Bug 1530812 [wpt PR 15495] - Add signed exchange reporting error test cases, a=testonly
authorTsuyoshi Horo <horo@chromium.org>
Wed, 06 Mar 2019 12:34:45 +0000
changeset 464654 7e01f5fb1b40
parent 464653 11b9b53dc207
child 464655 9b7b2b7524d9
push id35717
push useraciure@mozilla.com
push dateSun, 17 Mar 2019 09:45:26 +0000
treeherdermozilla-central@e0861be8d6c0 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1530812, 15495, 910516, 1480363, 634520
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1530812 [wpt PR 15495] - Add signed exchange reporting error test cases, a=testonly Automatic update from web-platform-tests Add signed exchange reporting error test cases Bug: 910516 Change-Id: I01f776e0a787e97430cc033d55bb1a32e900f9e9 Reviewed-on: https://chromium-review.googlesource.com/c/1480363 Commit-Queue: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org> Cr-Commit-Position: refs/heads/master@{#634520} -- wpt-commits: a4d3950853b324eaeb4c49be58df1bed832519ca wpt-pr: 15495
testing/web-platform/tests/network-error-logging/support/nel.sub.js
testing/web-platform/tests/network-error-logging/support/pass.png.sub.headers
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_fetch_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_fetch_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_parse_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_parse_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_verification_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_verification_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-failed-zero-success-fraction.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-invalid_integrity_header.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-mi_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-parse_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-signature_verification_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-signature_verification_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_fetch_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_fetch_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_parse_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_parse_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_verification_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_verification_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-failed-zero-success-feaction.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-invalid_integrity_header.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-mi_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-parse_error.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-signature_verification_error-downgraded.tentative.html
testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-signature_verification_error.tentative.html
testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
testing/web-platform/tests/signed-exchange/resources/invalid-cert-format.cbor
testing/web-platform/tests/signed-exchange/resources/invalid-cert-format.cbor.headers
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-cert-not-found-on-alt-origin.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-cert-not-found.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-cert-format-on-alt-origin.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-cert-format.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-cert-sha256.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-format.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-integrity-header.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-location-cert-on-alt-origin.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg
testing/web-platform/tests/signed-exchange/resources/sxg/sxg-validity-period-too-long.sxg
--- a/testing/web-platform/tests/network-error-logging/support/nel.sub.js
+++ b/testing/web-platform/tests/network-error-logging/support/nel.sub.js
@@ -50,24 +50,29 @@ function _getNELResourceURL(subdomain, s
  * Fetches a resource whose headers define a basic NEL policy (i.e., with no
  * include_subdomains flag).  We ensure that we request the resource from a
  * different origin than is used for the main test case HTML file or for report
  * uploads.  This minimizes the number of reports that are generated for this
  * policy.
  */
 
 function getURLForResourceWithBasicPolicy(subdomain) {
-  return _getNELResourceURL(subdomain, "pass.png?id="+reportID);
+  return _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=1.0");
 }
 
 function fetchResourceWithBasicPolicy(subdomain) {
   const url = getURLForResourceWithBasicPolicy(subdomain);
   return fetch(url, {mode: "no-cors"});
 }
 
+function fetchResourceWithZeroSuccessFractionPolicy(subdomain) {
+  const url = _getNELResourceURL(subdomain, "pass.png?id="+reportID+"&success_fraction=0.0");
+  return fetch(url, {mode: "no-cors"});
+}
+
 /*
  * Fetches a resource whose headers define an include_subdomains NEL policy.
  */
 
 function getURLForResourceWithIncludeSubdomainsPolicy(subdomain) {
   return _getNELResourceURL(subdomain, "subdomains-pass.png?id="+reportID);
 }
 
