Implement script and style attr/elem CSP directives

The functionality is behind the
ContentSecurityPolicyExperimentalFeaturesEnabled flag

I2IS: Coming Soon

Spec:
https://w3c.github.io/webappsec-csp/#directive-script-src-elem
https://w3c.github.io/webappsec-csp/#directive-script-src-attr
https://w3c.github.io/webappsec-csp/#directive-style-src-elem
https://w3c.github.io/webappsec-csp/#directive-style-src-attr

Change-Id: Ic1638cac15c7ec488fcc7a4c9f6261b97502090a
Reviewed-on: https://chromium-review.googlesource.com/1181050
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588534}

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/blob/blob-urls-do-not-match-self.sub.html

@@ -7,7 +7,7 @@
     <title>blob-urls-do-not-match-self</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
     <script src='../support/alertAssert.sub.js?alerts=[]'></script>
 </head>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/default-src/default-src-inline-blocked.sub.html

@@ -12,7 +12,7 @@
     <title>default-src-inline-blocked</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src","violated-directive=script-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","violated-directive=script-src-elem"]'></script>
     <script src='../support/alertAssert.sub.js?alerts=[]'></script>
 </head>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html

@@ -7,7 +7,7 @@
     <title>filesystem-urls-do-not-match-self</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
 </head>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/generic-0_1-script-src.html

@@ -18,7 +18,7 @@
       var t_spv = async_test("Should fire violation events for every failed violation");
 
       window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
+          assert_equals(e.violatedDirective, "script-src-elem");
       }));
     </script>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/generic-0_10_1.sub.html

@@ -9,7 +9,7 @@
     <script>
       var t_spv = async_test("Should fire violation events for every failed violation");
       window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
+          assert_equals(e.violatedDirective, "script-src-elem");
       }));
 
       var head = document.getElementsByTagName('head')[0];

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/generic-0_2_2.sub.html

@@ -9,7 +9,7 @@
     <script>
       var t_spv = async_test("Should fire violation events for every failed violation");
       window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
+          assert_equals(e.violatedDirective, "script-src-elem");
       }));
 
       var head = document.getElementsByTagName('head')[0];

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/generic-0_2_3.html

@@ -9,7 +9,7 @@
     <script>
       var t_spv = async_test("Should fire violation events for every failed violation");
       window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
+          assert_equals(e.violatedDirective, "script-src-elem");
       }));
 
       var head = document.getElementsByTagName('head')[0];

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/generic-0_8_1.sub.html

@@ -9,7 +9,7 @@
     <script>
       var t_spv = async_test("Should fire violation events for every failed violation");
       window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
+          assert_equals(e.violatedDirective, "script-src-elem");
       }));
 
       var head = document.getElementsByTagName('head')[0];

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/meta/combine-header-and-meta-policies.sub.html

@@ -7,7 +7,7 @@
     <title>combine-header-and-meta-policies</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing multiple policies:
 Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigation/to-javascript-url-script-src.html

@@ -13,7 +13,7 @@
       if (e.target != element)
         return;
       assert_equals(e.blockedURI, "inline");
-      assert_equals(e.effectiveDirective, "script-src");
+      assert_equals(e.effectiveDirective, "script-src-elem");
       assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
       element.remove();
       test.done();

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-inline';
+    script-src 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should not fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+
+    <img src="../support/pass.png" onload="t.done()">
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'none';
+    script-src 'unsafe-inline' 'self';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+
+    <img src="../support/pass.png" onload="t.unreached_func('Should not have executed the inline handler')">
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' 'unsafe-inline';
+    script-src-attr 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should fire a security policy violation for the attribute");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+
+      var t1 = async_test("Should execute the inline script block");
+    </script>
+
+    <script>
+      t1.done();
+    </script>
+
+    <img src="../support/pass.png" onload="t.unreached_func('should not have run this event handler')">
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'nonce-def';
+    script-src 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should not fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+
+    <script nonce='def'>
+      t.done();
+    </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'self';
+    script-src-attr 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should fire a security policy violation for the attribute");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+
+      var t1 = async_test("Should execute the inline script attribute");
+    </script>
+
+    <script>
+      t.step_func(function() {
+        assert_unreached("Should not have executed the inline script block");
+      })
+    </script>
+
+    <img src="../support/pass.png" onload="t1.done()">
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc';
+    script-src 'nonce-abc' 'nonce-def';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should fire a spv event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+
+    </script>
+
+    <script nonce='def'>
+      t.step_func(function() {
+        assert_unreached("Should not have executed the inline block");
+      });
+    </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'strict-dynamic' 'nonce-abc';
+    script-src 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should not fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+
+      var s = document.createElement('script');
+      s.src = 'support/t_done.js';
+      document.head.appendChild(s);
+    </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-abc';
+    script-src-elem 'nonce-abc';">
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "script-src-elem");
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/script-src-attr-elem/support/t_fail.js");
+      }));
+
+      var s = document.createElement('script');
+      s.src = 'support/t_fail.js';
+      document.head.appendChild(s);
+    </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/support/t_done.js

