Bug 988616 - Split CSP tests for CSP (1.0) and X-CSP, and update build system files r=sstamm r=ckerschb
authorGarrett Robinson <grobinson@mozilla.com>
Mon, 09 Jun 2014 14:26:09 -0700
changeset 187903 293ac7b3303589d321570b78d290b49320400eff
parent 187902 9caaf8004e36cfe32cadefe49e6d79d4b2f4fcd1
child 187904 fc3e515dda6445759fe020bba46705418c7a684b
push id26939
push userkwierso@gmail.com
push dateWed, 11 Jun 2014 01:28:04 +0000
treeherderautoland@b9f589c4d2e7 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssstamm, ckerschb
bugs988616
milestone33.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 988616 - Split CSP tests for CSP (1.0) and X-CSP, and update build system files r=sstamm r=ckerschb
content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
content/base/test/csp/file_csp_redirects_main.html
content/base/test/csp/file_csp_report.sjs
content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
content/base/test/csp/file_redirect_content.sjs
content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
content/base/test/csp/mochitest.ini
content/base/test/csp/test_301_redirect.html
content/base/test/csp/test_302_redirect.html
content/base/test/csp/test_303_redirect.html
content/base/test/csp/test_307_redirect.html
content/base/test/csp/test_CSP.html
content/base/test/csp/test_CSP_evalscript.html
content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
content/base/test/csp/test_CSP_frameancestors.html
content/base/test/csp/test_CSP_inlinescript.html
content/base/test/csp/test_CSP_inlinestyle.html
content/base/test/csp/test_csp_bug768029.html
content/base/test/csp/test_csp_bug773891.html
content/base/test/csp/test_csp_redirects.html
content/base/test/csp/test_csp_report.html
content/base/test/csp/test_multi_policy_injection_bypass.html
content/base/test/csp/test_subframe_run_js_if_allowed.html
content/base/test/moz.build
content/base/test/xcsp/file_CSP.css
content/base/test/xcsp/file_CSP_frameancestors_main.js
content/base/test/xcsp/file_csp_redirects_main.html
content/base/test/xcsp/mochitest.ini
content/base/test/xcsp/test_CSP.html
content/base/test/xcsp/test_CSP_evalscript.html
content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
content/base/test/xcsp/test_CSP_frameancestors.html
content/base/test/xcsp/test_CSP_inlinescript.html
content/base/test/xcsp/test_CSP_inlinestyle.html
content/base/test/xcsp/test_csp_redirects.html
content/base/test/xcsp/test_csp_report.html
--- a/content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
+++ b/content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
@@ -1,2 +1,2 @@
 Cache-Control: no-cache
-X-Content-Security-Policy: default-src 'self'
+Content-Security-Policy: default-src 'self'
--- a/content/base/test/csp/file_csp_redirects_main.html
+++ b/content/base/test/csp/file_csp_redirects_main.html
@@ -6,26 +6,17 @@
 <div id="container"></div>
 </body>
 
 <script>
 var thisSite = "http://mochi.test:8888";
 var otherSite = "http://example.com";
 var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
 
-var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
-              "frame-src": thisSite+page+"?testid=frame-src&csp=1",
-              "img-src":  thisSite+page+"?testid=img-src&csp=1",
-              "media-src":  thisSite+page+"?testid=media-src&csp=1",
-              "object-src":  thisSite+page+"?testid=object-src&csp=1",
-              "script-src":  thisSite+page+"?testid=script-src&csp=1",
-              "style-src":  thisSite+page+"?testid=style-src&csp=1",
-              "worker":  thisSite+page+"?testid=worker&csp=1",
-              "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
-              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
+var tests = { "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
               "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
               "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
               "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
               "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
               "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
               "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
               "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
               "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
--- a/content/base/test/csp/file_csp_report.sjs
+++ b/content/base/test/csp/file_csp_report.sjs
@@ -9,17 +9,17 @@ function handleRequest(request, response
   });
 
   response.setHeader("Content-Type", "text/html", false);
 
   // avoid confusing cache behaviors
   response.setHeader("Cache-Control", "no-cache", false);
 
   // set CSP header
-  response.setHeader("X-Content-Security-Policy",
-                     "allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
+  response.setHeader("Content-Security-Policy",
+                     "default-src 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
                      false);
 
   // content which will trigger a violation report
   response.write('<html><body>');
   response.write('<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>');
   response.write('</body></html>');
 }
--- a/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
+++ b/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
@@ -1,1 +1,1 @@
-X-Content-Security-Policy: default-src 'self', allow *
+Content-Security-Policy: default-src 'self', default-src *
--- a/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
+++ b/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
@@ -1,1 +1,1 @@
-X-Content-Security-Policy: default-src 'self'   ,    allow *
+Content-Security-Policy: default-src 'self'   ,    default-src *
--- a/content/base/test/csp/file_redirect_content.sjs
+++ b/content/base/test/csp/file_redirect_content.sjs
@@ -20,17 +20,17 @@ function handleRequest(request, response
     var loc = "http://example.com/some/fake/path";
     response.setStatusLine("1.1", 302, "Found");
     response.setHeader("Location", loc, false);
     return;
   }
 
   var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
 
-  response.setHeader("X-Content-Security-Policy", csp, false);
+  response.setHeader("Content-Security-Policy", csp, false);
 
