Add signed exchange reporting error test cases

Bug: 910516
Change-Id: I01f776e0a787e97430cc033d55bb1a32e900f9e9
Reviewed-on: https://chromium-review.googlesource.com/c/1480363
Commit-Queue: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#634520}

content/browser/web_package/signed_exchange_signature_verifier.cc

@@ -196,11 +196,8 @@ base::Time TimeFromSignedExchangeUnixTime(uint64_t t) {
   return base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(t);
 }
 
-// Implements steps 3-4 of
-// https://wicg.github.io/webpackage/draft-yasskin-httpbis-origin-signed-exchanges-impl.html#signature-validity
-SignedExchangeSignatureVerifier::Result VerifyTimestamps(
-    const SignedExchangeEnvelope& envelope,
-    const base::Time& verification_time) {
+SignedExchangeSignatureVerifier::Result VerifyValidityPeriod(
+    const SignedExchangeEnvelope& envelope) {
   base::Time expires_time =
       TimeFromSignedExchangeUnixTime(envelope.signature().expires);
   base::Time creation_time =
@@ -211,6 +208,18 @@ SignedExchangeSignatureVerifier::Result VerifyTimestamps(
   if ((expires_time - creation_time).InSeconds() > kOneWeek.InSeconds()) {
     return SignedExchangeSignatureVerifier::Result::kErrValidityPeriodTooLong;
   }
+  return SignedExchangeSignatureVerifier::Result::kSuccess;
+}
+
+// Implements "Signature validity" of
+// https://wicg.github.io/webpackage/draft-yasskin-httpbis-origin-signed-exchanges-impl.html#signature-validity
+SignedExchangeSignatureVerifier::Result VerifyTimestamps(
+    const SignedExchangeEnvelope& envelope,
+    const base::Time& verification_time) {
+  base::Time expires_time =
+      TimeFromSignedExchangeUnixTime(envelope.signature().expires);
+  base::Time creation_time =
+      TimeFromSignedExchangeUnixTime(envelope.signature().date);
 
   // 4. "If the current time is before date or after expires, return
   // "invalid"."
@@ -258,6 +267,17 @@ SignedExchangeSignatureVerifier::Result SignedExchangeSignatureVerifier::Verify(
   TRACE_EVENT0(TRACE_DISABLED_BY_DEFAULT("loading"),
                "SignedExchangeSignatureVerifier::Verify");
   DCHECK(certificate);
+  const auto validity_period_result = VerifyValidityPeriod(envelope);
+  if (validity_period_result != Result::kSuccess) {
+    signed_exchange_utils::ReportErrorAndTraceEvent(
+        devtools_proxy,
+        base::StringPrintf(
+            "Specified validity period too long. creation_time: %" PRIu64
+            ", expires_time: %" PRIu64 ", verification_time: %" PRIu64,
+            envelope.signature().date, envelope.signature().expires,
+            (verification_time - base::Time::UnixEpoch()).InSeconds()));
+    return validity_period_result;
+  }
   const auto timestamp_result = VerifyTimestamps(envelope, verification_time);
   if (timestamp_result != Result::kSuccess &&
       !ShouldIgnoreTimestampError(certificate)) {

third_party/blink/web_tests/external/wpt/network-error-logging/support/nel.sub.js

@@ -55,7 +55,7 @@ function _getNELResourceURL(subdomain, suffix) {
  */
 
 function getURLForResourceWithBasicPolicy(subdomain) {
-  return _getNELResourceURL(subdomain, "pass.png?id="+reportID);
+  return _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=1.0");
 }
 
 function fetchResourceWithBasicPolicy(subdomain) {
@@ -63,6 +63,11 @@ function fetchResourceWithBasicPolicy(subdomain) {
   return fetch(url, {mode: "no-cors"});
 }
 
+function fetchResourceWithZeroSuccessFractionPolicy(subdomain) {
+  const url = _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=0.0");
+  return fetch(url, {mode: "no-cors"});
+}
+
 /*
  * Fetches a resource whose headers define an include_subdomains NEL policy.
  */

third_party/blink/web_tests/external/wpt/network-error-logging/support/pass.png.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Report-To: { "group": "nel-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/network-error-logging/support/report.py?op=put&reportID={{GET[id]}}" }] }
-NEL: {"report_to": "nel-group", "max_age": 10886400, "success_fraction": 1.0}
+NEL: {"report_to": "nel-group", "max_age": 10886400, "success_fraction": {{GET[success_fraction]}}}