+t.done();

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src-attr-elem/support/t_fail.js

+t.step(function() {
+  assert_unreached("Should not loaded the script");
+});

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js

@@ -3,7 +3,7 @@
   var test_count = 2;
 
   window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-   assert_equals(e.violatedDirective, "script-src");
+   assert_equals(e.violatedDirective, "script-src-elem");
    if (--test_count <= 0) {
     t_spv.done();
    }

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/injected-inline-script-blocked.sub.html

@@ -7,7 +7,7 @@
     <title>injected-inline-script-blocked</title>
     <script nonce='abc' src="/resources/testharness.js"></script>
     <script nonce='abc' src="/resources/testharnessreport.js"></script>
-    <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src",]'></script>
+    <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem",]'></script>
     <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
 </head>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/inlineTests.js

 var t1 = async_test("Inline script block");
 var t2 = async_test("Inline event handler");
 
-onload = function() {t1.done(); t2.done()}
+onload = function() {t1.done(); t2.done();};
 
-var t_spv = async_test("Should not fire policy violation events");
-var test_count = 2;
+var t_spv = async_test("Should fire policy violation events");
+var block_event_fired = false;
+var handler_event_fired = false;
 window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
-    assert_equals(e.violatedDirective, "script-src");
-    if (--test_count <= 0) {
+    if (e.violatedDirective == "script-src-elem") {
+      assert_false(block_event_fired);
+      block_event_fired = true;
+    } else if (e.violatedDirective == "script-src-attr") {
+      assert_false(handler_event_fired);
+      handler_event_fired = true;
+    } else {
+      assert_unreached("Unexpected directive broken");
+    }
+    if (block_event_fired && handler_event_fired) {
       t_spv.done();
     }
 }));

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/javascript-window-open-blocked.html

@@ -11,7 +11,7 @@
     var t = async_test("Check that a securitypolicyviolation event is fired");
     window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
       assert_equals(e.blockedURI, "inline");
-      assert_equals(e.violatedDirective, "script-src");
+      assert_equals(e.violatedDirective, "script-src-elem");
     }));
 
     window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html

@@ -10,7 +10,7 @@
   <script nonce="abc">
     var t_spv = async_test("Should fire securitypolicyviolation event");
     window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-      assert_equals(e.violatedDirective, "script-src");
+      assert_equals(e.violatedDirective, "script-src-elem");
       assert_equals(e.disposition, "report");
     }));
     var externalRan = false;

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html

@@ -11,7 +11,7 @@
     var t = async_test("Test that script executes if allowed by proper hash values");
     var t_spv = async_test("Test that the securitypolicyviolation event is fired");
     document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-      assert_equals(e.violatedDirective, "script-src");
+      assert_equals(e.violatedDirective, "script-src-elem");
       assert_equals(e.disposition, "report");
       assert_equals(e.blockedURI, "inline");
     }));

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html

@@ -21,7 +21,7 @@
                 }
             }));
             window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
-                assert_equals(e.effectiveDirective, 'script-src');
+                assert_equals(e.effectiveDirective, 'script-src-elem');
             }));
         }, 'Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
     </script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html

@@ -28,7 +28,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'unNonced-appendChild') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html

@@ -44,7 +44,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
                 t.done();
             }));