   // the actual file content.
   // this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
   // specified by the CSP string above.
   var content = "<!DOCTYPE HTML><html><body><img src = \"http://some.other.domain.example.com\"></body></html>";
 
   response.write(content);
 
--- a/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
+++ b/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
@@ -1,1 +1,1 @@
-X-Content-Security-Policy: default-src *; options inline-script
+Content-Security-Policy: default-src *; script-src 'unsafe-inline'
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -12,63 +12,45 @@ support-files =
   file_CSP_bug802872.js
   file_CSP_bug802872.sjs
   file_CSP_bug885433_allows.html
   file_CSP_bug885433_allows.html^headers^
   file_CSP_bug885433_blocks.html
   file_CSP_bug885433_blocks.html^headers^
   file_CSP_bug888172.html
   file_CSP_bug888172.sjs
-  file_CSP_bug916446.html
-  file_CSP_bug916446.html^headers^
-  file_CSP_evalscript_main.html
-  file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main.js
   file_CSP_evalscript_main_allowed.js
   file_CSP_evalscript_main_allowed_getCRMFRequest.js
-  file_CSP_evalscript_main_getCRMFRequest.html
-  file_CSP_evalscript_main_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_getCRMFRequest.js
   file_CSP_evalscript_main_spec_compliant.html
   file_CSP_evalscript_main_spec_compliant.html^headers^
   file_CSP_evalscript_main_spec_compliant_allowed.html
   file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
   file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
   file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
   file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
   file_CSP_evalscript_no_CSP_at_all.html
   file_CSP_evalscript_no_CSP_at_all.html^headers^
   file_CSP_evalscript_no_CSP_at_all.js
-  file_CSP_frameancestors.sjs
-  file_CSP_frameancestors_main.html
-  file_CSP_frameancestors_main.js
   file_CSP_frameancestors_main_spec_compliant.html
   file_CSP_frameancestors_main_spec_compliant.js
   file_CSP_frameancestors_spec_compliant.sjs
-  file_CSP_inlinescript_main.html
-  file_CSP_inlinescript_main.html^headers^
   file_CSP_inlinescript_main_spec_compliant.html
   file_CSP_inlinescript_main_spec_compliant.html^headers^
   file_CSP_inlinescript_main_spec_compliant_allowed.html
   file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
-  file_CSP_inlinestyle_main.html
-  file_CSP_inlinestyle_main.html^headers^
   file_CSP_inlinestyle_main_spec_compliant.html
   file_CSP_inlinestyle_main_spec_compliant.html^headers^
   file_CSP_inlinestyle_main_spec_compliant_allowed.html
   file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
-  file_CSP_main.html
-  file_CSP_main.html^headers^
-  file_CSP_main.js
   file_CSP_main_spec_compliant.html
   file_CSP_main_spec_compliant.html^headers^
   file_CSP_main_spec_compliant.js
-  file_bothCSPheaders.html
-  file_bothCSPheaders.html^headers^
   file_bug836922_npolicies.html
   file_bug836922_npolicies.html^headers^
   file_bug836922_npolicies_ro_violation.sjs
   file_bug836922_npolicies_violation.sjs
   file_bug886164.html
   file_bug886164.html^headers^
   file_bug886164_2.html
   file_bug886164_2.html^headers^
@@ -99,67 +81,59 @@ support-files =
   file_policyuri_regression_from_multipolicy_policy
   file_nonce_source.html
   file_nonce_source.html^headers^
   file_CSP_bug941404.html
   file_CSP_bug941404_xhr.html
   file_CSP_bug941404_xhr.html^headers^
   file_hash_source.html
   file_hash_source.html^headers^
-  file_dual_headers_warning.html
-  file_dual_headers_warning.html^headers^
   file_self_none_as_hostname_confusion.html
   file_self_none_as_hostname_confusion.html^headers^
   file_csp_testserver.sjs
   file_csp_regexp_parsing.html
   file_csp_regexp_parsing.js
   file_report_uri_missing_in_report_only_header.html
   file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.sjs
-  file_policyuri_async_fetch.html
-  file_policyuri_async_fetch.html^headers^
   file_redirect_content.sjs
   file_redirect_report.sjs
   file_subframe_run_js_if_allowed.html
   file_subframe_run_js_if_allowed.html^headers^
   file_multi_policy_injection_bypass.html
   file_multi_policy_injection_bypass.html^headers^
   file_multi_policy_injection_bypass_2.html
   file_multi_policy_injection_bypass_2.html^headers^
 
 [test_CSP.html]
 [test_CSP_bug663567.html]
 [test_CSP_bug802872.html]
 [test_CSP_bug885433.html]
 [test_CSP_bug888172.html]
-[test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
 [test_CSP_evalscript_getCRMFRequest.html]
 skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
-[test_bothCSPheaders.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
 [test_csp_redirects.html]
 [test_CSP_bug910139.html]
 [test_CSP_bug909029.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
-[test_dual_headers_warning.html]
 [test_self_none_as_hostname_confusion.html]
 [test_bug949549.html]
 [test_csp_regexp_parsing.html]
 [test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
-[test_policyuri_async_fetch.html]
 [test_301_redirect.html]
 [test_302_redirect.html]
 [test_303_redirect.html]
 [test_307_redirect.html]
 [test_subframe_run_js_if_allowed.html]
 [test_multi_policy_injection_bypass.html]
--- a/content/base/test/csp/test_301_redirect.html
+++ b/content/base/test/csp/test_301_redirect.html
@@ -61,13 +61,19 @@ window.done = function(result) {
   // clean up observers and finish the test
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
 
