IsolatedWorldCSP: Remove IsolatedWorldCSP blink runtime feature.

Remove the IsolatedWorldCSP blink runtime feature and have the isolated
world CSP always enforced. The current behavior when the
IsolatedWorldCSP feature is disabled, is to just bypass the main world
CSP for clients which set the isolated world CSP.

For the most part, there shouldn't be any behavior change. Currently
there are 3 blink clients which set an isolated world CSP:

- Mv2 extensions specify an empty CSP, so there shouldn't be any
behavior change for them. The empty CSP should behave the same as the
main world CSP being bypassed.

- The translate component does set a non-empty CSP. To preserve the same
behavior we change it's CSP to an empty one.

- Mv3 extensions specify a non-empty CSP and this CSP will now be
enforced in isolated worlds, which is what we want.

BUG=896041

Change-Id: I9c5bf6cff5dda6f5ee9090a873c9fcbc42eab317
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2439540
Auto-Submit: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#815474}

components/translate/content/renderer/isolated_world_util.cc

@@ -23,7 +23,10 @@ void EnsureIsolatedWorldInitialized(int world_id) {
   }
 
   last_used_world_id = world_id;
-  constexpr char kContentSecurityPolicy[] = "script-src 'self' 'unsafe-eval'";
+
+  // Set an empty CSP so that the main world's CSP is not used in the isolated
+  // world.
+  constexpr char kContentSecurityPolicy[] = "";
 
   blink::WebIsolatedWorldInfo info;
   info.security_origin =

third_party/blink/public/platform/web_isolated_world_info.h

@@ -25,13 +25,8 @@ struct WebIsolatedWorldInfo {
   WebSecurityOrigin security_origin;
 
   // Associates a content security policy with an isolated world. This policy
-  // should be used when evaluating script in the isolated world, and should
-  // also replace a protected resource's CSP when evaluating resources
-  // injected into the DOM.
+  // should be used when evaluating script in the isolated world.
   //
-  // TODO(crbug.com/896041): Setting this simply bypasses the protected
-  // resource's CSP. It doesn't yet restrict the isolated world to the provided
-  // policy.
   // Note: If this is null, the content security policy for the isolated world
   // is cleared. Else if this is specified, |security_origin| must also be
   // specified.

third_party/blink/renderer/bindings/core/v8/isolated_world_csp.cc

@@ -26,6 +26,8 @@ namespace blink {
 
 namespace {
 
+enum class CSPType { kEmpty, kNonEmpty };
+
 class IsolatedWorldCSPDelegate final
     : public GarbageCollected<IsolatedWorldCSPDelegate>,
       public ContentSecurityPolicyDelegate {
@@ -34,11 +36,11 @@ class IsolatedWorldCSPDelegate final
   IsolatedWorldCSPDelegate(LocalDOMWindow& window,
                            scoped_refptr<SecurityOrigin> security_origin,
                            int32_t world_id,
-                           bool apply_policy)
+                           CSPType type)
       : window_(&window),
         security_origin_(std::move(security_origin)),
         world_id_(world_id),
-        apply_policy_(apply_policy) {
+        csp_type_(type) {
     DCHECK(security_origin_);
   }
 
@@ -79,14 +81,16 @@ class IsolatedWorldCSPDelegate final
   String GetDocumentReferrer() override { return g_empty_string; }
   void DispatchViolationEvent(const SecurityPolicyViolationEventInit&,
                               Element*) override {
-    DCHECK(apply_policy_);
+    // Sanity check that an empty CSP doesn't lead to a violation.
+    DCHECK(csp_type_ == CSPType::kNonEmpty);
   }
   void PostViolationReport(const SecurityPolicyViolationEventInit&,
                            const String& stringified_report,
                            bool is_frame_ancestors_violation,
                            const Vector<String>& report_endpoints,
                            bool use_reporting_api) override {
-    DCHECK(apply_policy_);
+    // Sanity check that an empty CSP doesn't lead to a violation.
+    DCHECK(csp_type_ == CSPType::kNonEmpty);
   }
 
   void Count(WebFeature feature) override {
@@ -122,10 +126,7 @@ class IsolatedWorldCSPDelegate final
   const Member<LocalDOMWindow> window_;
   const scoped_refptr<SecurityOrigin> security_origin_;
   const int32_t world_id_;
-
-  // Whether the 'IsolatedWorldCSP' feature is enabled, and we are applying the
-  // CSP provided by the isolated world.
-  const bool apply_policy_;
+  const CSPType csp_type_;
 };
 