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html

@@ -27,7 +27,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'appendChild-reportOnly') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 // Check that the violation comes from the Report-Only policy.
                 assert_equals(violation.originalPolicy, "script-src 'none'");
                 t.done();

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html

@@ -20,7 +20,7 @@
         async_test(function(t) {
             window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
                 assert_false(javascriptUriScriptRan);
-                assert_equals(e.effectiveDirective, 'script-src');
+                assert_equals(e.effectiveDirective, 'script-src-elem');
             }));
 
             document.getElementById('javascriptUri').click();

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html

@@ -16,7 +16,7 @@
     <script nonce='dummy'>
         async_test(function(t) {
             window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
-                assert_equals(e.effectiveDirective, 'script-src');
+                assert_equals(e.effectiveDirective, 'script-src-elem');
             }));
         }, 'All the expected CSP violation reports have been fired.');
     </script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html

@@ -24,7 +24,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWrite') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -43,7 +43,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWriteln') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -62,7 +62,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -81,7 +81,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -100,7 +100,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWrite-async') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -119,7 +119,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWriteln-async') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -138,7 +138,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred-async') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -157,7 +157,7 @@
                 if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred-async') {
                     return;
                 }
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-elem');
                 t.done();
             }));
 
@@ -173,7 +173,7 @@
                     return;
                 }
                 assert_false(innerHTMLScriptRan);
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-attr');
                 t.done();
             }));
 
@@ -191,7 +191,7 @@
                     return;
                 }
                 assert_false(insertAdjacentHTMLScriptRan);
-                assert_equals(violation.effectiveDirective, 'script-src');
+                assert_equals(violation.effectiveDirective, 'script-src-attr');
                 t.done();
             }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/scripthash-unicode-normalization.sub.html

@@ -20,7 +20,7 @@
     <script nonce="nonceynonce">
       var t_spv = async_test("Should fire securitypolicyviolation");
       window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
+          assert_equals(e.violatedDirective, "script-src-elem");
       }));
 
       var matchingContent = 'Å';

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html

@@ -20,7 +20,7 @@
         });
 
         var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
-        var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src", "violated-directive=script-src"];
+        var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src-elem", "violated-directive=script-src-elem"];
 
         function alert_assert(msg) {
             t_alert.step(function() {

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html

@@ -7,7 +7,7 @@
     <title>scriptnonce-basic-blocked</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src", "violated-directive=script-src", "violated-directive=script-src"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]'></script>
     <script nonce="noncynonce">
         alert_assert('PASS (closely-quoted nonce)');
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html

@@ -19,8 +19,8 @@
         });
     </script>
     <script nonce='noncynonce'>
-        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"]');
-        var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src"];
+        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]');
+        var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src-elem"];
 
         function alert_assert(msg) {
             t_alert.step(function() {

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html

@@ -7,7 +7,7 @@
     <title>srcdoc-doesnt-bypass-script-src</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
 </head>
 
 <body>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-attr 'unsafe-inline';
+    style-src 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should apply the style attribute");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+</head>
+
+<body style="background: green">
+    <script>
+      t.step(function() {
+        assert_true(document.body.style.length > 0);
+        t.done();
+      });
+    </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-attr 'none';
+    style-src 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body style="background: green">
+  <script>
+    async_test(function(test) {
+      assert_equals(document.body.style.length, 0);
+      test.done();
+    }, "The attribute style should not be applied");
+  </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline';
+    style-src-attr 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation for the attribute");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-attr');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body style="background: green">
+  <style>
+    body {background: blue;}
+  </style>
+
+  <script>
+    async_test(function(test) {
+      assert_equals(document.body.style.length, 0);
+      assert_equals(document.styleSheets.length, 1);
+      test.done();
+    }, "The attribute style should not be applied and the inline style should be applied");
+  </script>
+
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline';
+    style-src 'none';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Inline style should be applied");
+      window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
+    </script>
+</head>
+
+<body>
+    <style>
+      body {background: green;}
+    </style>
+    <script>
+      t.step(function() {
+        assert_equals(document.styleSheets.length, 1);
+        t.done();
+      });
+    </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'none';
+    script-src-attr 'unsafe-inline'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation for the inline block");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body style="background: green">
+  <style>
+    body {background: blue;}
+  </style>
+
+  <script>
+    async_test(function(test) {
+      assert_true(document.body.style.length > 0);
+      assert_equals(document.styleSheets.length, 0);
+      test.done();
+    }, "The inline style should not be applied and the attribute style should be applied");
+  </script>
+
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html

