div id="log"></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="http://www2.w3c-test.org/webappsec/tests/csp/submitted/WG/support/fail.php"></script>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_3.php b/csp/CSP_1_3.php
new file mode 100755
index 00000000000000..a31efc1ce14139
--- /dev/null
+++ b/csp/CSP_1_3.php
@@ -0,0 +1,63 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "Inline script should run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_true(true, "Unsafe inline script ran.")});
+	</script>
+
+	<iframe width="100%" height="300" 
+	  src="support/verifyNoReportHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_4.php b/csp/CSP_1_4.php
new file mode 100755
index 00000000000000..6302ddb929f35f
--- /dev/null
+++ b/csp/CSP_1_4.php
@@ -0,0 +1,68 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "eval should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_true(true, "Unsafe inline script ran.")});
+	</script>
+	<script>
+		eval('test(function() {assert_false(true, "Unsafe eval ran.")})');
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_4_1.php b/csp/CSP_1_4_1.php
new file mode 100755
index 00000000000000..aca9892482d0a6
--- /dev/null
+++ b/csp/CSP_1_4_1.php
@@ -0,0 +1,72 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "setInterval, setTimeout with non-callable args should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_true(true, "Unsafe inline script ran.")});
+	</script>
+	<script>
+		window.setTimeout('test(function() {assert_false(true, "Unsafe eval ran in setTimeout().")})', 0);
+	</script>
+	<script>
+		window.setInterval('test(function() {assert_false(true, "Unsafe eval ran in setInterval().")})', 0);
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_4_2.php b/csp/CSP_1_4_2.php
new file mode 100755
index 00000000000000..2e054e6061bc81
--- /dev/null
+++ b/csp/CSP_1_4_2.php
@@ -0,0 +1,71 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "Function() constructor should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+
+
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_true(true, "Unsafe inline script ran.")});
+	</script>
+	<script>
+		var funq = new Function('test(function() {assert_false(true, "Unsafe eval ran in Function() constructor.")})');
+		funq();
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_5.php b/csp/CSP_1_5.php
new file mode 100755
index 00000000000000..9836b70f56c99d
--- /dev/null
+++ b/csp/CSP_1_5.php
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "sourced eval should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/evalSuccess.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_true(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_6.php b/csp/CSP_1_6.php
new file mode 100755
index 00000000000000..a23de6128ce229
--- /dev/null
+++ b/csp/CSP_1_6.php
@@ -0,0 +1,67 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' www.w3c-test.org";
+$title = "script from www2.w3c-test.org should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+
+	<div id="div1"></div>
+
+	<script src="support/loadRetargeted.php?attachTo=div1&type=script&relPath=support%2Ffail.php&hostname=www2.w3c-test.org"></script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/CSP_1_7.php b/csp/CSP_1_7.php