 }  // namespace
@@ -177,20 +178,16 @@ ContentSecurityPolicy* IsolatedWorldCSP::CreateIsolatedWorldCSP(
   const String& policy = it->value.policy;
   scoped_refptr<SecurityOrigin> self_origin = it->value.self_origin;
 
-  const bool apply_policy = RuntimeEnabledFeatures::IsolatedWorldCSPEnabled();
-
   auto* csp = MakeGarbageCollected<ContentSecurityPolicy>();
 
   IsolatedWorldCSPDelegate* delegate =
       MakeGarbageCollected<IsolatedWorldCSPDelegate>(
-          window, std::move(self_origin), world_id, apply_policy);
+          window, std::move(self_origin), world_id,
+          policy.IsEmpty() ? CSPType::kEmpty : CSPType::kNonEmpty);
   csp->BindToDelegate(*delegate);
-
-  if (apply_policy) {
-    csp->AddPolicyFromHeaderValue(
-        policy, network::mojom::ContentSecurityPolicyType::kEnforce,
-        network::mojom::ContentSecurityPolicySource::kHTTP);
-  }
+  csp->AddPolicyFromHeaderValue(
+      policy, network::mojom::ContentSecurityPolicyType::kEnforce,
+      network::mojom::ContentSecurityPolicySource::kHTTP);
 
   return csp;
 }

third_party/blink/renderer/bindings/core/v8/isolated_world_csp.h

@@ -29,9 +29,6 @@ class CORE_EXPORT IsolatedWorldCSP {
   // world should be restricted based on the isolated world's CSP, not the
   // main world's.
   //
-  // TODO(crbug.com/896041): Right now, resource injection simply bypasses the
-  // main world's CSP. More work is necessary to allow the isolated world's
-  // policy to be applied correctly.
   // Note: If |policy| is null, the PolicyInfo for |world_id| is cleared. If
   // |policy| is specified, |self_origin| must not be null.
   void SetContentSecurityPolicy(int32_t world_id,

third_party/blink/renderer/core/execution_context/execution_context.h

@@ -174,11 +174,6 @@ class CORE_EXPORT ExecutionContext : public Supplementable<ExecutionContext>,
 
   // Returns the content security policy to be used based on the current
   // JavaScript world we are in.
-  // Note: As part of crbug.com/896041, existing usages of
-  // ContentSecurityPolicy::ShouldBypassMainWorld should eventually be replaced
-  // by GetContentSecurityPolicyForCurrentWorld. However this is under active
-  // development, hence new callers should still use
-  // ContentSecurityPolicy::ShouldBypassMainWorld for now.
   ContentSecurityPolicy* GetContentSecurityPolicyForCurrentWorld();
 
   // Returns the content security policy to be used for the given |world|.

third_party/blink/renderer/core/frame/csp/content_security_policy.h

@@ -436,10 +436,19 @@ class CORE_EXPORT ContentSecurityPolicy final
 
   // Whether the main world's CSP should be bypassed based on the current
   // javascript world we are in.
+  // Note: This is deprecated. New usages should not be added. Operations in an
+  // isolated world should use the isolated world CSP instead of bypassing the
+  // main world CSP. See
+  // ExecutionContext::GetContentSecurityPolicyForCurrentWorld.
+  // TODO(karandeepb): Rename to ShouldBypassMainWorldDeprecated.
   static bool ShouldBypassMainWorld(const ExecutionContext*);
 
   // Whether the main world's CSP should be bypassed for operations in the given
   // |world|.
+  // Note: This is deprecated. New usages should not be added. Operations in an
+  // isolated world should use the isolated world CSP instead of bypassing the
+  // main world CSP. See ExecutionContext::GetContentSecurityPolicyForWorld.
+  // TODO(karandeepb): Rename to ShouldBypassMainWorldDeprecated.
   static bool ShouldBypassMainWorld(const DOMWrapperWorld* world);
 
   static bool IsNonceableElement(const Element*);

third_party/blink/renderer/core/frame/local_dom_window_test.cc

@@ -168,20 +168,8 @@ TEST_F(LocalDOMWindowTest, EnforceSandboxFlags) {
       GetFrame().DomWindow()->GetSecurityOrigin()->IsPotentiallyTrustworthy());
 }
 
-// Test fixture parameterized on whether the "IsolatedWorldCSP" feature is
-// enabled.
-class IsolatedWorldCSPTest : public PageTestBase,
-                             public testing::WithParamInterface<bool>,
-                             private ScopedIsolatedWorldCSPForTest {
- public:
-  IsolatedWorldCSPTest() : ScopedIsolatedWorldCSPForTest(GetParam()) {}
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(IsolatedWorldCSPTest);
-};
-
 // Tests ExecutionContext::GetContentSecurityPolicyForCurrentWorld().
-TEST_P(IsolatedWorldCSPTest, CSPForWorld) {
+TEST_F(PageTestBase, CSPForWorld) {
   using ::testing::ElementsAre;
 