+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src-elem 'none';
+    style-src 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      var t = async_test("Should fire a security policy violation event");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'style-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+    </script>
+</head>
+
+<body>
+  <style>
+    body {background: green;}
+  </style>
+  <script>
+    async_test(function(test) {
+      assert_equals(document.styleSheets.length, 0);
+      test.done();
+    }, "The inline style should not be applied");
+  </script>
+</body>
+
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/injected-inline-style-blocked.sub.html

@@ -7,7 +7,7 @@
     <title>injected-inline-style-blocked</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=style-src","PASS"]'></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=style-src-elem","PASS"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
 </head>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/inline-style-attribute-blocked.sub.html

@@ -7,7 +7,7 @@
     <title>inline-style-attribute-blocked</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=style-src","PASS"]'></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=style-src-attr","PASS"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <script>
        window.addEventListener('securitypolicyviolation', function(e) {

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-hash-blocked.html

@@ -12,7 +12,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-imported-style-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
 
       var l = document.createElement("link");

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-injected-inline-style-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
 </head>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-attr", e.violatedDirective);
       }));
       onload = t.step_func_done(function(e) {
         var contentEl = document.getElementById("content");

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-inline-style-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
     <style>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html

@@ -9,7 +9,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
     <style id="style1" nonce="not-nonceynonce"

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
     <style nonce="not-nonceynonce">

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-none-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
     <link href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html

@@ -10,7 +10,7 @@
       var t_spv = async_test("Should fire a securitypolicyviolation event");
 
       document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-        assert_equals("style-src", e.violatedDirective);
+        assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
     <link nonce="not-nonceynonce" href="/content-security-policy/style-src/resources/style-src.css?pipe=sub" rel=stylesheet type=text/css>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/stylehash-basic-blocked.sub.html

@@ -13,8 +13,8 @@
             alert_assert("violated-directive=" + e.violatedDirective);
         });
 
-        var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied.", "violated-directive=style-src"]');
-        var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src"];
+        var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]');
+        var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"];
 
         function alert_assert(msg) {
             t_alert.step(function() {

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/stylenonce-allowed.sub.html

@@ -12,7 +12,7 @@
     <script>
         var t_spv = async_test("Should fire securitypolicyviolation");
         window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, "style-src");
+            assert_equals(e.violatedDirective, "style-src-elem");
         }));
 
     </script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/stylenonce-blocked.sub.html

@@ -13,7 +13,7 @@
     <script>
         var t_spv = async_test("Should fire securitypolicyviolation");
         window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, "style-src");
+            assert_equals(e.violatedDirective, "style-src-elem");
         }));
     </script>
     <style nonce="noncynonce">

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/svg/svg-inline.sub.html

@@ -8,7 +8,7 @@
     <script>
         var t_spv = async_test("Should fire violation event");
         window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, "script-src");
+            assert_equals(e.violatedDirective, "script-src-elem");
         }));
     </script>
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html

@@ -18,7 +18,7 @@
         var t1 = async_test("Test that the javascript: src is not allowed to run");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.violatedDirective, 'script-src-elem');
             assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html

@@ -18,7 +18,7 @@
         var t1 = async_test("Test that the javascript: src is not allowed to run");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-             assert_equals(e.violatedDirective, 'script-src');
+             assert_equals(e.violatedDirective, 'script-src-elem');
              assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html

@@ -19,7 +19,7 @@
         window.onmessage = t1.unreached_func("Should have not received any message");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.violatedDirective, 'script-src-elem');
             assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html

@@ -18,7 +18,7 @@
         var t1 = async_test("Test that the javascript: src is not allowed to run");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.violatedDirective, 'script-src-elem');
             assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html

@@ -18,7 +18,7 @@
         var t1 = async_test("Test that the javascript: src is not allowed to run");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-             assert_equals(e.violatedDirective, 'script-src');
+             assert_equals(e.violatedDirective, 'script-src-elem');
              assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html