 // save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?301';
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('content_iframe').src = 'file_redirect_content.sjs?301';
+    });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_302_redirect.html
+++ b/content/base/test/csp/test_302_redirect.html
@@ -61,13 +61,19 @@ window.done = function(result) {
   // clean up observers and finish the test
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
 
 // save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?302';
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('content_iframe').src = 'file_redirect_content.sjs?302';
+    });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_303_redirect.html
+++ b/content/base/test/csp/test_303_redirect.html
@@ -61,13 +61,19 @@ window.done = function(result) {
   // clean up observers and finish the test
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
 
 // save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?303';
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('content_iframe').src = 'file_redirect_content.sjs?303';
+    });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_307_redirect.html
+++ b/content/base/test/csp/test_307_redirect.html
@@ -61,13 +61,19 @@ window.done = function(result) {
   // clean up observers and finish the test
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
 
 // save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?307';
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('content_iframe').src = 'file_redirect_content.sjs?307';
+    });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP.html
+++ b/content/base/test/csp/test_CSP.html
@@ -5,40 +5,21 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 window.tests = {
-  img_good: -1,
-  img_bad: -1,
-  style_good: -1,
-  style_bad: -1,
-  frame_good: -1,
-  frame_bad: -1,
-  script_good: -1,
-  script_bad: -1,
-  xhr_good: -1,
-  xhr_bad: -1,
-  media_good: -1,
-  media_bad: -1,
-  font_good: -1,
-  font_bad: -1,
-  object_good: -1,
-  object_bad: -1,
   img_spec_compliant_good: -1,
   img_spec_compliant_bad: -1,
   style_spec_compliant_good: -1,
   style_spec_compliant_bad: -1,
   frame_spec_compliant_good: -1,
   frame_spec_compliant_bad: -1,
   script_spec_compliant_good: -1,
   script_spec_compliant_bad: -1,
@@ -125,15 +106,14 @@ SpecialPowers.pushPrefEnv(
           // blocks loading the resource until the user interacts with a
           // corresponding widget, which breaks the media_* tests. We set it
           // back to the default used by desktop Firefox to get consistent
           // behavior.
           ["media.preload.default", 2]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
+      document.getElementById('cspframe').src = 'file_CSP_main_spec_compliant.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_evalscript.html
+++ b/content/base/test/csp/test_CSP_evalscript.html
@@ -6,24 +6,21 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 24;
+var evalScriptsTotal = 16;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -49,17 +46,15 @@ var checkTestResults = function() {
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
-      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
+++ b/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
@@ -7,24 +7,23 @@
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/content/base/test/csp/";
 
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 4;
+var evalScriptsTotal = 3;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -49,17 +48,16 @@ var checkTestResults = function() {
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
-      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_frameancestors.html
+++ b/content/base/test/csp/test_CSP_frameancestors.html
@@ -5,47 +5,34 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 var framesThatShouldLoad = {
-  aa_allow: -1,    /* innermost frame allows a */
-  //aa_block: -1,    /* innermost frame denies a */
-  ab_allow: -1,    /* innermost frame allows a */
-  //ab_block: -1,    /* innermost frame denies a */
-  aba_allow: -1,   /* innermost frame allows b,a */
-  //aba_block: -1,   /* innermost frame denies b */
-  //aba2_block: -1,  /* innermost frame denies a */
-  abb_allow: -1,   /* innermost frame allows b,a */
-  //abb_block: -1,   /* innermost frame denies b */
-  //abb2_block: -1,  /* innermost frame denies a */
   aa_allow_spec_compliant: -1,    /* innermost frame allows a *
   //aa_block_spec_compliant: -1,    /* innermost frame denies a */
   ab_allow_spec_compliant: -1,    /* innermost frame allows a */
   //ab_block_spec_compliant: -1,    /* innermost frame denies a */
   aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
   //aba_block_spec_compliant: -1,   /* innermost frame denies b */
   //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
   abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
   //abb_block_spec_compliant: -1,   /* innermost frame denies b */
   //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };
 
-var expectedViolationsLeft = 12;
+var expectedViolationsLeft = 6;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -121,16 +108,15 @@ window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
 // added this so the tests run even if we don't flip the pref on by default.
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
-    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
+    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main_spec_compliant.html';
   });
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_inlinescript.html
+++ b/content/base/test/csp/test_CSP_inlinescript.html
@@ -6,26 +6,23 @@
   <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 var inlineScriptsThatRan = 0;
 var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 12;
+var inlineScriptsTotal = 8;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -74,55 +71,47 @@ var scriptBlocked = function(testname, d
 var checkTestResults = function() {
   // if any test is incomplete, keep waiting
   if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
     return;
 
   // The four scripts in the page with 'unsafe-inline' should run.
   is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
 
-  // The other eight scripts in the other two pages should be blocked.
-  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
+  // The four scripts in the other page should be blocked.
+  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
 
