Bug 1608451 [wpt PR 21133] - [Trusted Types] Implement require-trusted-types-for, a=testonly
authorYifan Luo <lyf@google.com>
Tue, 21 Jan 2020 10:55:24 +0000
changeset 511439 4ecc10398d748f78fe16b439c7696965802b7c61
parent 511438 0231963a7be9cd2c36edb1d9bb4416b622176982
child 511440 6546ad18608aa4cc696abdbf0fd21e31bfeb4183
push id37048
push userrmaries@mozilla.com
push dateThu, 23 Jan 2020 21:42:24 +0000
treeherdermozilla-central@fb6b61e49217 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1608451, 21133, 1030257, 1993351, 732848
milestone74.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1608451 [wpt PR 21133] - [Trusted Types] Implement require-trusted-types-for, a=testonly Automatic update from web-platform-tests [Trusted Types] Implement require-trusted-types-for This CL separates 'require-trusted-types-for' from 'trusted-typs' Content Security Policy directive, which currently has only one injection sink 'script'. https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-csp-directive Bug: 1030257 Change-Id: I1c241c5b6be318aa195323178cf974df138d5788 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1993351 Commit-Queue: Yifan Luo <lyf@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#732848} -- wpt-commits: b302c6dcdad515be7a446ee05cfda1027805226b wpt-pr: 21133
testing/web-platform/tests/trusted-types/GlobalEventHandlers-onclick.tentative.html
testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html
testing/web-platform/tests/trusted-types/WorkerGlobalScope-importScripts.https.html
testing/web-platform/tests/trusted-types/block-Node-multiple-arguments.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-Document-write.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
testing/web-platform/tests/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html
testing/web-platform/tests/trusted-types/block-text-node-insertion-into-script-element.tentative.html
testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.html.headers
testing/web-platform/tests/trusted-types/default-policy.tentative.html.headers
testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.html.headers
testing/web-platform/tests/trusted-types/empty-default-policy.tentative.html.headers
testing/web-platform/tests/trusted-types/eval-csp-tt-default-policy.tentative.html
testing/web-platform/tests/trusted-types/eval-csp-tt-no-default-policy.tentative.html
testing/web-platform/tests/trusted-types/eval-with-permissive-csp.tentative.html
testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.html
testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.html.headers
testing/web-platform/tests/trusted-types/no-require-trusted-types-for.tentative.html
testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.html
testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.html.headers
testing/web-platform/tests/trusted-types/require-trusted-types-for.tentative.html
testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers
testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html.headers
testing/web-platform/tests/trusted-types/support/navigation-support.html.headers
testing/web-platform/tests/trusted-types/trusted-types-createHTMLDocument.tentative.html
testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html
testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
testing/web-platform/tests/trusted-types/trusted-types-navigation.tentative.html
testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html
testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html.headers
testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html
testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html.headers
testing/web-platform/tests/trusted-types/tt-block-eval.tentative.html
--- a/testing/web-platform/tests/trusted-types/GlobalEventHandlers-onclick.tentative.html
+++ b/testing/web-platform/tests/trusted-types/GlobalEventHandlers-onclick.tentative.html
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="support/helper.sub.js"></script>
 
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script'">
 <body>
 <div id="container"></div>
 <script>
 var container = document.querySelector('#container');
 const policy = createScript_policy(window, 'onclick');
 const policy_html = createHTML_policy(window, 'onclick-html');
 
 // Trusted Type assignments do not throw.
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <meta name="timeout" content="long">
 <script src="/resources/testharness.js" ></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="support/helper.sub.js"></script>
 
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 <body>
 <div id="target"></div>
 <script>
   const policy = trustedTypes.createPolicy("anythinggoes", {
     "createHTML": x => x,
     "createScript": x => x,
     "createScriptURL": x => x,
   });
--- a/testing/web-platform/tests/trusted-types/WorkerGlobalScope-importScripts.https.html
+++ b/testing/web-platform/tests/trusted-types/WorkerGlobalScope-importScripts.https.html
@@ -1,12 +1,12 @@
 <!doctype html>
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
 </head>
 <body>
 <div id=log></div>
 
 <script>
 
--- a/testing/web-platform/tests/trusted-types/block-Node-multiple-arguments.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-Node-multiple-arguments.tentative.html
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <div id="container"></div>
 <script>
   const container = document.querySelector("#container");
   const policy = window.trustedTypes.createPolicy("policy", {
     createScript: t => t,
   });
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="support/helper.sub.js"></script>
 