   // Set a CSP for the main world.
@@ -239,28 +227,13 @@ TEST_P(IsolatedWorldCSPTest, CSPForWorld) {
   }
 
   {
-    bool is_isolated_world_csp_enabled = GetParam();
-    SCOPED_TRACE(base::StringPrintf(
-        "In isolated world with csp and 'IsolatedWorldCSP' %s",
-        is_isolated_world_csp_enabled ? "enabled" : "disabled"));
+    SCOPED_TRACE("In isolated world with csp.");
     ScriptState::Scope scope(isolated_world_with_csp_script_state);
-
-    if (!is_isolated_world_csp_enabled) {
-      // With 'IsolatedWorldCSP' feature disabled, we should just bypass the
-      // main world CSP by using an empty CSP.
-      EXPECT_TRUE(get_csp_headers().IsEmpty());
-    } else {
-      // With 'IsolatedWorldCSP' feature enabled, we use the isolated world's
-      // CSP if it specified one.
-      EXPECT_THAT(
-          get_csp_headers(),
-          ElementsAre(CSPHeaderAndType(
-              {kIsolatedWorldCSP, ContentSecurityPolicyType::kEnforce})));
-    }
+    // We use the isolated world's CSP if it specified one.
+    EXPECT_THAT(get_csp_headers(),
+                ElementsAre(CSPHeaderAndType(
+                    {kIsolatedWorldCSP, ContentSecurityPolicyType::kEnforce})));
   }
 }
 
-INSTANTIATE_TEST_SUITE_P(All,
-                         IsolatedWorldCSPTest,
-                         testing::Values(true, false));
 }  // namespace blink

third_party/blink/renderer/platform/runtime_enabled_features.json5

@@ -964,11 +964,6 @@
       name: "IsolatedCodeCache",
       status: "stable",
     },
-    {
-      // If enabled, CSP checks use the isolated world CSP when in an isolated
-      // world. See crbug.com/896041.
-      name: "IsolatedWorldCSP"
-    },
     {
       name: "KeyboardFocusableScrollers",
       status: "experimental",

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt

@@ -17,7 +17,9 @@ ALERT: LOADED
 ALERT: Running test #1
 
 ALERT: Test in isolated world with restrictive CSP
-ALERT: LOADED
+CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?0' because it violates the following Content Security Policy directive: "img-src 'self'".
+
+ALERT: BLOCKED
 ALERT: Running test #0
 
  This test ensures that img-src checks respect the isolated world CSP when the IsolatedWorldCSP feature is enabled and bypass the main world CSP checks otherwise.

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-font-src-expected.txt

 ALERT: With lax isolated world CSP
 ALERT: With strict isolated world CSP
+CONSOLE ERROR: Refused to load the font 'http://127.0.0.1:8000/resources/Ahem.ttf?num=2' because it violates the following Content Security Policy directive: "font-src 'none'".
+
 This test ensures that scripts run in isolated worlds marked with their own Content Security Policy aren't affected by the page's font-src directive.

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-script-expected.txt

@@ -17,18 +17,19 @@ CONSOLE MESSAGE: EXECUTED in isolated world.
 CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
 
 CONSOLE MESSAGE: Executed using document.write in isolated world. Is main world: true
-CONSOLE MESSAGE: line 90: Disallowing unsafe-inline for the isolated world.
-CONSOLE MESSAGE: line 91: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-CONSOLE MESSAGE: EXECUTED in isolated world.
+CONSOLE MESSAGE: line 88: Disallowing unsafe-inline for the isolated world.
+CONSOLE ERROR: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-weyW8ZEkQAD8it2iIcRJESCAdVG/APiGxF6JYEqMvKo='), or a nonce ('nonce-...') is required to enable inline execution.
+
 CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
 
-CONSOLE MESSAGE: Executed using document.write in isolated world. Is main world: true
-CONSOLE MESSAGE: line 100: Using an empty CSP for the isolated world. This should pass.
+CONSOLE ERROR: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-pB86azbmdo0Ymgsz9MvuZe0osiEViwXGte4Z0AtHPXs='), or a nonce ('nonce-...') is required to enable inline execution.
+
+CONSOLE MESSAGE: line 94: Using an empty CSP for the isolated world. This should pass.
 CONSOLE MESSAGE: EXECUTED in isolated world.
 CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
 
 CONSOLE MESSAGE: Executed using document.write in isolated world. Is main world: true
-CONSOLE MESSAGE: line 106: Injecting into main world again: this should fail.
+CONSOLE MESSAGE: line 100: Injecting into main world again: this should fail.
 CONSOLE ERROR: line 18: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-09Et/dqtUwF1zPoVDKo5ZDj2NUXqkLUxcQfh9UtQQt0='), or a nonce ('nonce-...') is required to enable inline execution.
 