   // ... otherwise, finish
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 //////////////////////////////////////////////////////////////////////
 // set up and go
 window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
-function clickit() {
-  var cspframe = document.getElementById('cspframe');
-  var a = cspframe.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
+function clickit1() {
+  var cspframe1 = document.getElementById('cspframe1');
+  var a = cspframe1.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
 }
 
 function clickit2() {
   var cspframe2 = document.getElementById('cspframe2');
   var a = cspframe2.contentDocument.getElementById('anchortoclick');
   sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
 }
 
-function clickit3() {
-  var cspframe3 = document.getElementById('cspframe3');
-  var a = cspframe3.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
-}
-
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
-    document.getElementById('cspframe').addEventListener('load', clickit, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+    document.getElementById('cspframe1').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+    document.getElementById('cspframe1').addEventListener('load', clickit1, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
     document.getElementById('cspframe2').addEventListener('load', clickit2, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
   });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_inlinestyle.html
+++ b/content/base/test/csp/test_CSP_inlinestyle.html
@@ -5,138 +5,107 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
-
 //////////////////////////////////////////////////////////////////////
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 var done = 0;
 
-// Our original CSP implementation does not block inline styles.
-function checkStyles(evt) {
-  var cspframe = document.getElementById('cspframe');
+// When a CSP 1.0 compliant policy is specified we should block inline
+// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
+// (when it's not explicitly allowed.)
+function checkStylesSpecCompliant(evt) {
+  var cspframe = document.getElementById('cspframe1');
   var color;
 
   // black means the style wasn't applied.  green colors are used for styles
   //expected to be applied.  A color is red if a style is erroneously applied
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
+  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
+  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
+// When a CSP 1.0 compliant policy is specified we should allow inline
+// styles when it is explicitly allowed.
+function checkStylesSpecCompliantAllowed(evt) {
+  var cspframe = document.getElementById('cspframe2');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  // expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
+
+  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
+  // since it relies on executing script to set .cssText
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
   // SMIL tests
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-  checkIfDone();
-}
 
-// When a CSP 1.0 compliant policy is specified we should block inline
-// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
-// (when it's not explicitly allowed.)
-function checkStylesSpecCompliant(evt) {
-  var cspframe = document.getElementById('cspframe2');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  //expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should allow inline
-// styles when it is explicitly allowed.
-function checkStylesSpecCompliantAllowed(evt) {
-  var cspframe = document.getElementById('cspframe3');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  // expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
-
-  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
-  // since it relies on executing script to set .cssText
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
   ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
 
   checkIfDone();
 }
 
 function checkIfDone() {
   done++;
-  if (done == 3)
+  if (done == 2)
     SimpleTest.finish();
 }
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
-    document.getElementById('cspframe').addEventListener('load', checkStyles, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
+    document.getElementById('cspframe1').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
+    document.getElementById('cspframe1').addEventListener('load', checkStylesSpecCompliant, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliantAllowed, false);
   }
 );
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_csp_bug768029.html
+++ b/content/base/test/csp/test_csp_bug768029.html
@@ -208,16 +208,17 @@ function runTest() {
 var gTestRunner = runTest();
 
 // load the default CSP and pref it on
 SpecialPowers.addPermission("browser", true, "https://example.com");
 SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
                                    ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
                                    ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
                                    ["security.mixed_content.block_active_content", false],
-                                   ["security.mixed_content.block_display_content", false]]},
+                                   ["security.mixed_content.block_display_content", false],
+                                   ["security.csp.speccompliant", true]]},
                           function() {  gTestRunner.next(); });
 
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_csp_bug773891.html
+++ b/content/base/test/csp/test_csp_bug773891.html
@@ -1,12 +1,12 @@
 <!DOCTYPE HTML>
 <html>
 <!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
+  https://bugzilla.mozilla.org/show_bug.cgi?id=773891
 -->
 <head>
   <meta charset="utf-8">
   <title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
   <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
 </head>
 <body>
@@ -213,16 +213,17 @@ function runTest() {
 
 var gTestRunner = runTest();
 
 // load the default CSP and pref it on
 SpecialPowers.addPermission("browser", true, "https://example.com");
 
 SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
                                    ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
-                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
+                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
+                                   ["security.csp.speccompliant", true]]},
                           function() {  gTestRunner.next(); });
 
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_csp_redirects.html
+++ b/content/base/test/csp/test_csp_redirects.html
@@ -63,35 +63,17 @@ examiner.prototype  = {
   remove: function() {
     SpecialPowers.removeObserver(this, "csp-on-violate-policy");
     SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
   }
 }
 window.examiner = new examiner();
 