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-cert_fetch_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_fetch_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from sxg.cert_fetch_error for' +
+   ' navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-cert_fetch_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_fetch_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-cert-not-found-on-alt-origin.sxg?navigation';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_fetch_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "http.error",
+        status_code: 404,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_fetch_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-cert_parse_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format.sxg?navigation';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-cert_parse_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_parse_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format-on-alt-origin.sxg?navigation';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_parse_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-cert_verification_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html', 'location');
+  assert_true(message.is_fallback, 'is_fallback');
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+    'sxg.cert_verification_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-cert_verification_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg?navigation';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.cert_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_verification_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-failed-zero-success-fraction.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed for navigation (zero success fraction)</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithZeroSuccessFractionPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: cert_url
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ), 'SXG error reporting must be downgraded when the cert URL is different ' +
+     'from the reporting origin');
+  assert_false(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ), 'Succeeded normal NEL report should not be sent when success fraction ' +
+     'is zero.');
+}, 'SXG error report must be downgraded when the cert URL is different from ' +
+   'the reporting origin. And succeeded normal NEL report should not be sent ' +
+   ' when success fraction is zero.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-invalid_integrity_header.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.invalid_integrity_header for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-integrity-header.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.invalid_integrity_header",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.invalid_integrity_header for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-mi_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.mi_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-merkle-integrity-error.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  try {
+    const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+    if (message.is_fallback) {
+        assert_unreached('Fallback redirect should not have happened');
+    } else {
+        assert_unreached('SXG should not have loaded');
+    }
+  } catch (e) {
+    assert_equals(e, 'timeout');
+  }
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.mi_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ]));
+}, 'SXG reporting test of sxg.mi_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-parse_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.parse_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-format.sxg?navigation';
+  try {
+    const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+    if (message.is_fallback) {
+        assert_unreached('Fallback redirect should not have happened');
+    } else {
+        assert_unreached('SXG should not have loaded');
+    }
+  } catch (e) {
+    assert_equals(e, 'timeout');
+  }
+
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          cert_url: []
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.parse_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-signature_verification_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.signature_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.signature_verification_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-navigation-signature_verification_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.signature_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg?navigation';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.signature_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.signature_verification_error for navigation.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-cert_fetch_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_fetch_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?prefetch';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.cert_fetch_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-cert_fetch_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_fetch_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-cert-not-found-on-alt-origin.sxg?prefetch';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_fetch_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "http.error",
+        status_code: 404,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_fetch_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-cert_parse_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format.sxg?prefetch';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for' +
+    ' prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-cert_parse_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_parse_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format-on-alt-origin.sxg?prefetch';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_parse_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-cert_verification_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.cert_verification_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-cert_verification_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg?prefetch';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.cert_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_verification_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-failed-zero-success-feaction.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed for prefetch (zero success fraction)</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithZeroSuccessFractionPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?prefetch';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ), 'SXG error reporting must be downgraded when the cert URL is different ' +
+     'from the reporting origin');
+  assert_false(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ), 'Succeeded normal NEL report should not be sent when success fraction ' +
+     'is zero.');
+}, 'SXG error report must be downgraded when the cert URL is different from ' +
+   'the reporting origin. And succeeded normal NEL report should not be sent ' +
+   ' when success fraction is zero.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-invalid_integrity_header.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.invalid_integrity_header for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-integrity-header.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.invalid_integrity_header",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.invalid_integrity_header for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-mi_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.mi_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-merkle-integrity-error.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.mi_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ]));
+}, 'SXG reporting test of sxg.mi_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-parse_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.parse_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-format.sxg?prefetch';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          cert_url: []
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.parse_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-signature_verification_error-downgraded.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.signature_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.signature_verification_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/reporting/sxg-reporting-prefetch-signature_verification_error.tentative.html

+<!DOCTYPE html>
+<title>SXG reporting test of sxg.signature_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg?prefetch';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.signature_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.signature_verification_error for prefetch.');
+</script>
+</body>

third_party/blink/web_tests/external/wpt/signed-exchange/resources/generate-test-sxgs.sh