@@ -19,7 +19,7 @@
         window.onmessage = t1.unreached_func("Should have not received any message");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.violatedDirective, 'script-src-elem');
             assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html

@@ -15,7 +15,7 @@
         var t1 = async_test("Test that the inline event handler is not allowed to run");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.violatedDirective, 'script-src-attr');
             assert_equals(e.blockedURI, 'inline');
         }));
     </script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html

@@ -14,7 +14,7 @@
         var t1 = async_test("Test that the inline event handler is not allowed to run");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src');
+            assert_equals(e.violatedDirective, 'script-src-attr');
             assert_equals(e.blockedURI, 'inline');
         }));
     </script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html

@@ -18,7 +18,7 @@
         var t1 = async_test("Test that the inline style attribute is blocked");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'style-src');
+            assert_equals(e.violatedDirective, 'style-src-attr');
             assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html

@@ -18,7 +18,7 @@
         var t1 = async_test("Test that the inline style attribute is blocked");
 
         window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'style-src');
+            assert_equals(e.violatedDirective, 'style-src-attr');
             assert_equals(e.blockedURI, 'inline');
         }));
 

third_party/WebKit/LayoutTests/external/wpt/preload/preload-strict-dynamic.html

@@ -22,7 +22,7 @@
   }
   window.addEventListener("securitypolicyviolation", (e) => {
     counter++;
-    if (e.violatedDirective == "script-src" && e.blockedURI.includes("static-no-nonce")) {
+    if (e.violatedDirective == "script-src-elem" && e.blockedURI.includes("static-no-nonce")) {
       cspViolation = true;
     }
   });

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-block-import-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: line 5: Refused to load the script 'http://127.0.0.1:8000/htmlimports/resources/hello.html' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE ERROR: line 5: Refused to load the script 'http://127.0.0.1:8000/htmlimports/resources/hello.html' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 PASS
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-block-import-non-self-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: line 6: Refused to load the script 'http://localhost:8080/htmlimports/resources/cors-basic.cgi' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+CONSOLE ERROR: line 6: Refused to load the script 'http://localhost:8080/htmlimports/resources/cors-basic.cgi' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 PASS
 PASS

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-import-block-but-domain-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: line 2: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src http://localhost:8000".
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-import-block-but-domain-nested-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: line 2: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src http://localhost:8000".
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-import-block-but-nonce-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: Refused to load the script 'http://localhost:8080/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000 'nonce-hello'".
+CONSOLE ERROR: Refused to load the script 'http://localhost:8080/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000 'nonce-hello'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: line 4: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src http://localhost:8000 'nonce-hello'".
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-import-block-but-nonce-nested-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: Refused to load the script 'http://localhost:8080/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000 'nonce-hello'".
+CONSOLE ERROR: Refused to load the script 'http://localhost:8080/htmlimports/resources/external-script.js' because it violates the following Content Security Policy directive: "script-src http://localhost:8000 'nonce-hello'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: line 4: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src http://localhost:8000 'nonce-hello'".
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-import-block-but-self-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
 CONSOLE ERROR: line 2: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
 
-CONSOLE ERROR: Refused to load the script 'http://localhost:8000//htmlimports/resources/cors-js.cgi' because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE ERROR: Refused to load the script 'http://localhost:8000//htmlimports/resources/cors-js.cgi' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: line 6: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-wnLyUqsXhUuQ5NVNJO+JjNabqB1yo9OPLLJWPopauN0='), or a nonce ('nonce-...') is required to enable inline execution.
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-import-block-but-self-nested-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
 CONSOLE ERROR: line 2: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
 
-CONSOLE ERROR: Refused to load the script 'http://localhost:8000//htmlimports/resources/cors-js.cgi' because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE ERROR: Refused to load the script 'http://localhost:8000//htmlimports/resources/cors-js.cgi' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: line 6: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-wnLyUqsXhUuQ5NVNJO+JjNabqB1yo9OPLLJWPopauN0='), or a nonce ('nonce-...') is required to enable inline execution.
 

third_party/WebKit/LayoutTests/http/tests/htmlimports/csp-not-block-import-in-import-expected.txt