 // contains { test_frame_id : expected_result }
-var testExpectedResults = { "font-src": true,
-                            "font-src-redir": false,
-                            "frame-src": true,
-                            "frame-src-redir": false,
-                            "img-src": true,
-                            "img-src-redir": false,
-                            "media-src": true,
-                            "media-src-redir": false,
-                            "object-src": true,
-                            "object-src-redir": false,
-                            "script-src": true,
-                            "script-src-redir": false,
-                            "style-src": true,
-                            "style-src-redir": false,
-                            "worker": true,
-                            "worker-redir": false,
-                            "xhr-src": true,
-                            "xhr-src-redir": false,
-                            "font-src-spec-compliant": true,
+var testExpectedResults = { "font-src-spec-compliant": true,
                             "font-src-redir-spec-compliant": false,
                             "frame-src-spec-compliant": true,
                             "frame-src-redir-spec-compliant": false,
                             "img-src-spec-compliant": true,
                             "img-src-redir-spec-compliant": false,
                             "media-src-spec-compliant": true,
                             "media-src-redir-spec-compliant": false,
                             "object-src-spec-compliant": true,
--- a/content/base/test/csp/test_csp_report.html
+++ b/content/base/test/csp/test_csp_report.html
@@ -95,14 +95,19 @@ window.checkResults = function(reportObj
   // change with the trunk
 }
 
 window.examiner = new examiner();
 
 SimpleTest.waitForExplicitFinish();
 
 // load the resource which will generate a CSP violation report
-document.getElementById("cspframe").src = testFile;
-
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById("cspframe").src = testFile;
+    });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_multi_policy_injection_bypass.html
+++ b/content/base/test/csp/test_multi_policy_injection_bypass.html
@@ -105,17 +105,19 @@ window.testResult = function(testname, r
   // ... otherwise, finish
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
 
 // save this for last so that our listeners are registered.
-// ... this loads the testbed of good and bad requests.
-
-document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
-document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
-
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
+      document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
+    });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_subframe_run_js_if_allowed.html
+++ b/content/base/test/csp/test_subframe_run_js_if_allowed.html
@@ -8,25 +8,30 @@ permitted to execute javascript: URLs as
 allows this.
 -->
 <head>
   <title>Test for Bug 702439</title>
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
+<iframe id="i"></iframe>
 <script class="testbody" type="text/javascript">
 var javascript_link_ran = false;
 
 // check that the script in the child frame's javascript: URL ran
 function checkResult()
 {
   is(javascript_link_ran, true,
      "javascript URL didn't execute");
 
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function() {
+    document.getElementById('i').src = 'file_subframe_run_js_if_allowed.html';
+  });
 </script>
-<iframe id="i" src="file_subframe_run_js_if_allowed.html"></iframe>
 </body>
 </html>
--- a/content/base/test/moz.build
+++ b/content/base/test/moz.build
@@ -1,16 +1,17 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 TEST_TOOL_DIRS += [
     'csp',
+    'xcsp',
     'websocket_hybi',
 ]
 
 XPCSHELL_TESTS_MANIFESTS += ['unit/xpcshell.ini']
 
 # FIXME/bug 575918: out-of-process xpcshell is broken on OS X
 if CONFIG['OS_ARCH'] != 'Darwin':
     XPCSHELL_TESTS_MANIFESTS += ['unit_ipc/xpcshell.ini']
--- a/content/base/test/xcsp/file_CSP.css
+++ b/content/base/test/xcsp/file_CSP.css
@@ -7,14 +7,14 @@
 
 /* CSS font embedding tests */
 @font-face {
   font-family: "arbitrary_good";
   src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
 }
 @font-face {
   font-family: "arbitrary_bad";
-  src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
+  src: url('http://example.org/tests/content/base/test/xcsp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
 }
 
 .div_arbitrary_good { font-family: "arbitrary_good"; }
 .div_arbitrary_bad { font-family: "arbitrary_bad"; }
 
--- a/content/base/test/xcsp/file_CSP_frameancestors_main.js
+++ b/content/base/test/xcsp/file_CSP_frameancestors_main.js
@@ -1,17 +1,17 @@
 // Script to populate the test frames in the frame ancestors mochitest.
 //
 function setupFrames() {
 
   var $ = function(v) { return document.getElementById(v); }
   var base = {
-        self: '/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
-        a: 'http://mochi.test:8888/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
-        b: 'http://example.com/tests/content/base/test/csp/file_CSP_frameancestors.sjs'
+        self: '/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
+        a: 'http://mochi.test:8888/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
+        b: 'http://example.com/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs'
   };
 
   var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };
 
   var innerframeuri = null;
   var elt = null;
 
   elt = $('aa_allow');
--- a/content/base/test/xcsp/file_csp_redirects_main.html
+++ b/content/base/test/xcsp/file_csp_redirects_main.html
@@ -4,36 +4,27 @@
 </head>
 <body>
 <div id="container"></div>
 </body>
 
 <script>
 var thisSite = "http://mochi.test:8888";
 var otherSite = "http://example.com";
-var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
+var page = "/tests/content/base/test/xcsp/file_csp_redirects_page.sjs";
 
 var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
               "frame-src": thisSite+page+"?testid=frame-src&csp=1",
               "img-src":  thisSite+page+"?testid=img-src&csp=1",
               "media-src":  thisSite+page+"?testid=media-src&csp=1",
               "object-src":  thisSite+page+"?testid=object-src&csp=1",
               "script-src":  thisSite+page+"?testid=script-src&csp=1",
               "style-src":  thisSite+page+"?testid=style-src&csp=1",
               "worker":  thisSite+page+"?testid=worker&csp=1",
               "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
-              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
-              "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
-              "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
-              "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
-              "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
-              "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
-              "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
-              "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
-              "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
             };
 
 var container = document.getElementById("container");
 