new file mode 100755
index 00000000000000..d6517cc83dfd4f
--- /dev/null
+++ b/csp/CSP_1_7.php
@@ -0,0 +1,49 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self'";
+$title = "javascript: uris should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<a href="javascript:alert('failed');"><h3>Click here. If you see a popup, the test has failed.</h3></a>
+
+	</body>
+</html>
diff --git a/csp/CSP_ExampleTest.php b/csp/CSP_ExampleTest.php
new file mode 100755
index 00000000000000..67b72ed01bba33
--- /dev/null
+++ b/csp/CSP_ExampleTest.php
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src *";
+$title = "Inline script should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_false(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
diff --git a/csp/MANIFEST b/csp/MANIFEST
new file mode 100644
index 00000000000000..5b3ade4f0cfb7b
--- /dev/null
+++ b/csp/MANIFEST
@@ -0,0 +1,15 @@
+support support/clearCookies.html
+CSP_1_1.php
+CSP_1_2.php
+CSP_1_2_1.php
+CSP_1_2_4.php
+CSP_1_3.php
+CSP_1_4.php
+CSP_1_4_1.php
+CSP_1_4_2.php
+CSP_1_5.php
+CSP_1_6.php
+CSP_1_10.php
+CSP_1_10_1.php
+manual CSP_1_7.php
+support support/clearCookies.html
diff --git a/csp/support/.checkReportFieldHtml.php.swp b/csp/support/.checkReportFieldHtml.php.swp
new file mode 100644
index 0000000000000000000000000000000000000000..f4f64660145121ef5b63f46d403ced2144ac9675
GIT binary patch
literal 12288
zcmeI2&2G~`5XZM54iyv-NSvnzwW*Y3(^SybILV<c{SXlWg-R8wkYjISgA=cI*GYTj
z1$Y3C+&~<;AklZ>0?z;l%GjZ8TBMc(;!w@Xf7$E#*xldc6i=(PzFLRbVwvH%%GkTz
z7Y{$by}-N)#`>b=N~wjH+D;h#e*XmPp^5ig#nG7`B<4nFqq(Og*Ga1r8Y6t(3c@HV
z;|nQcWw;jz@A)H<KHm#P<gb`cRFr`{%u7#1fC!vIATe8oxiL0Vo-W<A#^L(4$EO64
znFtU8B0vO)01+SpM1TkofwM-y$Pu=OhdPJ4fg1TOywM;6M1Tko0U|&IhyW2F0z`la
z5CI}U1kMNn*JteICC0v^((nK2e*oXEF!mMo1@#`)L(QRnTxRSOY8Ukp^#Sz;^&0gG
z)j;iyF*c3Lp#XIebsm-G|Cz2qg9s1-B0vO)01+SpM1Tko0V44K2{=5!R^lofby~5%
zgZEL#4|@>$l_+jk9gdSBBYF$h&%Cs!LTNxNuVNkVPF~Y#Z*om#{mQG06{m(%5MB^N
zq9W1tVqfHLJzZXEKAGHin%ta%T6JPD&3c^wA}sSe61nb1i5QMNvP@>3+{A?}Jlo(1
zf1D;TM%p~>(JuC9yh7TYU5r(mE1}~=c|vCm+kvaPLhHePi_i4GN_ae#Ga&8^%H)hM
zK3HgOG?rj6uT>dK9fZnR3vt(ot|>Hkq_Dw=ZIjj3n!0=7(ok-@<J!=T3!aNr8@4T^
zFA8ZA6-PG6Serst*h(o6Qi=VEm4_`i(qbs>u~5veO{_%zV4Xa45=^H=&y7OgHAfb{
z@1m(5`{7n7d>bq%Lc5bX<*da#_)v!pSg}J}TT^JVV7cBL-uKeB46!se)Z=a*%6DKb
iiC}tueill%?NSM^{Rqw*xC2B4>4w8@o3ZSd$$kO-X*?kS

literal 0
HcmV?d00001

diff --git a/csp/support/addInlineTestsWithDOMManipulation.js b/csp/support/addInlineTestsWithDOMManipulation.js
new file mode 100644
index 00000000000000..2650b347bc95ef
--- /dev/null
+++ b/csp/support/addInlineTestsWithDOMManipulation.js
@@ -0,0 +1,22 @@
+(function () 
+{ 
+ var attachPoint = document.getElementById('attachHere');
+
+ var inlineScript = document.createElement('script');
+ var scriptText = document.createTextNode('test(function() {assert_false(true, "Unsafe inline script ran - createTextNode.")});');
+
+ inlineScript.appendChild(scriptText);
+
+ attachPoint.appendChild(inlineScript);
+
+ document.getElementById('emptyScript').innerHTML = 'test(function() {assert_false(true, "Unsafe inline script ran - innerHTML.")});';
+
+ // Note, this doesn't execute in Chrome 27 even without CSP.