 CONSOLE ERROR: line 26: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

@@ -16,10 +16,13 @@ CONSOLE MESSAGE: line 93: Have a separate CSP for the isolated world. Use an emp
 CONSOLE MESSAGE: PASS: Style assignment in test 3 was not blocked by CSP.
 CONSOLE MESSAGE: PASS: Style attribute assignment in test 3 was not blocked by CSP.
 CONSOLE MESSAGE: line 99: Have a separate CSP for the isolated world. Disallow unsafe-inline.
-CONSOLE MESSAGE: line 103: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-CONSOLE MESSAGE: PASS: Style assignment in test 2 was not blocked by CSP.
-CONSOLE MESSAGE: PASS: Style attribute assignment in test 2 was not blocked by CSP.
-CONSOLE MESSAGE: line 110: Injecting into main world again: this should fail.
+CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-0B38VDo0PSzEMTh/bG58xIoc1+UQzjQ8WF/8+v2xP9w='), or a nonce ('nonce-...') is required to enable inline execution.
+
+CONSOLE MESSAGE: PASS: Style assignment in test 2 was blocked by CSP.
+CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to enable inline execution.
+
+CONSOLE MESSAGE: PASS: Style attribute assignment in test 2 was blocked by CSP.
+CONSOLE MESSAGE: line 106: Injecting into main world again: this should fail.
 CONSOLE ERROR: line 20: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-bUBNmssmL79UBWplbQJyN9Hi2tRE9H345W5DVyjdUq4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 31: PASS: Style assignment in test 1 was blocked by CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-javascript-urls-expected.txt

@@ -7,6 +7,7 @@ ALERT: Isolated world with permissive CSP
 ALERT: iframe javascript: src running
 ALERT: Running test #3
 ALERT: Isolated world with strict CSP
-ALERT: iframe javascript: src running
+CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
+
 ALERT: Running test #4
 This test verifies the behavior of navigations to javascript urls in isolated worlds and its interaction with the isolated world CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/isolated-world-eval-csp-expected.txt

@@ -5,8 +5,9 @@ CONSOLE MESSAGE: line 13: PASS: eval blocked as expected.
 CONSOLE MESSAGE: line 44: Testing isolated world with no csp. Eval should be allowed.
 CONSOLE MESSAGE: PASS: eval allowed as expected.
 CONSOLE MESSAGE: line 55: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 58: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-CONSOLE MESSAGE: PASS: eval allowed as expected.
-CONSOLE MESSAGE: line 68: Testing isolated world with permissive csp.
+CONSOLE MESSAGE: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'none'".
+
+CONSOLE MESSAGE: PASS: eval blocked as expected.
+CONSOLE MESSAGE: line 64: Testing isolated world with permissive csp.
 CONSOLE MESSAGE: PASS: eval allowed as expected.
 This tests the handling of unsafe-eval CSP checks and its interaction with the isolated world CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/isolated-world-fetch-csp-expected.txt

@@ -13,9 +13,13 @@ CONSOLE MESSAGE: PASS: Request succeeded as expected.
 CONSOLE MESSAGE: line 71: Testing fetch redirect in isolated world with permissive csp.
 CONSOLE MESSAGE: PASS: Request succeeded as expected.
 CONSOLE MESSAGE: line 78: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 79: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-CONSOLE MESSAGE: PASS: Request succeeded as expected.
-CONSOLE MESSAGE: line 91: Testing fetch redirect in isolated world with strict csp.
-CONSOLE MESSAGE: line 92: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-CONSOLE MESSAGE: PASS: Request succeeded as expected.
+CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the following Content Security Policy directive: "connect-src 'self'".
+
+CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the document's Content Security Policy.
+CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
+CONSOLE MESSAGE: line 87: Testing fetch redirect in isolated world with strict csp.
+CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/resources/redirect.php?url=http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php&cors_allow_origin=*&delay=100' because it violates the following Content Security Policy directive: "connect-src 'self'".
+
+CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/resources/redirect.php?url=http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php&cors_allow_origin=*&delay=100' because it violates the document's Content Security Policy.
+CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
 This tests the interaction of the fetch API run in the isolated world with the isolated world CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/isolated-world-location-csp-expected.txt