 // load each test in its own iframe
 for (tid in tests) {
   var i = document.createElement("iframe");
   i.id = tid;
--- a/content/base/test/xcsp/mochitest.ini
+++ b/content/base/test/xcsp/mochitest.ini
@@ -1,164 +1,68 @@
 [DEFAULT]
 support-files =
   file_CSP.css
   file_CSP.sjs
-  file_CSP_bug663567.xsl
-  file_CSP_bug663567_allows.xml
-  file_CSP_bug663567_allows.xml^headers^
-  file_CSP_bug663567_blocks.xml
-  file_CSP_bug663567_blocks.xml^headers^
-  file_CSP_bug802872.html
-  file_CSP_bug802872.html^headers^
-  file_CSP_bug802872.js
-  file_CSP_bug802872.sjs
-  file_CSP_bug885433_allows.html
-  file_CSP_bug885433_allows.html^headers^
-  file_CSP_bug885433_blocks.html
-  file_CSP_bug885433_blocks.html^headers^
-  file_CSP_bug888172.html
-  file_CSP_bug888172.sjs
   file_CSP_bug916446.html
   file_CSP_bug916446.html^headers^
   file_CSP_evalscript_main.html
   file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main.js
-  file_CSP_evalscript_main_allowed.js
-  file_CSP_evalscript_main_allowed_getCRMFRequest.js
   file_CSP_evalscript_main_getCRMFRequest.html
   file_CSP_evalscript_main_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_getCRMFRequest.js
-  file_CSP_evalscript_main_spec_compliant.html
-  file_CSP_evalscript_main_spec_compliant.html^headers^
-  file_CSP_evalscript_main_spec_compliant_allowed.html
-  file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
-  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
-  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
-  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
-  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
   file_CSP_evalscript_no_CSP_at_all.html
   file_CSP_evalscript_no_CSP_at_all.html^headers^
   file_CSP_evalscript_no_CSP_at_all.js
   file_CSP_frameancestors.sjs
   file_CSP_frameancestors_main.html
   file_CSP_frameancestors_main.js
-  file_CSP_frameancestors_main_spec_compliant.html
-  file_CSP_frameancestors_main_spec_compliant.js
-  file_CSP_frameancestors_spec_compliant.sjs
   file_CSP_inlinescript_main.html
   file_CSP_inlinescript_main.html^headers^
-  file_CSP_inlinescript_main_spec_compliant.html
-  file_CSP_inlinescript_main_spec_compliant.html^headers^
-  file_CSP_inlinescript_main_spec_compliant_allowed.html
-  file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
   file_CSP_inlinestyle_main.html
   file_CSP_inlinestyle_main.html^headers^
-  file_CSP_inlinestyle_main_spec_compliant.html
-  file_CSP_inlinestyle_main_spec_compliant.html^headers^
-  file_CSP_inlinestyle_main_spec_compliant_allowed.html
-  file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
   file_CSP_main.html
   file_CSP_main.html^headers^
   file_CSP_main.js
-  file_CSP_main_spec_compliant.html
-  file_CSP_main_spec_compliant.html^headers^
-  file_CSP_main_spec_compliant.js
   file_bothCSPheaders.html
   file_bothCSPheaders.html^headers^
-  file_bug836922_npolicies.html
-  file_bug836922_npolicies.html^headers^
-  file_bug836922_npolicies_ro_violation.sjs
-  file_bug836922_npolicies_violation.sjs
-  file_bug886164.html
-  file_bug886164.html^headers^
-  file_bug886164_2.html
-  file_bug886164_2.html^headers^
-  file_bug886164_3.html
-  file_bug886164_3.html^headers^
-  file_bug886164_4.html
-  file_bug886164_4.html^headers^
-  file_bug886164_5.html
-  file_bug886164_5.html^headers^
-  file_bug886164_6.html
-  file_bug886164_6.html^headers^
   file_csp_bug768029.html
   file_csp_bug768029.sjs
   file_csp_bug773891.html
   file_csp_bug773891.sjs
   file_csp_redirects_main.html
   file_csp_redirects_page.sjs
   file_csp_redirects_resource.sjs
-  file_CSP_bug910139.sjs
-  file_CSP_bug910139.xml
-  file_CSP_bug910139.xsl
-  file_CSP_bug909029_star.html
-  file_CSP_bug909029_star.html^headers^
-  file_CSP_bug909029_none.html
-  file_CSP_bug909029_none.html^headers^
-  file_policyuri_regression_from_multipolicy.html
-  file_policyuri_regression_from_multipolicy.html^headers^
-  file_policyuri_regression_from_multipolicy_policy
-  file_nonce_source.html
-  file_nonce_source.html^headers^
-  file_CSP_bug941404.html
-  file_CSP_bug941404_xhr.html
-  file_CSP_bug941404_xhr.html^headers^
-  file_hash_source.html
-  file_hash_source.html^headers^
   file_dual_headers_warning.html
   file_dual_headers_warning.html^headers^
-  file_self_none_as_hostname_confusion.html
-  file_self_none_as_hostname_confusion.html^headers^
-  file_csp_testserver.sjs
-  file_csp_regexp_parsing.html
-  file_csp_regexp_parsing.js
-  file_report_uri_missing_in_report_only_header.html
-  file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.sjs
   file_policyuri_async_fetch.html
   file_policyuri_async_fetch.html^headers^
   file_redirect_content.sjs
   file_redirect_report.sjs
   file_subframe_run_js_if_allowed.html
   file_subframe_run_js_if_allowed.html^headers^
   file_multi_policy_injection_bypass.html
   file_multi_policy_injection_bypass.html^headers^
   file_multi_policy_injection_bypass_2.html
   file_multi_policy_injection_bypass_2.html^headers^
 