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 <body>
 <script>
   // Trusted HTML assignments do not throw.
   test(t => {
     let p = createHTML_policy(window, 1);
     let html = p.createHTML(INPUTS.HTML);
     let parser = new DOMParser();
     let doc = parser.parseFromString(html, "text/html");
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="support/helper.sub.js"></script>
 
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 <body>
 <script>
   // setTimeout tests
   // TrustedScript assignments do not throw.
   async_test(t => {
     window.timeoutTest = t;
     let policy = createScript_policy(window, 'timeout');
     let script = policy.createScript("window.timeoutTest.done();");
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Document-write.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Document-write.tentative.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
 
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <script>
   // TrustedURL assignments do not throw.
   let p = createHTML_policy(window, 1);
   test(t => {
     document.body.innerText = '';
     let html = p.createHTML(INPUTS.HTML);
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
 
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <div id="container"></div>
 <script>
   var container = document.querySelector('#container');
 
   // Trusted HTML assignments do not throw.
   test(t => {
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
 
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <div id="container"></div>
 <script>
   var container = document.querySelector('#container')
 
   // TrustedHTML assignments do not throw.
   test(t => {
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
 
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <script>
   const nullPolicy = trustedTypes.createPolicy('NullPolicy', {createScript: s => s});
 
   // TrustedScriptURL Assignments
   const scriptURLTestCases = [
     [ 'embed', 'src' ],
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
 
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <script>
     test(t => {
       assert_element_accepts_trusted_html_set_ns(window, '0', t, 'a', 'b', RESULTS.HTML);
     }, "Element.setAttributeNS assigned via policy (successful HTML transformation)");
 
     test(t => {
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/helper.sub.js"></script>
 
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <script>
   var testnb = 0;
   // TrustedScriptURL Assignments
   const scriptURLTestCases = [
     [ 'embed', 'src' ],
     [ 'object', 'codeBase' ],
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="support/helper.sub.js"></script>
 
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 <body>
 <script>
   // TrustedHTML assignments do not throw.
   test(t => {
     let p = createHTML_policy(window, 1);
     let html = p.createHTML(INPUTS.HTML);
     var range = document.createRange();
     range.selectNodeContents(document.documentElement);
--- a/testing/web-platform/tests/trusted-types/block-text-node-insertion-into-script-element.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-text-node-insertion-into-script-element.tentative.html
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <div id="container"></div>
 <script id="script1">"hello world!";</script>
 <script id="trigger"></script>
 <script>
   var container = document.querySelector("#container");
   const policy_dict = {
--- a/testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.html.headers
+++ b/testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy-Report-Only: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/default-policy.tentative.html.headers
+++ b/testing/web-platform/tests/trusted-types/default-policy.tentative.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.html.headers
+++ b/testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy-Report-Only: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/empty-default-policy.tentative.html.headers
+++ b/testing/web-platform/tests/trusted-types/empty-default-policy.tentative.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/eval-csp-tt-default-policy.tentative.html
+++ b/testing/web-platform/tests/trusted-types/eval-csp-tt-default-policy.tentative.html
@@ -11,17 +11,17 @@
   trustedTypes.createPolicy("default", {createScript: s => s + 4});
   const p = trustedTypes.createPolicy("p", {createScript: s => s});
 
   test(t => {
     assert_equals(eval(p.createScript('1+1')), 2);
   }, "eval of TrustedScript works.");
 
   test(t => {
-    assert_equals(eval('1+1'), 15);
+    assert_equals(eval('1+1'), 2);
   }, "eval of string works.");
 
   test(t => {
     assert_equals(eval(42), 42);
     assert_object_equals(eval({}), {});
     assert_equals(eval(null), null);
     assert_equals(eval(undefined), undefined);
    }, "eval of !TrustedScript and !string works.");
--- a/testing/web-platform/tests/trusted-types/eval-csp-tt-no-default-policy.tentative.html
+++ b/testing/web-platform/tests/trusted-types/eval-csp-tt-no-default-policy.tentative.html
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script nonce="abc" src="/resources/testharness.js"></script>
   <script nonce="abc" src="/resources/testharnessreport.js"></script>
   <script nonce="abc" src="support/helper.sub.js"></script>
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
 </head>
 <body>
 <script>
   const p = trustedTypes.createPolicy("p", {createScript: s => s});
 