+ document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>test(function() {assert_false(true, "Unsafe inline script ran - outerHTML.")});</script>';
+
+ 
+ document.write('<script>test(function() {assert_false(true, "Unsafe inline script ran - document.write")});</script>');
+ document.writeln('<script>test(function() {assert_false(true, "Unsafe inline script ran - document.writeln")});</script>');
+ 
+
+})();
diff --git a/csp/support/checkReportFieldHtml.php b/csp/support/checkReportFieldHtml.php
new file mode 100644
index 00000000000000..2eb4fe095d7150
--- /dev/null
+++ b/csp/support/checkReportFieldHtml.php
@@ -0,0 +1,22 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/html");
+
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+		<script src="checkReportFieldJs.php?reportID=<?php echo urlencode($_GET['reportID']) ?>&reportField=<?php echo urlencode($_GET['reportField']) ?>&reportValue=<?php echo $_GET['reportValue'] ?>"></script>
+	</head>
+	<body>
+		<div id=log></div>
+	<body>
+</html>
diff --git a/csp/support/checkReportFieldJs.php b/csp/support/checkReportFieldJs.php
new file mode 100644
index 00000000000000..7500277a6693e9
--- /dev/null
+++ b/csp/support/checkReportFieldJs.php
@@ -0,0 +1,63 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+$cleanQuotedCookieId = json_encode($_GET['reportID']);
+$cleanReportField = json_encode($_GET['reportField']);
+$cleanReportValue = json_encode($_GET['reportValue']);
+
+?>
+
+(function () 
+{ 
+  function createCookie(name,value,days) {
+	if (days) {
+		var date = new Date();
+		date.setTime(date.getTime()+(days*24*60*60*1000));
+		var expires = "; expires="+date.toGMTString();
+	}
+	else var expires = "";
+	document.cookie = name+"="+value+expires+"; path=/";
+}
+
+ function readCookie(name) {
+	var nameEQ = name + "=";
+	var ca = document.cookie.split(';');
+	for(var i=0;i < ca.length;i++) {
+		var c = ca[i];
+		while (c.charAt(0)==' ') c = c.substring(1,c.length);
+		if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
+	undefined}
+	return null;
+}
+
+  function eraseCookie(name) {
+	createCookie(name,"",-1);
+}
+
+function reportdecode (str) {
+
+  if(str!= null){ str = str.replace(/"/g, '$'); }
+
+  return decodeURIComponent((str + '').replace(/\+/g, '%20'));
+}
+ test(function() {
+
+	var x = reportdecode(readCookie(<?php echo $cleanQuotedCookieId ?>));
+	eraseCookie(<?php echo $cleanQuotedCookieId ?>);
+
+        report = JSON.parse(x);	
+	
+	assert_false(report === null, "Report not sent.");
+	assert_equals(report['csp-report'][<?php echo $cleanReportField ?>],<?php echo $cleanReportValue ?>);
+
+}, "Verify report contents.");
+
+})();
+
diff --git a/csp/support/clearCookies.html b/csp/support/clearCookies.html
new file mode 100644
index 00000000000000..453efc0e55a717
--- /dev/null
+++ b/csp/support/clearCookies.html
@@ -0,0 +1,12 @@
+<html>
+<head>
+	<script>
+document.cookie = "";
+	</script>
+	<script src="/resources/testharness.js"></script>
+	<script src="/resources/testharnessreport.js"></script>
+	<script src="success.php"></script>
+</head>
+<body>
+</body>
+</html>
diff --git a/csp/support/evalSuccess.php b/csp/support/evalSuccess.php
new file mode 100755
index 00000000000000..bca9b4e8511831
--- /dev/null
+++ b/csp/support/evalSuccess.php
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+	eval('test(function() {assert_true(true)}, "Generic positive signal that test suite is working...");');
+})()
diff --git a/csp/support/fail.php b/csp/support/fail.php
new file mode 100755
index 00000000000000..3120504f6a8fcb
--- /dev/null
+++ b/csp/support/fail.php
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+	test(function() {assert_true(false)}, "Script should not execute from "+document.location);
+})()
diff --git a/csp/support/loadRetargeted.php b/csp/support/loadRetargeted.php
new file mode 100755
index 00000000000000..bc319078121708
--- /dev/null
+++ b/csp/support/loadRetargeted.php
@@ -0,0 +1,37 @@
+<?php
+header("Content-type: text/javascript");
+
+function isset_or_je(&$check, $alternate = NULL) 
+{ 
+    return (isset($check)) ? (empty($check) ? $alternate : json_encode($check)) : $alternate; 