 [test_CSP.html]
-[test_CSP_bug663567.html]
-[test_CSP_bug802872.html]
-[test_CSP_bug885433.html]
-[test_CSP_bug888172.html]
 [test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
 [test_CSP_evalscript_getCRMFRequest.html]
 skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
 [test_bothCSPheaders.html]
-[test_bug836922_npolicies.html]
-[test_bug886164.html]
 [test_csp_redirects.html]
-[test_CSP_bug910139.html]
-[test_CSP_bug909029.html]
-[test_policyuri_regression_from_multipolicy.html]
-[test_nonce_source.html]
-[test_CSP_bug941404.html]
-[test_hash_source.html]
-skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
 [test_dual_headers_warning.html]
-[test_self_none_as_hostname_confusion.html]
-[test_bug949549.html]
-[test_csp_regexp_parsing.html]
-[test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
 [test_policyuri_async_fetch.html]
 [test_301_redirect.html]
 [test_302_redirect.html]
 [test_303_redirect.html]
 [test_307_redirect.html]
 [test_subframe_run_js_if_allowed.html]
--- a/content/base/test/xcsp/test_CSP.html
+++ b/content/base/test/xcsp/test_CSP.html
@@ -5,21 +5,18 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 window.tests = {
   img_good: -1,
   img_bad: -1,
   style_good: -1,
   style_bad: -1,
   frame_good: -1,
@@ -29,32 +26,16 @@ window.tests = {
   xhr_good: -1,
   xhr_bad: -1,
   media_good: -1,
   media_bad: -1,
   font_good: -1,
   font_bad: -1,
   object_good: -1,
   object_bad: -1,
-  img_spec_compliant_good: -1,
-  img_spec_compliant_bad: -1,
-  style_spec_compliant_good: -1,
-  style_spec_compliant_bad: -1,
-  frame_spec_compliant_good: -1,
-  frame_spec_compliant_bad: -1,
-  script_spec_compliant_good: -1,
-  script_spec_compliant_bad: -1,
-  xhr_spec_compliant_good: -1,
-  xhr_spec_compliant_bad: -1,
-  media_spec_compliant_good: -1,
-  media_spec_compliant_bad: -1,
-  font_spec_compliant_good: -1,
-  font_spec_compliant_bad: -1,
-  object_spec_compliant_good: -1,
-  object_spec_compliant_bad: -1,
 };
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
   SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
 }
@@ -126,14 +107,13 @@ SpecialPowers.pushPrefEnv(
           // corresponding widget, which breaks the media_* tests. We set it
           // back to the default used by desktop Firefox to get consistent
           // behavior.
           ["media.preload.default", 2]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_evalscript.html
+++ b/content/base/test/xcsp/test_CSP_evalscript.html
@@ -5,25 +5,21 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 24;
+var evalScriptsTotal = 8;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -50,16 +46,13 @@ var checkTestResults = function() {
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
-      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
+++ b/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
@@ -6,25 +6,23 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/content/base/test/csp/";
 
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 4;
+var evalScriptsTotal = 2;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -50,16 +48,14 @@ var checkTestResults = function() {
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
-      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_frameancestors.html
+++ b/content/base/test/xcsp/test_CSP_frameancestors.html
@@ -5,47 +5,34 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 var framesThatShouldLoad = {
   aa_allow: -1,    /* innermost frame allows a */
   //aa_block: -1,    /* innermost frame denies a */
   ab_allow: -1,    /* innermost frame allows a */
   //ab_block: -1,    /* innermost frame denies a */
   aba_allow: -1,   /* innermost frame allows b,a */
   //aba_block: -1,   /* innermost frame denies b */
   //aba2_block: -1,  /* innermost frame denies a */
   abb_allow: -1,   /* innermost frame allows b,a */
   //abb_block: -1,   /* innermost frame denies b */
   //abb2_block: -1,  /* innermost frame denies a */
-  aa_allow_spec_compliant: -1,    /* innermost frame allows a *
-  //aa_block_spec_compliant: -1,    /* innermost frame denies a */
-  ab_allow_spec_compliant: -1,    /* innermost frame allows a */
-  //ab_block_spec_compliant: -1,    /* innermost frame denies a */
-  aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
-  //aba_block_spec_compliant: -1,   /* innermost frame denies b */
-  //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
-  abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
-  //abb_block_spec_compliant: -1,   /* innermost frame denies b */
-  //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };
 
-var expectedViolationsLeft = 12;
+var expectedViolationsLeft = 6;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -122,15 +109,14 @@ SimpleTest.waitForExplicitFinish();
 
 // added this so the tests run even if we don't flip the pref on by default.
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
-    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
   });
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_inlinescript.html
+++ b/content/base/test/xcsp/test_CSP_inlinescript.html
@@ -7,25 +7,20 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
-var inlineScriptsThatRan = 0;
 var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 12;
+var inlineScriptsTotal = 4;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -48,44 +43,32 @@ examiner.prototype  = {
 