@@ -10,7 +10,7 @@ CONSOLE MESSAGE: line 63: Testing isolated world with permissive csp.
 ALERT: iframe javascript: src running
 CONSOLE MESSAGE: PASS: Javascript url worked as expected
 CONSOLE MESSAGE: line 70: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 71: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-ALERT: iframe javascript: src running
-CONSOLE MESSAGE: PASS: Javascript url worked as expected
+CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
+
+CONSOLE MESSAGE: PASS: Javascript url blocked as expected.
 This tests the isolated world CSP and its implications on changing the window location to Javascript urls.

third_party/blink/web_tests/http/tests/security/isolatedWorld/isolated-world-send-beacon-csp-expected.txt

@@ -7,5 +7,6 @@ CONSOLE ERROR: Refused to connect to 'http://localhost:8000/security/isolatedWor
 CONSOLE MESSAGE: line 26: Testing isolated world with permissive csp.
 PingLoader dispatched to 'http://localhost:8000/security/isolatedWorld/resources/empty.html'.
 CONSOLE MESSAGE: line 34: Testing isolated world with strict csp.
-PingLoader dispatched to 'http://localhost:8000/security/isolatedWorld/resources/empty.html'.
+CONSOLE ERROR: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/empty.html' because it violates the following Content Security Policy directive: "connect-src 'self'".
+
 This tests the interaction of sendBeacon command run in the isolated world with the isolated world CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js

@@ -85,13 +85,7 @@ function test() {
         testInlineScript(true, 1);
         break;
       case 3:
-        // This case is dependent on whether the "IsolatedWorldCSP" feature is
-        // enabled.
         console.log('Disallowing unsafe-inline for the isolated world.');
-        console.log(
-            'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-            internals.runtimeFlags.isolatedWorldCSPEnabled);
-
         testRunner.setIsolatedWorldInfo(
             1, 'chrome-extension://123', 'script-src \'none\'');
         testInlineScript(true, 1);

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

@@ -100,11 +100,7 @@ function test() {
             'Have a separate CSP for the isolated world. Disallow unsafe-inline.');
         testRunner.setIsolatedWorldInfo(
             1, 'chrome-extension://123', 'style-src \'none\'');
-        console.log(
-            'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-            internals.runtimeFlags.isolatedWorldCSPEnabled);
-        var allowUnsafeInline = !internals.runtimeFlags.isolatedWorldCSPEnabled;
-        testInlineStyleInIsolatedWorld(1, allowUnsafeInline, tests);
+        testInlineStyleInIsolatedWorld(1, false, tests);
         break;
       case 1:
         console.log("Injecting into main world again: this should fail.");

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/isolated-world-eval-csp.js

@@ -55,11 +55,7 @@ const tests = [
     console.log('Testing isolated world with strict csp.');
     testRunner.setIsolatedWorldInfo(
         isolatedWorldId, isolatedWorldSecurityOrigin, 'script-src \'none\'');
-    console.log(
-        'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-        internals.runtimeFlags.isolatedWorldCSPEnabled);
-    const expectBlocked = internals.runtimeFlags.isolatedWorldCSPEnabled;
-    testEvalInIsolatedWorld(expectBlocked);
+    testEvalInIsolatedWorld(true);
 
     testRunner.setIsolatedWorldInfo(isolatedWorldId, null, null);
     isolatedWorldId++;

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/isolated-world-fetch-csp.js

@@ -76,26 +76,18 @@ const tests = [
   },
   function() {
     console.log('Testing isolated world with strict csp.');
-    console.log(
-        'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-        internals.runtimeFlags.isolatedWorldCSPEnabled);
-    const expectBlocked = internals.runtimeFlags.isolatedWorldCSPEnabled;
     testRunner.setIsolatedWorldInfo(
         isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src \'self\'');
-    testFetchInIsolatedWorld(expectBlocked);
+    testFetchInIsolatedWorld(true);
 
     // Clear the isolated world data.
     testRunner.setIsolatedWorldInfo(1, null, null);
   },
   function() {
     console.log('Testing fetch redirect in isolated world with strict csp.');
-    console.log(
-        'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-        internals.runtimeFlags.isolatedWorldCSPEnabled);
-    const expectBlocked = internals.runtimeFlags.isolatedWorldCSPEnabled;
     testRunner.setIsolatedWorldInfo(
         isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src \'self\'');
-    testFetchInIsolatedWorld(expectBlocked, true /* redirect */);
+    testFetchInIsolatedWorld(true, true /* redirect */);
   },
 ];
 

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/isolated-world-location-csp.js