   test(t => {
     assert_equals(eval(p.createScript('1+1')), 2);
   }, "eval of TrustedScript works.");
--- a/testing/web-platform/tests/trusted-types/eval-with-permissive-csp.tentative.html
+++ b/testing/web-platform/tests/trusted-types/eval-with-permissive-csp.tentative.html
@@ -2,17 +2,17 @@
 <html>
 <head>
   <script nonce="abc" src="/resources/testharness.js"></script>
   <script nonce="abc" src="/resources/testharnessreport.js"></script>
   <script nonce="abc" src="support/helper.sub.js"></script>
 
   <!-- Note: Trusted Types enforcement, and a CSP that allows all eval. -->
   <meta http-equiv="Content-Security-Policy"
-        content="script-src 'nonce-abc' 'unsafe-eval'; trusted-types *">
+        content="script-src 'nonce-abc' 'unsafe-eval'; trusted-types *; require-trusted-types-for 'script'">
 </head>
 <body>
 <script nonce="abc">
   let p = createScript_policy(window, 1);
   test(t => {
     let a = 0;
     assert_throws(new EvalError(), _ => {
       eval('a="hello there"');
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+  const testCases = [
+    ["script", "src"],
+    ["div", "innerHTML"],
+    ["script", "text"],
+  ];
+
+  testCases.forEach(c => {
+    const name = `${c[0]}.${c[1]} `;
+    test(t => {
+      s = document.createElement("script");
+      s.innerText = "1";
+      assert_equals("1", s.innerText.toString());
+    }, name + "without trusted types");
+  });
+
+  p = trustedTypes.createPolicy("policyA",
+      {createScript: s => s + 1, createHTML: s => s + 1, createScriptURL: s => s + 1});
+  testCases.forEach(c => {
+    const name = `${c[0]}.${c[1]} `;
+    test(t => {
+      s = document.createElement("script");
+      script = p.createScript("1");
+      s.innerText = script;
+      assert_equals(script.toString(), s.innerText.toString());
+    }, name + "with trusted types");
+  });
+
+  trustedTypes.createPolicy("default", {});
+  testCases.forEach(c => {
+    const name = `${c[0]}.${c[1]} `;
+    test(t => {
+      s = document.createElement("script");
+      s.innerText = "1";
+      assert_equals(s.innerText.toString(), "1");
+    }, name + "empty default");
+  });
+</script>
\ No newline at end of file
copy from testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.html.headers
copy to testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.html.headers
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/no-require-trusted-types-for.tentative.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+</head>
+<body>
+<script>
+  const testCases = [
+    ["script", "src"],
+    ["div", "innerHTML"],
+    ["script", "text"],
+  ];
+
+  testCases.forEach(c => {
+    const name = `${c[0]}.${c[1]} `;
+    test(t => {
+      s = document.createElement("script");
+      s.innerText = "1";
+      assert_equals("1", s.innerText.toString());
+    }, name + "without trusted types");
+  });
+
+  p = trustedTypes.createPolicy("policyA",
+      {createScript: s => s + 1, createHTML: s => s + 1, createScriptURL: s => s + 1});
+  testCases.forEach(c => {
+    const name = `${c[0]}.${c[1]} `;
+    test(t => {
+      s = document.createElement("script");
+      script = p.createScript("1");
+      s.innerText = script;
+      assert_equals(script.toString(), s.innerText.toString());
+    }, name + "with trusted types");
+  });
+
+  trustedTypes.createPolicy("default", {});
+  testCases.forEach(c => {
+    const name = `${c[0]}.${c[1]} `;
+    test(t => {
+      s = document.createElement("script");
+      s.innerText = "1";
+      assert_equals(s.innerText.toString(), "1");
+    }, name + "empty default");
+  });
+</script>
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+  function promise_violation(filter_arg) {
+    return _ => new Promise((resolve, reject) => {
+      function handler(e) {
+        let matches = (filter_arg instanceof Function)
+            ? filter_arg(e)
+            : (e.originalPolicy.includes(filter_arg));
+        if (matches) {
+          document.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(e);
+        }
+      }
+
+      document.addEventListener("securitypolicyviolation", handler);
+    });
+  }
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("require-trusted-types-for 'script'"));
+
+    d = document.createElement("div");
+    d.innerHTML = "a";
+    assert_equals("a", d.innerHTML);
+    return p;
+  }, "Require trusted types for 'script' block create HTML.");
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("require-trusted-types-for 'script'"));
+
+    d = document.createElement("script");
+    d.innerText = "a";
+    assert_equals("a", d.innerText);