   // must eventually call this to remove the listener,
   // or mochitests might get borked.
   remove: function() {
     SpecialPowers.removeObserver(this, "csp-on-violate-policy");
   }
 }
 
-// called by scripts that run
-// the first argument is whether the script expects to be allowed or not.
-var scriptRan = function(result, testname, data) {
-  inlineScriptsThatRan++;
-  ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
 // called when a script is blocked
 // -- we can't determine *which* frame was blocked, but at least we can count them
 var scriptBlocked = function(testname, data) {
   inlineScriptsBlocked++;
   ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
-
 // Check to see if all the tests have run
 var checkTestResults = function() {
   // if any test is incomplete, keep waiting
-  if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
+  if (inlineScriptsBlocked < inlineScriptsTotal)
     return;
 
-  // The four scripts in the page with 'unsafe-inline' should run.
-  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
-
-  // The other eight scripts in the other two pages should be blocked.
-  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
+  // The other four scripts in the other two pages should be blocked.
+  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
 
   // ... otherwise, finish
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 //////////////////////////////////////////////////////////////////////
 // set up and go
@@ -93,36 +76,20 @@ window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
 function clickit() {
   var cspframe = document.getElementById('cspframe');
   var a = cspframe.contentDocument.getElementById('anchortoclick');
   sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
 }
 
-function clickit2() {
-  var cspframe2 = document.getElementById('cspframe2');
-  var a = cspframe2.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
-}
-
-function clickit3() {
-  var cspframe3 = document.getElementById('cspframe3');
-  var a = cspframe3.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
-}
-
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
     document.getElementById('cspframe').addEventListener('load', clickit, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', clickit2, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
   });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_inlinestyle.html
+++ b/content/base/test/xcsp/test_CSP_inlinestyle.html
@@ -6,23 +6,18 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
-
 //////////////////////////////////////////////////////////////////////
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 var done = 0;
 
 // Our original CSP implementation does not block inline styles.
 function checkStyles(evt) {
@@ -44,99 +39,27 @@ function checkStyles(evt) {
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
   checkIfDone();
 }
 
-// When a CSP 1.0 compliant policy is specified we should block inline
-// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
-// (when it's not explicitly allowed.)
-function checkStylesSpecCompliant(evt) {
-  var cspframe = document.getElementById('cspframe2');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  //expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should allow inline
-// styles when it is explicitly allowed.
-function checkStylesSpecCompliantAllowed(evt) {
-  var cspframe = document.getElementById('cspframe3');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  // expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
-
-  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
-  // since it relies on executing script to set .cssText
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
 function checkIfDone() {
   done++;
-  if (done == 3)
+  if (done == 1)
     SimpleTest.finish();
 }
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
     document.getElementById('cspframe').addEventListener('load', checkStyles, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
   }
 );
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_csp_redirects.html
+++ b/content/base/test/xcsp/test_csp_redirects.html
@@ -81,34 +81,16 @@ var testExpectedResults = { "font-src": 
                             "script-src": true,
                             "script-src-redir": false,
                             "style-src": true,
                             "style-src-redir": false,
                             "worker": true,
                             "worker-redir": false,
                             "xhr-src": true,
                             "xhr-src-redir": false,
-                            "font-src-spec-compliant": true,
-                            "font-src-redir-spec-compliant": false,
-                            "frame-src-spec-compliant": true,
-                            "frame-src-redir-spec-compliant": false,
-                            "img-src-spec-compliant": true,
-                            "img-src-redir-spec-compliant": false,
-                            "media-src-spec-compliant": true,
-                            "media-src-redir-spec-compliant": false,
-                            "object-src-spec-compliant": true,
-                            "object-src-redir-spec-compliant": false,
-                            "script-src-spec-compliant": true,
-                            "script-src-redir-spec-compliant": false,
-                            "style-src-spec-compliant": true,
-                            "style-src-redir-spec-compliant": false,
-                            "worker-spec-compliant": true,
-                            "worker-redir-spec-compliant": false,
-                            "xhr-src-spec-compliant": true,
-                            "xhr-src-redir-spec-compliant": false,
                           };
 
 // takes the name of the test, the URL that was tested, and whether the
 // load occurred
 var testResult = function(testName, url, result) {
   log("  testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
   is(result, testExpectedResults[testName], testName+" test: "+url);
 
--- a/content/base/test/xcsp/test_csp_report.html
+++ b/content/base/test/xcsp/test_csp_report.html
@@ -77,17 +77,17 @@ examiner.prototype  = {
 
 // content file that triggers a violation report
 var testFile = "file_csp_report.sjs";
 
 window.checkResults = function(reportObj) {
   var cspReport = reportObj["csp-report"];
   // correct violating request
   is(cspReport["document-uri"],
-     "http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
+     "http://mochi.test:8888/tests/content/base/test/xcsp/" + testFile,
      "Incorrect violating request");
   // correct blocked-uri
   is(cspReport["blocked-uri"],
      "http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png",
      "Incorrect blocked uri");
   // correct violated-directive
   is(cspReport["violated-directive"], "default-src http://mochi.test:8888",
      "Incorrect violated directive");