@@ -68,13 +68,9 @@ const tests = [
   },
   function() {
     console.log('Testing isolated world with strict csp.');
-    console.log(
-        'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-        internals.runtimeFlags.isolatedWorldCSPEnabled);
-    const expectBlocked = internals.runtimeFlags.isolatedWorldCSPEnabled;
     testRunner.setIsolatedWorldInfo(
         isolatedWorldId, isolatedWorldSecurityOrigin, 'script-src \'none\'');
-    testJavascriptUrlInIsolatedWorld(expectBlocked);
+    testJavascriptUrlInIsolatedWorld(true);
 
     // Clear the isolated world data.
     testRunner.setIsolatedWorldInfo(1, null, null);

third_party/blink/web_tests/http/tests/security/isolatedWorld/websocket/isolated-world-websocket-csp-expected.txt

@@ -9,6 +9,7 @@ CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
 CONSOLE MESSAGE: line 50: Testing isolated world with permissive csp.
 CONSOLE MESSAGE: PASS: Request succeeded as expected.
 CONSOLE MESSAGE: line 56: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 57: internals.runtimeFlags.isolatedWorldCSPEnabled is false
-CONSOLE MESSAGE: PASS: Request succeeded as expected.
+CONSOLE ERROR: Refused to connect to 'ws://127.0.0.1:8880/echo' because it violates the following Content Security Policy directive: "connect-src 'none'".
+
+CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
 This tests the interaction of websockets used in the isolated world with the isolated world CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/websocket/isolated-world-websocket-csp.js

@@ -54,13 +54,9 @@ const tests = [
   },
   function() {
     console.log('Testing isolated world with strict csp.');
-    console.log(
-        'internals.runtimeFlags.isolatedWorldCSPEnabled is ' +
-        internals.runtimeFlags.isolatedWorldCSPEnabled);
-    const expectBlocked = internals.runtimeFlags.isolatedWorldCSPEnabled;
     testRunner.setIsolatedWorldInfo(
         isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src \'none\'');
-    testWebSocketInIsolatedWorld(expectBlocked);
+    testWebSocketInIsolatedWorld(true);
 
     // Clear the isolated world data.
     testRunner.setIsolatedWorldInfo(1, null, null);

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt

-ALERT: Running test #4
-
-ALERT: Test in main world.
-CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?4' because it violates the following Content Security Policy directive: "img-src 'none'".
-
-ALERT: BLOCKED
-ALERT: Running test #3
-
-ALERT: Test in isolated world without a CSP.
-CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?3' because it violates the following Content Security Policy directive: "img-src 'none'".
-
-ALERT: BLOCKED
-ALERT: Running test #2
-
-ALERT: Test in isolated world with lax CSP
-ALERT: LOADED
-ALERT: Running test #1
-
-ALERT: Test in isolated world with restrictive CSP
-CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?0' because it violates the following Content Security Policy directive: "img-src 'self'".
-
-ALERT: BLOCKED
-ALERT: Running test #0
-
- This test ensures that img-src checks respect the isolated world CSP when the IsolatedWorldCSP feature is enabled and bypass the main world CSP checks otherwise.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/bypass-main-world-csp-font-src-expected.txt

-ALERT: With lax isolated world CSP
-ALERT: With strict isolated world CSP
-CONSOLE ERROR: Refused to load the font 'http://127.0.0.1:8000/resources/Ahem.ttf?num=2' because it violates the following Content Security Policy directive: "font-src 'none'".
-
-This test ensures that scripts run in isolated worlds marked with their own Content Security Policy aren't affected by the page's font-src directive.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-script-expected.txt

-CONSOLE MESSAGE: line 67: Injecting in main world: this should fail.
-CONSOLE ERROR: line 18: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-09Et/dqtUwF1zPoVDKo5ZDj2NUXqkLUxcQfh9UtQQt0='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: line 26: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: line 38: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-/zNPOvYKSO49DBmlcgq0Kw1mbrAMhEU0Olki2JQCDME='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: line 71: Injecting into isolated world without bypass: this should fail.
-CONSOLE ERROR: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-weyW8ZEkQAD8it2iIcRJESCAdVG/APiGxF6JYEqMvKo='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-pB86azbmdo0Ymgsz9MvuZe0osiEViwXGte4Z0AtHPXs='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: line 81: Allowing unsafe-inline for the isolated world: this should pass!
-CONSOLE MESSAGE: EXECUTED in isolated world.
-CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: Executed using document.write in isolated world. Is main world: true
-CONSOLE MESSAGE: line 90: Disallowing unsafe-inline for the isolated world.
-CONSOLE MESSAGE: line 91: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE ERROR: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-weyW8ZEkQAD8it2iIcRJESCAdVG/APiGxF6JYEqMvKo='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-pB86azbmdo0Ymgsz9MvuZe0osiEViwXGte4Z0AtHPXs='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: line 100: Using an empty CSP for the isolated world. This should pass.
-CONSOLE MESSAGE: EXECUTED in isolated world.
-CONSOLE ERROR: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: Executed using document.write in isolated world. Is main world: true
-CONSOLE MESSAGE: line 106: Injecting into main world again: this should fail.
-CONSOLE ERROR: line 18: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-09Et/dqtUwF1zPoVDKo5ZDj2NUXqkLUxcQfh9UtQQt0='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: line 26: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE ERROR: line 38: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-/zNPOvYKSO49DBmlcgq0Kw1mbrAMhEU0Olki2JQCDME='), or a nonce ('nonce-...') is required to enable inline execution.
-
-This tests the behavior of inline scripts in isolated worlds and its interaction with the page and isolated world CSP.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