+    return p;
+  }, "Require trusted types for 'script' block create script.");
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("require-trusted-types-for 'script'"));
+
+    s = document.createElement("script");
+    s.src = "a";
+    assert_true(s.src.includes("/trusted-types/a"));
+    return p;
+  }, "Require trusted types for 'script' block create script URL.");
+
+  promise_test(t => {
+    return new Promise(resolve => {
+      p = trustedTypes.createPolicy("policyA", {createScript: s => s+1});
+      p1 = trustedTypes.createPolicy("policyA", {createHTML: _ => ""});
+      p2 = trustedTypes.createPolicy("default", {});
+      script = p.createScript("1");
+      assert_equals(script.toString(), "11");
+      s = document.createElement("script");
+      s.innerText = script;
+      assert_equals(script.toString(), s.innerText.toString());
+      s.innerText = "1";
+      assert_equals("1", s.innerText);
+      resolve();
+    });
+  }, "Set require trusted types for 'script' without CSP for trusted types don't block policy creation and using.");
+</script>
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.html.headers
@@ -0,0 +1,1 @@
+Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for.tentative.html
@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+</head>
+<body>
+<script>
+
+  function promise_violation(filter_arg) {
+    return _ => new Promise((resolve, reject) => {
+      function handler(e) {
+        let matches = (filter_arg instanceof Function)
+            ? filter_arg(e)
+            : (e.originalPolicy.includes(filter_arg));
+        if (matches) {
+          document.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(e);
+        }
+      }
+
+      document.addEventListener("securitypolicyviolation", handler);
+    });
+  }
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("require-trusted-types-for 'script'"));
+    d = document.createElement("div");
+    assert_throws(new TypeError(),
+        _ => {
+          d.innerHTML = "a";
+        });
+    assert_equals("", d.innerHTML);
+    return p;
+  }, "Require trusted types for 'script' block create HTML.");
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("require-trusted-types-for 'script'"));
+    d = document.createElement("script");
+    assert_throws(new TypeError(),
+        _ => {
+          d.innerText = "a";
+        });
+    assert_equals("", d.innerText);
+    return p;
+  }, "Require trusted types for 'script' block create script.");
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("require-trusted-types-for 'script'"));
+    s = document.createElement("script");
+    assert_throws(new TypeError(),
+        _ => {
+          s.src = "a";
+        });
+    assert_equals("", s.src);
+    return p;
+  }, "Require trusted types for 'script' block create script URL.");
+
+  promise_test(t => {
+    return new Promise(resolve => {
+      p = trustedTypes.createPolicy("policyA", {createScript: s => s + 1});
+      p1 = trustedTypes.createPolicy("policyA", {createHTML: _ => ""});
+      p2 = trustedTypes.createPolicy("default", {createScript: s => s});
+      script = p.createScript("1");
+      assert_equals(script.toString(), "11");
+      s = document.createElement("script");
+      s.innerText = script;
+      assert_equals(script.toString(), s.innerText.toString());
+      s.innerText = "1";
+      assert_equals("1", s.innerText.toString());
+      resolve();
+    });
+  }, "Set require trusted types for 'script' without CSP for trusted types don't block policy creation and using.");
+</script>
\ No newline at end of file
--- a/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers
+++ b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html.headers
+++ b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy-Report-Only: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/support/navigation-support.html.headers
+++ b/testing/web-platform/tests/trusted-types/support/navigation-support.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/trusted-types-createHTMLDocument.tentative.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-createHTMLDocument.tentative.html
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
-  <meta http-equiv="Content-Security-Policy" content="trusted-types * 'allow-duplicates'">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types * 'allow-duplicates'; require-trusted-types-for 'script'">
 </head>
 <body>
 <script>
 
 // Test Trusted Types in document types other than the main document, such as
 // documents created by createHTMLDocument or XHR requests.
 