 CONSOLE WARNING: HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.
-CONSOLE ERROR: Refused to load the script 'http://localhost:8000/htmlimports/resources/cors-basic.cgi' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+CONSOLE ERROR: Refused to load the script 'http://localhost:8000/htmlimports/resources/cors-basic.cgi' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 PASS
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
 
 This page should neither alert "FAIL" nor generate any mixed content warnings in the console. 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt

 CONSOLE ERROR: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 This script should not execute even though there are parse errors in the policy.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt

 CONSOLE ERROR: Unrecognized Content-Security-Policy directive 'aaa'.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 This script should not execute even though there are parse errors in the policy.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt

 CONSOLE ERROR: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE ERROR: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE ERROR: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
 
 This script should not execute even through the second CSP header would allow it.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-blocked-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-nonce'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-nonce'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-notnonce'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-notnonce'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 Only the first two of these scripts should execute even though there are parse errors in the policy.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-invalidnonce-expected.txt

 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''n'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'n".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'n". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src nonce-abcd".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src nonce-abcd". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce- '".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce- '". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-     '".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-     '". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'spaces''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce- nonces have no spaces'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce- nonces have no spaces'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-{}''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-{}'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-{}'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-/\''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-/\'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-/\'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 None of these scripts should execute, as all the nonces are invalid.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial-expected.txt

 CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (1/12)
-CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (2/12)
 CONSOLE MESSAGE: line 15: PASS (3/12)
@@ -9,11 +9,11 @@ CONSOLE MESSAGE: line 15: PASS (4/12)
 CONSOLE ERROR: line 27: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (5/12)
-CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (6/12)
 CONSOLE MESSAGE: line 15: PASS (7/12)
-CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (8/12)
 CONSOLE ERROR: line 27: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
@@ -23,7 +23,7 @@ CONSOLE MESSAGE: line 15: PASS (10/12)
 CONSOLE ERROR: line 27: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (11/12)
-CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE ERROR: line 1: Refused to load the stylesheet 'http://127.0.0.1:8000/security/resources/cssStyle.css' because it violates the following Content Security Policy directive: "default-src https:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
 
 CONSOLE MESSAGE: line 15: PASS (12/12)
 This test ensures that registering a scheme as bypassing CSP actually bypasses CSP. This test passes if only PASSes are generated.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-script.https-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t1' because it violates the following Content Security Policy directive: "script-src 'nonce-abc'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t1' because it violates the following Content Security Policy directive: "script-src 'nonce-abc'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 This is a testharness.js-based test.
 Harness Error. harness_status.status = 1 , harness_status.message = 1 duplicate test name: "Parser-inserted scripts do not bypass."

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-appended-script-expected.txt

-CONSOLE ERROR: line 14: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE ERROR: line 14: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 PASS

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt

 CONSOLE ERROR: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src localhost".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src localhost". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE ERROR: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt

-CONSOLE ERROR: Refused to load the script 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE ERROR: Refused to load the script 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:8000".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:8000". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:*".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:*".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 None of these scripts should execute even though there are parse errors in the policy.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https:".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https:".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 None of these scripts should execute.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/thisisa".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/thisisa". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/this is a path with spaces".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/this is a path with spaces". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt

-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/thisisa".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/thisisa". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/this is a path with spaces".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/this is a path with spaces". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt

 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:/'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:/".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:/127.0.0.1'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:/127.0.0.1".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:/127.0.0.1". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:///127.0.0.1'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:///127.0.0.1".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:///127.0.0.1". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:/'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:/".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://127.?.0.1:*'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.?.0.1:*".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.?.0.1:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://127.0.0.1:'. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''slef''. It will be ignored.
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'slef'".
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'slef'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://127.0.0.1:'. It will be ignored.
 Invalid source expressions should log a console warning, and be ignored.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt

-CONSOLE ERROR: Refused to load the script 'data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE ERROR: Refused to load the script 'data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
-CONSOLE ERROR: Refused to load the script 'data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:8000".
+CONSOLE ERROR: Refused to load the script 'data:application/javascript;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:8000". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
 
 Test proper handling of data: URLs.