-CONSOLE MESSAGE: line 74: Injecting in main world: this should fail.
-CONSOLE ERROR: line 20: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-9mofj90uV/hjdJ1EZ8ch4jBC+3bw4vt8GBxoMUosVmo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-CONSOLE MESSAGE: line 31: PASS: Style assignment in test 6 was blocked by CSP.
-CONSOLE MESSAGE: line 78: Injecting into isolated world without bypass: this should fail.
-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-RMFtATOlfMpeC8MJSEmpniQZnGMRT24P+KNCE5zJg08='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-CONSOLE MESSAGE: PASS: Style assignment in test 5 was blocked by CSP.
-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-CONSOLE MESSAGE: PASS: Style attribute assignment in test 5 was blocked by CSP.
-CONSOLE MESSAGE: line 86: Have a separate CSP for the isolated world. Allow unsafe-inline. This should pass.
-CONSOLE MESSAGE: PASS: Style assignment in test 4 was not blocked by CSP.
-CONSOLE MESSAGE: PASS: Style attribute assignment in test 4 was not blocked by CSP.
-CONSOLE MESSAGE: line 93: Have a separate CSP for the isolated world. Use an empty CSP. This should pass.
-CONSOLE MESSAGE: PASS: Style assignment in test 3 was not blocked by CSP.
-CONSOLE MESSAGE: PASS: Style attribute assignment in test 3 was not blocked by CSP.
-CONSOLE MESSAGE: line 99: Have a separate CSP for the isolated world. Disallow unsafe-inline.
-CONSOLE MESSAGE: line 103: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-0B38VDo0PSzEMTh/bG58xIoc1+UQzjQ8WF/8+v2xP9w='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: PASS: Style assignment in test 2 was blocked by CSP.
-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: PASS: Style attribute assignment in test 2 was blocked by CSP.
-CONSOLE MESSAGE: line 110: Injecting into main world again: this should fail.
-CONSOLE ERROR: line 20: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-bUBNmssmL79UBWplbQJyN9Hi2tRE9H345W5DVyjdUq4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
-
-CONSOLE MESSAGE: line 31: PASS: Style assignment in test 1 was blocked by CSP.
-This tests the behavior of inline CSS in isolated worlds and its interaction with the page and isolated world CSP.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/bypass-main-world-csp-javascript-urls-expected.txt

-ALERT: Running test #1
-ALERT: Isolated world with no CSP
-CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-ALERT: Running test #2
-ALERT: Isolated world with permissive CSP
-ALERT: iframe javascript: src running
-ALERT: Running test #3
-ALERT: Isolated world with strict CSP
-CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-ALERT: Running test #4
-This test verifies the behavior of navigations to javascript urls in isolated worlds and its interaction with the isolated world CSP.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/isolated-world-eval-csp-expected.txt

-CONSOLE MESSAGE: line 38: Testing main world. Eval should be blocked by main world CSP.
-CONSOLE MESSAGE: line 7: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
-
-CONSOLE MESSAGE: line 13: PASS: eval blocked as expected.
-CONSOLE MESSAGE: line 44: Testing isolated world with no csp. Eval should be allowed.
-CONSOLE MESSAGE: PASS: eval allowed as expected.
-CONSOLE MESSAGE: line 55: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 58: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE MESSAGE: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'none'".
-
-CONSOLE MESSAGE: PASS: eval blocked as expected.
-CONSOLE MESSAGE: line 68: Testing isolated world with permissive csp.
-CONSOLE MESSAGE: PASS: eval allowed as expected.
-This tests the handling of unsafe-eval CSP checks and its interaction with the isolated world CSP.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/isolated-world-fetch-csp-expected.txt