 function create_XHR_document() {
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
@@ -71,17 +71,17 @@
       document.body.appendChild(o);
     });
   }
 
   window.script_run_beacon = 'never_overwritten';
 
   promise_test(t => {
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types *"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(promise_flush());
     expect_throws(_ => eval('script_run_beacon="should not run"'));
     assert_equals(script_run_beacon, 'never_overwritten');
     flush();
     return p;
   }, "Trusted Type violation report: evaluating a string violates both script-src and trusted-types.");
 
   promise_test(t => {
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
@@ -1,4 +1,4 @@
 Content-Security-Policy: trusted-types *
 Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
 Content-Security-Policy: plugin-types bla/blubb
-
+Content-Security-Policy: require-trusted-types-for 'script'
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
@@ -71,17 +71,17 @@
       document.body.appendChild(o);
     });
   }
 
   window.script_run_beacon = 'vanilla';
 
   promise_test(t => {
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types *"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(promise_flush());
     eval('script_run_beacon="report-only-does-not-stop"');
     assert_equals(script_run_beacon, 'report-only-does-not-stop');
     flush();
     return p;
   }, "Trusted Type violation report: evaluating a string.");
 
   promise_test(t => {
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
@@ -1,4 +1,5 @@
 Content-Security-Policy-Report-Only: trusted-types *
 Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
 Content-Security-Policy: plugin-types bla/blubb
+Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
 
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html
@@ -63,17 +63,17 @@
       o.type = "application/x-shockwave-flash";
       document.body.appendChild(o);
     });
   }
 
   promise_test(t => {
     let beacon = 'never_overwritten';
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types *"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(promise_flush());
     assert_throws(new EvalError(),
                   _ => eval('beacon="should not run"'));
     assert_equals(beacon, 'never_overwritten');
     flush();
     return p;
   }, "Trusted Type violation report: evaluating a string.");
 
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
@@ -1,4 +1,5 @@
 Content-Security-Policy: trusted-types *
 Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
 Content-Security-Policy: plugin-types bla/blubb
+Content-Security-Policy: require-trusted-types-for 'script'
 
--- a/testing/web-platform/tests/trusted-types/trusted-types-navigation.tentative.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-navigation.tentative.html
@@ -7,17 +7,18 @@
 <script>
   function expectMessage(filter) {
     return new Promise(resolve => {
       window.addEventListener("message", e => { if (filter(e)) resolve(); });
     });
   }
 
   function expectViolationAsMessage(sample) {
-    const filter = e => (e.data.effectiveDirective == "trusted-types" &&
+    const filter = e => ((e.data.effectiveDirective == "require-trusted-types-for" ||
+                          e.data.effectiveDirective == "trusted-types") &&
                          (!sample || e.data.sample.startsWith(sample)));
     return new expectMessage(filter);
   }
 
   function expectLoadedAsMessage(uri) {
     const filter = e => (e.data.type == "DOMContentLoaded" &&
                         (!uri || e.data.uri.endsWith(uri)));
     return new expectMessage(filter);
--- a/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html
@@ -72,15 +72,15 @@
   }, "Trusted Type violation report-only: assign string to script content");
 
   promise_test(t => {
     let p = expect_violation("trusted-types two");
     document.getElementById("script").src = "#def";
     return p.then(report => {
       assert_equals(report.documentURI, "" + window.location);
       assert_equals(report.disposition, "report");
-      assert_equals(report.effectiveDirective, "trusted-types");
-      assert_equals(report.violatedDirective, "trusted-types");
+      assert_equals(report.effectiveDirective, "require-trusted-types-for");
+      assert_equals(report.violatedDirective, "require-trusted-types-for");
       assert_true(report.originalPolicy.startsWith("trusted-types two;"));
     });
   }, "Trusted Type violation report: check report contents");
   </script>
 </body>
--- a/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html.headers
@@ -1,1 +1,1 @@
-Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php
+Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php; require-trusted-types-for 'script';
--- a/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html
@@ -120,23 +120,23 @@
         .then(promise_violation("trusted-types two"))
         .then(promise_flush());
     policy_one = trustedTypes.createPolicy("one", a_policy);
     flush();
     return p;
   }, "Trusted Type violation report: creating a forbidden-but-not-reported policy.");
 
   promise_test(t => {
-    let p = promise_violation("trusted-types two")();
+    let p = promise_violation("require-trusted-types-for 'script'")();
     expect_throws(_ => document.getElementById("script").src = url);
     return p;
   }, "Trusted Type violation report: assign string to script url");
 
