| Spec Level | Spec Feature | Test URLs | Chrome 51.0.2699.0 canary (64-bit) | Firefox Nightly 48.0a1 (2016-04-04) | Safari Technical Preview 9.9.1 |
|---|---|---|---|---|---|
| 1 | Report-Only header | TODO | | | |
| 2 | meta tag outside head | http://w3c-test.org/content-security-policy/blink-contrib-2/meta-outside-head.sub.html | PASS | PASS | FAIL |
| 2 | meta tag | http://w3c-test.org/content-security-policy/meta-img-src.html | PASS | PASS | PASS |
| 2 | no report-uri in meta | http://w3c-test.org/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html | FAIL | PASS | PASS |
| 2 | no frame-ancestors in meta | http://w3c-test.org/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html | PASS | PASS | PASS |
| 2 | no sandbox in meta | TODO | | | |
| 2 | meta and header policy combination | http://w3c-test.org/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html | PASS | PASS | PASS |
| 2 | modifications of meta after parsing | http://w3c-test.org/content-security-policy/meta-img-src.html | PASS | PASS | PASS |

| Spec Level | Spec Feature | Test URLs | Chrome 51.0.2699.0 canary (64-bit) | Firefox Nightly 48.0a1 (2016-04-04) | Safari Technical Preview 9.9.1 |
|---|---|---|---|---|---|
| 1 | enforce for HTML as top-level document | (entire test suite) | PASS | PASS | PASS |
| 1 | delivered policy governs iframe in embedded context | TODO | | | |
| 2 | parent policy governs iframe from srcdoc or guid | http://w3c-test.org/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html | PASS | PASS | PASS |
| 2 | enforce for SVG as top-level document | http://w3c-test.org/content-security-policy/svg/scripted.svg | PASS | PASS | PASS |
| 1 | delivered policy governs SVG in embedded context | http://w3c-test.org/content-security-policy/svg/svg-policy-with-resource.html | PASS | PASS | PASS |
| 2 | parent policy governs SVG created from guid | http://w3c-test.org/content-security-policy/svg/svg-from-guid.html | PASS | PASS | PASS |
| 1 | including context policy governs inline SVG | http://w3c-test.org/content-security-policy/svg/svg-inline.sub.html | PASS | PASS | PASS |
| 2 | including context policy governs SVG as resource document | http://w3c-test.org/content-security-policy/svg/svg-policy-resource-doc-includes.html | PASS | PASS | PASS |
| 2 | parent policy governs Worker from guid | http://w3c-test.org/content-security-policy/blink-contrib/worker-from-guid.sub.html | PASS 1/2 (blocks but doesn't report) | PASS | PASS 1/2 (blocks but doesn't report) |
| 2 | delivered policy governs Worker | http://w3c-test.org/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-eval-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-script-src.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html | PASS | PASS 12/18 | PASS |
| 2 | policy delivered with script governs SharedWorker | http://w3c-test.org/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html | PASS | FAIL, policy delivered with SharedWorker not enforced | SharedWorker not implemented |

| Spec Level | Spec Feature | Test URLs | Chrome 51.0.2699.0 canary (64-bit) | Firefox Nightly 48.0a1 (2016-04-04) | Safari Technical Preview 9.9.1 |
|---|---|---|---|---|---|
| 1 | policy syntax | http://w3c-test.org/content-security-policy/generic/generic-0_1-img-src.html; http://w3c-test.org/content-security-policy/generic/generic-0_1-script-src.html; http://w3c-test.org/content-security-policy/generic/generic-0_10.html; http://w3c-test.org/content-security-policy/generic/generic-0_10_1.sub.html; http://w3c-test.org/content-security-policy/generic/generic-0_2.html; http://w3c-test.org/content-security-policy/generic/generic-0_2_2.sub.html; http://w3c-test.org/content-security-policy/generic/generic-0_2_3.html; http://w3c-test.org/content-security-policy/generic/generic-0_8.html; http://w3c-test.org/content-security-policy/generic/generic-0_8_1.sub.html; http://w3c-test.org/content-security-policy/generic/generic-0_9.sub.html | PASS | PASS | PASS |
| 2 | path matching | http://w3c-test.org/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html | PASS | PASS | PASS |
| 2 | GUID url schemes | TODO: check comparison with *, 'self' for blob: and data: (chrome allows blob: for 'self'?); http://w3c-test.org/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html; /content-security-policy/blink-contrib/blob-urls-match-blob.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html | PASS | PASS (N/A for filesystem:) | PASS (N/A for filesystem:) |
| 2 | GUID url schemes: worker from blob: doesn't match 'self' or * | http://w3c-test.org/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html | PASS | PASS | PASS |
| 1 | redirects | http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html | PASS 4/5, FAIL for connect-src beacon redirect | PASS 4/5, FAIL for form-action | PASS 3/5, FAIL for form-action, beacon not implemented |
| 2 | nonces | http://w3c-test.org/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html | PASS | PASS 6/7, nonce with whitespace fails | PASS |
| 2 | hashes | http://w3c-test.org/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html | PASS | TODO: investigate test suite here | PASS |