-CONSOLE MESSAGE: line 53: Testing main world. Request should be blocked by main world CSP.
-CONSOLE ERROR: line 10: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE ERROR: line 10: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the document's Content Security Policy.
-CONSOLE MESSAGE: line 30: PASS: Request blocked by CSP as expected.
-CONSOLE MESSAGE: line 58: Testing isolated world with no csp. Request should be blocked by main world CSP.
-CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the document's Content Security Policy.
-CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
-CONSOLE MESSAGE: line 65: Testing isolated world with permissive csp.
-CONSOLE MESSAGE: PASS: Request succeeded as expected.
-CONSOLE MESSAGE: line 71: Testing fetch redirect in isolated world with permissive csp.
-CONSOLE MESSAGE: PASS: Request succeeded as expected.
-CONSOLE MESSAGE: line 78: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 79: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the following Content Security Policy directive: "connect-src 'self'".
-
-CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php' because it violates the document's Content Security Policy.
-CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
-CONSOLE MESSAGE: line 91: Testing fetch redirect in isolated world with strict csp.
-CONSOLE MESSAGE: line 92: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/resources/redirect.php?url=http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php&cors_allow_origin=*&delay=100' because it violates the following Content Security Policy directive: "connect-src 'self'".
-
-CONSOLE ERROR: Refused to connect to 'http://127.0.0.1:8000/resources/redirect.php?url=http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php&cors_allow_origin=*&delay=100' because it violates the document's Content Security Policy.
-CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
-This tests the interaction of the fetch API run in the isolated world with the isolated world CSP.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/isolated-world-location-csp-expected.txt

-CONSOLE MESSAGE: line 50: Testing main world. Javascript url should be blocked by mainworld CSP.
-CONSOLE ERROR: line 33: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: line 17: PASS: Javascript url blocked as expected.
-CONSOLE MESSAGE: line 56: Testing isolated world with no csp. Javascript url should be blocked by main world CSP.
-CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: PASS: Javascript url blocked as expected.
-CONSOLE MESSAGE: line 63: Testing isolated world with permissive csp.
-ALERT: iframe javascript: src running
-CONSOLE MESSAGE: PASS: Javascript url worked as expected
-CONSOLE MESSAGE: line 70: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 71: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
-
-CONSOLE MESSAGE: PASS: Javascript url blocked as expected.
-This tests the isolated world CSP and its implications on changing the window location to Javascript urls.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/isolated-world-send-beacon-csp-expected.txt

-CONSOLE MESSAGE: line 13: Testing main world. Request should be blocked by main world CSP.
-CONSOLE ERROR: line 2: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/empty.html' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE MESSAGE: line 18: Testing isolated world with no csp. Request should be blocked by main world CSP.
-CONSOLE ERROR: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/empty.html' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE MESSAGE: line 26: Testing isolated world with permissive csp.
-PingLoader dispatched to 'http://localhost:8000/security/isolatedWorld/resources/empty.html'.
-CONSOLE MESSAGE: line 34: Testing isolated world with strict csp.
-CONSOLE ERROR: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/empty.html' because it violates the following Content Security Policy directive: "connect-src 'self'".
-
-This tests the interaction of sendBeacon command run in the isolated world with the isolated world CSP.

third_party/blink/web_tests/virtual/isolated_world_csp/http/tests/security/isolatedWorld/websocket/isolated-world-websocket-csp-expected.txt

-CONSOLE MESSAGE: line 38: Testing main world. Request should be blocked by main world CSP.
-CONSOLE ERROR: line 2: Refused to connect to 'ws://127.0.0.1:8880/echo' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE MESSAGE: line 18: PASS: Request blocked by CSP as expected.
-CONSOLE MESSAGE: line 43: Testing isolated world with no csp. Request should be blocked by main world CSP.
-CONSOLE ERROR: Refused to connect to 'ws://127.0.0.1:8880/echo' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
-CONSOLE MESSAGE: line 50: Testing isolated world with permissive csp.
-CONSOLE MESSAGE: PASS: Request succeeded as expected.
-CONSOLE MESSAGE: line 56: Testing isolated world with strict csp.
-CONSOLE MESSAGE: line 57: internals.runtimeFlags.isolatedWorldCSPEnabled is true
-CONSOLE ERROR: Refused to connect to 'ws://127.0.0.1:8880/echo' because it violates the following Content Security Policy directive: "connect-src 'none'".
-
-CONSOLE MESSAGE: PASS: Request blocked by CSP as expected.
-This tests the interaction of websockets used in the isolated world with the isolated world CSP.