   promise_test(t => {
-    let p = promise_violation("trusted-types two")();
+    let p = promise_violation("require-trusted-types-for 'script'")();
     expect_throws(_ => document.getElementById("div").innerHTML = "abc");
     return p;
   }, "Trusted Type violation report: assign string to html");
 
   promise_test(t => {
     let p = promise_flush()();
     document.getElementById("script").text = policy_one.createScript("2+2;");
     flush();
@@ -147,60 +147,60 @@
     let p = promise_flush()();
     document.getElementById("div").innerHTML = policy_one.createHTML("abc");
     flush();
     return p;
   }, "Trusted Type violation report: assign trusted HTML to html; no report");
 
   promise_test(t => {
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types two"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(expect_blocked_uri("trusted-types-sink"))
         .then(expect_sample("Element.innerHTML"))
         .then(expect_sample("abc"));
     expect_throws(_ => { document.getElementById("div").innerHTML = "abc" });
     return p;
   }, "Trusted Type violation report: sample for .innerHTML assignment");
 
   promise_test(t => {
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types two"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(expect_blocked_uri("trusted-types-sink"))
         .then(expect_sample("HTMLScriptElement.src"));
       expect_throws(_ => { document.getElementById("script").src = "" });
     return p;
   }, "Trusted Type violation report: sample for script.src assignment");
 
   promise_test(t => {
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types two"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(expect_blocked_uri("trusted-types-sink"))
         .then(expect_sample("HTMLElement.innerText"))
         .then(expect_sample("2+2;"));
     expect_throws(_ => document.getElementById("script").innerText = "2+2;");
     return p;
   }, "Trusted Type violation report: sample for script innerText assignment");
 
   promise_test(t => {
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types one"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(expect_blocked_uri("trusted-types-sink"))
         .then(expect_sample("eval"))
         .then(expect_sample("2+2"))
         .then(promise_flush());
     expect_throws(_ => eval("2+2"));
     flush();
     return p;
   }, "Trusted Type violation report: sample for eval");
 
   promise_test(t => {
     // We expect the sample string to always contain the name, and at least the
     // start of the value, but it should not be excessively long.
     let p = Promise.resolve()
-        .then(promise_violation("trusted-types two"))
+        .then(promise_violation("require-trusted-types-for 'script'"))
         .then(expect_blocked_uri("trusted-types-sink"))
         .then(expect_sample("HTMLElement.innerText"))
         .then(expect_sample("abbb"))
         .then(e => assert_less_than(e.sample.length, 150));
     const value = "a" + "b".repeat(50000);
     expect_throws(_ => document.getElementById("script").innerText = value);
     return p;
   }, "Trusted Type violation report: large values should be handled sanely.");
@@ -209,17 +209,17 @@
   // refer to the DOM elements being modified, so that Custom Elements cannot
   // "mask" the underlying DOM mechanism (for reporting).
   if (customElements) {
     class CustomScript extends HTMLScriptElement {};
     customElements.define("custom-script", CustomScript, { extends: "script" });
 
     promise_test(t => {
       let p = Promise.resolve()
-          .then(promise_violation("trusted-types one"))
+          .then(promise_violation("require-trusted-types-for 'script'"))
           .then(expect_blocked_uri("trusted-types-sink"))
           .then(expect_sample("HTMLScriptElement.src"))
           .then(expect_sample("abc"));
       expect_throws(_ => document.getElementById("customscript").src = "abc");
       return p;
     }, "Trusted Type violation report: sample for custom element assignment");
   }
 
--- a/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html.headers
@@ -1,5 +1,6 @@
 Content-Security-Policy: trusted-types one
 Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php
 Content-Security-Policy: plugin-types bla/blubb
 Content-Security-Policy: default-src * 'unsafe-inline'
+Content-Security-Policy: require-trusted-types-for 'script'
 
--- a/testing/web-platform/tests/trusted-types/tt-block-eval.tentative.html
+++ b/testing/web-platform/tests/trusted-types/tt-block-eval.tentative.html
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
-  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script'">
 </head>
 <body>
 <script>
   trustedTypes.createPolicy("default", {createScript: _ => null});
 
   test(t => {
     let a = 0;
     assert_throws(new EvalError(), _ => {