+}
+
+?>
+(function ()
+{
+ var attachPoint = document.getElementById(<?php echo json_encode($_GET['attachTo']) ?>);
+
+ var newElem = document.createElement(<?php echo json_encode($_GET['type']) ?>);
+
+
+ var newSrc = "";
+
+ newSrc += <?php echo isset_or_je($_GET['protocol'], 'window.location.protocol') ?>;
+ newSrc += "//";
+ newSrc += <?php echo isset_or_je($_GET['hostname'], 'window.location.hostname') ?>;
+ newSrc += <?php echo isset_or_je($_GET['port'], 'window.location.port') ?>;
+
+ pathComponents = window.location.pathname.split('/');
+ for(var i = 0; i < pathComponents.length - 1; i++)
+ {
+   newSrc += pathComponents[i] + "/";
+ }
+
+ newSrc += "<?php echo $_GET['relPath'] ?>";
+
+ newElem.src = newSrc;
+
+ attachPoint.appendChild(newElem);
+
+
+})()
diff --git a/csp/support/setReportAsCookie.php b/csp/support/setReportAsCookie.php
new file mode 100644
index 00000000000000..6b9cf119b4f90c
--- /dev/null
+++ b/csp/support/setReportAsCookie.php
@@ -0,0 +1,12 @@
+<?php
+error_reporting(~0); ini_set('display_errors',1);
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+header("Set-Cookie: " . $_GET['reportID'] . "=" . urlencode(file_get_contents('php://input')) . "; Path=/;");
+?>
diff --git a/csp/support/success.php b/csp/support/success.php
new file mode 100755
index 00000000000000..87c5ec99dd4a34
--- /dev/null
+++ b/csp/support/success.php
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+	test(function() {assert_true(true)}, "Generic positive signal that test suite is working...");
+})()
diff --git a/csp/support/test.xsl.php b/csp/support/test.xsl.php
new file mode 100644
index 00000000000000..ef1e2daa552361
--- /dev/null
+++ b/csp/support/test.xsl.php
@@ -0,0 +1,18 @@
+<?php
+header("Content-Type: application/xml");
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+?>
+<?php echo<<<EOXML
+<?xml version="1.0" encoding="utf-8"?>
+EOXML;
+?>
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:xhtml="http://www.w3.org/1999/xhtml" version="1.0" exclude-result-prefixes="xhtml">
+
+</xsl:stylesheet>
diff --git a/csp/support/verifyNoReportHtml.php b/csp/support/verifyNoReportHtml.php
new file mode 100644
index 00000000000000..6eb5dfa77d5def
--- /dev/null
+++ b/csp/support/verifyNoReportHtml.php
@@ -0,0 +1,22 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/html");
+
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+		<script src="verifyNoReportJs.php?reportID=<?php echo urlencode($_GET['reportID']) ?>&reportField=<?php echo urlencode($_GET['reportField']) ?>&reportValue=<?php echo $_GET['reportValue'] ?>"></script>
+	</head>
+	<body>
+		<div id=log></div>
+	<body>
+</html>
diff --git a/csp/support/verifyNoReportJs.php b/csp/support/verifyNoReportJs.php
new file mode 100644
index 00000000000000..0305eda814e9fc
--- /dev/null
+++ b/csp/support/verifyNoReportJs.php
@@ -0,0 +1,60 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+$cleanQuotedCookieId = json_encode($_GET['reportID']);
+$cleanReportField = json_encode($_GET['reportField']);
+$cleanReportValue = json_encode($_GET['reportValue']);
+
+?>
+
+(function () 
+{ 
+
+ function readCookie(name) {
+	var nameEQ = name + "=";
+	var ca = document.cookie.split(';');
+	for(var i=0;i < ca.length;i++) {
+		var c = ca[i];
+		while (c.charAt(0)==' ') c = c.substring(1,c.length);
+		if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
+	undefined}
+	return null;
+}
+
+ function createCookie(name,value,days) {
+	if (days) {
+		var date = new Date();
+		date.setTime(date.getTime()+(days*24*60*60*1000));
+		var expires = "; expires="+date.toGMTString();
+	}
+	else var expires = "";
+	document.cookie = name+"="+value+expires+"; path=/";
+}
+
+  function eraseCookie(name) {
+	createCookie(name,"",-1);
+}
+
+function reportdecode (str) {
+
+  if(str!= null){ str = str.replace(/"/g, '$'); }
+
+  return decodeURIComponent((str + '').replace(/\+/g, '%20'));
+}
+ test(function() {
+
+	var x = reportdecode(readCookie(<?php echo $cleanQuotedCookieId ?>));
+	assert_equals(x, "null");
+	eraseCookie(<?php echo $cleanQuotedCookieId ?>);
+
+}, "Verified no report sent.");
+
+})();
+