| Spec Level | Spec Feature | Test URLs | Chrome 51.0.2699.0 canary (64-bit) | Firefox Nightly 48.0a1 (2016-04-04) | Safari Technical Preview 9.9.1 |
|---|---|---|---|---|---|
| 2 | media types | http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html | PASS | FAIL: unknown directive 'plugin-types' | PASS 5/6 (missed onerror handler) |
| 1 | Reporting - violated directive | (every test) | PASS | PASS | PASS |
| 1 | Reporting - blocked-uri | TODO | | | |
| 1 | Reporting - document-uri | TODO | | | |
| 2 | Reporting - effective-directive | TODO | | | |
| 1 | Reporting - original-policy | TODO | | | |
| 1 | Reporting - referrer | TODO | | | |
| 2 | Reporting - status-code | TODO | | | |
| 2 | Reporting - source-file | TODO | | | |
| 2 | Reporting - line-number | TODO | | | |
| 2 | Reporting - column-number | TODO | | | |
| 2 | Script Interfaces - SecurityPolicyViolationEvent | http://w3c-test.org/content-security-policy/reporting/securitypolicyviolation-idl.html | PASS 24/29 | not implemented | PASS 24/29 |
| 2 | Script Interfaces - SecurityPolicyViolationEventInit | http://w3c-test.org/content-security-policy/reporting/securitypolicyviolation-idl.html | PASS 24/29 | not implemented | PASS 24/29 |

| Spec Level | Spec Feature | Test URLs | Chrome 51.0.2699.0 canary (64-bit) | Firefox Nightly 48.0a1 (2016-04-04) | Safari Technical Preview 9.9.1 |
|---|---|---|---|---|---|
| 2 | base-uri | http://w3c-test.org/content-security-policy/blink-contrib-2/base-uri-allow.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/base-uri-deny.sub.html | PASS | PASS | PASS |
| 2 | child-src | http://w3c-test.org/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-allowed.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-blocked.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-confliciting-frame-src.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-worker-allowed.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-worker-blocked.sub.html; http://w3c-test.org/content-security-policy/child-src/child-src-cross-origin-load.sub.html | PASS | PASS but iframe doesn't fire onload when blocking | PASS but iframe doesn't fire onload when blocking |
| 1 | connect-src | http://w3c-test.org/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html | PASS 14/15, FAIL Beacon redirect | PASS 13/15, FAIL worker/SharedWorker allowed | PASS 10/15, SharedWorker and Beacon not implemented |
| 1 | default-src | http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html; http://w3c-test.org/content-security-policy/generic/generic-0_1-img-src.html; http://w3c-test.org/content-security-policy/generic/generic-0_1-script-src.html | PASS | PASS | PASS |
| 1 | font-src | http://w3c-test.org/content-security-policy/font-src/font-blacklisted.html; http://w3c-test.org/content-security-policy/font-src/font-whitelisted.html | PASS | PASS | PASS |
| 2 | form-action | http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html | PASS | PASS, doesn't block across redirects for POST | PASS, doesn't block across redirects |
| 2 | frame-ancestors | http://w3c-test.org/content-security-policy/frame-ancestors/deep-allows-none.sub.html; http://w3c-test.org/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html; http://w3c-test.org/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html; http://w3c-test.org/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html; http://w3c-test.org/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html; http://w3c-test.org/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html; http://w3c-test.org/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html | PASS | PASS | PASS |
| 1 | frame-src | http://w3c-test.org/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/frame-src-about-blank-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/frame-src-about-blank-blocked.sub.html | PASS | PASS but iframes do not fire onload when blocked | PASS but iframes do not fire onload when blocked |
| 1 | media-src | http://w3c-test.org/content-security-policy/blink-contrib/media-src-track-block.sub.html; http://w3c-test.org/content-security-policy/media-src/media-src-7_1.html; http://w3c-test.org/content-security-policy/media-src/media-src-7_2.html; http://w3c-test.org/content-security-policy/media-src/media-src-7_3.html; http://w3c-test.org/content-security-policy/media-src/media-src-7_3_2.html; http://w3c-test.org/content-security-policy/media-src/media-src-7_1_2.html; http://w3c-test.org/content-security-policy/media-src/media-src-7_2_2.html | PASS | PASS 4/7 (blocks, but missed reports / onerror handlers) | PASS |
| 1 | object-src | http://w3c-test.org/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-applet-archive.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-applet-code.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-url-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/object-src-url-blocked.sub.html; http://w3c-test.org/content-security-policy/object-src/object-src-2_1.html; http://w3c-test.org/content-security-policy/object-src/object-src-2_2.html | PASS | PASS 10/11, FAIL to block object with no url | PASS |
| 2 | plugin-types | http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html | PASS | FAIL: unknown directive | PASS 7/8, no onerror fires when loading data with no type |
| 1 | report-uri | (every test); http://w3c-test.org/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html | PASS 6/7, FAIL meta report-uri not blocked | PASS | PASS |
| 1 | sandbox | http://webappsec-test.info/~bhill2/sandbox/matrix.html (MANUAL TEST) | PASS | PASS | PASS |
| 1 | script-src | http://w3c-test.org/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/worker-script-src.sub.html; http://w3c-test.org/content-security-policy/generic/generic-0_1-script-src.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_1.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_10.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_10_1.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_2.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_2_1.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_3.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_4.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_4_1.html; http://w3c-test.org/content-security-policy/script-src/script-src-1_4_2.html | PASS | eval() and Function constructor do not throw EvalError | eval() and Function constructor do not throw EvalError |
| 1 | style-src | http://w3c-test.org/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/inline-style-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/inline-style-blocked.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/style-allowed.sub.html; http://w3c-test.org/content-security-policy/blink-contrib/style-blocked.sub.html; http://w3c-test.org/content-security-policy/style-src/style-src-3_1.html; http://w3c-test.org/content-security-policy/style-src/style-src-3_2.html; http://w3c-test.org/content-security-policy/style-src/style-src-3_3.html; http://w3c-test.org/content-security-policy/style-src/style-src-3_4.html | PASS 13/14, FAIL cloning | PASS | PASS 13/14, FAIL cloning |