@@ -7,6 +7,7 @@ inner_url_origin=https://127.0.0.1:8444
 # the fly.
 wpt_test_origin=https://web-platform.test:8444
 wpt_test_remote_origin=https://www1.web-platform.test:8444
+wpt_test_alt_origin=https://not-web-platform.test:8444
 cert_url_origin=$wpt_test_origin
 sxg_content_type='content-type: application/signed-exchange;v=b3'
 
@@ -40,6 +41,22 @@ gen-signedexchange \
   -o sxg/sxg-location.sxg \
   -miRecordSize 100
 
+# A valid Signed Exchange. The origin of certUrl is the "alt" origin where NEL
+# policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-location-cert-on-alt-origin.sxg \
+  -miRecordSize 100
+
 # A signed exchange of unsupported version.
 gen-signedexchange \
   -version 1b2 \
@@ -154,6 +171,38 @@ gen-signedexchange \
   -miRecordSize 100 \
   -ignoreErrors true
 
+# certUrl is 404 and the origin of certUrl is different from the "alt" origin
+# where NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/not_found_certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-cert-not-found.sxg \
+  -miRecordSize 100
+
+# certUrl is 404 and the origin of certUrl is the "alt" origin where NEL policy
+# is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/not_found_certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-cert-not-found-on-alt-origin.sxg \
+  -miRecordSize 100
+
 # certUrl is 404 and fallback URL is another signed exchange.
 gen-signedexchange \
   -version $sxg_version \
@@ -170,6 +219,38 @@ gen-signedexchange \
   -miRecordSize 100 \
   -ignoreErrors true
 
+# certUrl is an invalid cert and the origin of certUrl is different from the
+# "alt" origin where NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/invalid-cert-format.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-invalid-cert-format.sxg \
+  -miRecordSize 100
+
+# certUrl is an invalid cert and the origin of certUrl is the "alt" origin where
+# NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/invalid-cert-format.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-invalid-cert-format-on-alt-origin.sxg \
+  -miRecordSize 100
+
 # Nested signed exchange.
 gen-signedexchange \
   -version $sxg_version \
@@ -272,7 +353,56 @@ gen-signedexchange \
   -miRecordSize 100 \
   -ignoreErrors true
 
+
+
 # Signed Exchange with payload integrity error.
 echo 'garbage' | cat sxg/sxg-location.sxg - >sxg/sxg-merkle-integrity-error.sxg
 
+# An invalid signed exchange which integrity header is invalid.
+cat sxg/sxg-location.sxg |
+  sed 's/digest\/mi-sha256-03/digest\/mi-sha256-xx/' \
+    > sxg/sxg-invalid-integrity-header.sxg
+
+# An invalid signed exchange which cert-sha256 is invalid.
+dummy_sha256=`echo "dummy" | openssl dgst -binary -sha256 | base64`
+cat sxg/sxg-location.sxg |
+  sed "s/cert-sha256=\*[^*]*\*;/cert-sha256=*$dummy_sha256*;/" \
+    > sxg/sxg-invalid-cert-sha256.sxg
+cat sxg/sxg-location-cert-on-alt-origin.sxg |
+  sed "s/cert-sha256=\*[^*]*\*;/cert-sha256=*$dummy_sha256*;/" \
+    > sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg
+
+# An invalid signed exchange which validity period is too long.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 300h \
+  -o sxg/sxg-validity-period-too-long.sxg \
+  -miRecordSize 100 \
+  -ignoreErrors true
+
+# An invalid signed exchange which validity period is too long. The origin of
+# certUrl is the "alt" origin where NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 300h \
+  -o sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg \
+  -miRecordSize 100 \
+  -ignoreErrors true
+
 rm -fr $tmpdir

third_party/blink/web_tests/external/wpt/signed-exchange/resources/invalid-cert-format.cbor

+This is an invalid certificate file.

third_party/blink/web_tests/external/wpt/signed-exchange/resources/invalid-cert-format.cbor.headers

+Content-Type: application/cert-chain+cbor

third_party/blink/web_tests/external/wpt/signed-exchange/resources/sxg/sxg-invalid-format.sxg

+This is an invalid Signed Exchange.