--- a/testing/web-platform/tests/network-error-logging/support/pass.png.sub.headers
+++ b/testing/web-platform/tests/network-error-logging/support/pass.png.sub.headers
@@ -1,6 +1,6 @@
 Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Report-To: { "group": "nel-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[][www]}}:{{ports[https][0]}}/network-error-logging/support/report.py?op=put&reportID={{GET[id]}}" }] }
-NEL: {"report_to": "nel-group", "max_age": 10886400, "success_fraction": 1.0}
+NEL: {"report_to": "nel-group", "max_age": 10886400, "success_fraction": {{GET[success_fraction]}}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_fetch_error-downgraded.tentative.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_fetch_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from sxg.cert_fetch_error for' +
+   ' navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_fetch_error.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_fetch_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-cert-not-found-on-alt-origin.sxg?navigation';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_fetch_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "http.error",
+        status_code: 404,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_fetch_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_parse_error-downgraded.tentative.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format.sxg?navigation';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_parse_error.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_parse_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format-on-alt-origin.sxg?navigation';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_parse_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_verification_error-downgraded.tentative.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html', 'location');
+  assert_true(message.is_fallback, 'is_fallback');
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+    'sxg.cert_verification_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-cert_verification_error.tentative.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg?navigation';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.cert_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_verification_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-failed-zero-success-fraction.tentative.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed for navigation (zero success fraction)</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithZeroSuccessFractionPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: cert_url
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ), 'SXG error reporting must be downgraded when the cert URL is different ' +
+     'from the reporting origin');
+  assert_false(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ), 'Succeeded normal NEL report should not be sent when success fraction ' +
+     'is zero.');
+}, 'SXG error report must be downgraded when the cert URL is different from ' +
+   'the reporting origin. And succeeded normal NEL report should not be sent ' +
+   ' when success fraction is zero.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-invalid_integrity_header.tentative.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.invalid_integrity_header for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-integrity-header.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.invalid_integrity_header",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.invalid_integrity_header for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-mi_error.tentative.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.mi_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-merkle-integrity-error.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  try {
+    const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+    if (message.is_fallback) {
+        assert_unreached('Fallback redirect should not have happened');
+    } else {
+        assert_unreached('SXG should not have loaded');
+    }
+  } catch (e) {
+    assert_equals(e, 'timeout');
+  }
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.mi_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ]));
+}, 'SXG reporting test of sxg.mi_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-parse_error.tentative.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.parse_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-format.sxg?navigation';
+  try {
+    const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+    if (message.is_fallback) {
+        assert_unreached('Fallback redirect should not have happened');
+    } else {
+        assert_unreached('SXG should not have loaded');
+    }
+  } catch (e) {
+    assert_equals(e, 'timeout');
+  }
+
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          cert_url: []
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.parse_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-signature_verification_error-downgraded.tentative.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.signature_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256.sxg?navigation';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.signature_verification_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-navigation-signature_verification_error.tentative.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.signature_verification_error for navigation</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg?navigation';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  const message = await openSXGInIframeAndWaitForMessage(t, sxg_url);
+  assert_equals(message.location,
+                innerURLOrigin() + '/signed-exchange/resources/inner-url.html');
+  assert_true(message.is_fallback);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.signature_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.signature_verification_error for navigation.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_fetch_error-downgraded.tentative.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_fetch_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?prefetch';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.cert_fetch_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_fetch_error.tentative.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_fetch_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-cert-not-found-on-alt-origin.sxg?prefetch';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_fetch_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "http.error",
+        status_code: 404,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_fetch_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_parse_error-downgraded.tentative.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format.sxg?prefetch';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from sxg.cert_parse_error for' +
+    ' prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_parse_error.tentative.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_parse_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-format-on-alt-origin.sxg?prefetch';
+  const cert_url =
+      alt_origin + '/signed-exchange/resources/invalid-cert-format.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is same as the reporting origin. So
+        // the report must not be downgraded.
+        type: "sxg.cert_parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: cert_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_parse_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_verification_error-downgraded.tentative.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.cert_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.cert_verification_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-cert_verification_error.tentative.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.cert_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg?prefetch';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.cert_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.cert_verification_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-failed-zero-success-feaction.tentative.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed for prefetch (zero success fraction)</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithZeroSuccessFractionPolicy();
+  const sxg_url =
+      alt_origin + '/signed-exchange/resources/sxg/sxg-cert-not-found.sxg?prefetch';
+  const cert_url =
+      test_origin + '/signed-exchange/resources/not_found_certfile.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ), 'SXG error reporting must be downgraded when the cert URL is different ' +
+     'from the reporting origin');
+  assert_false(await reportExists(
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ), 'Succeeded normal NEL report should not be sent when success fraction ' +
+     'is zero.');
+}, 'SXG error report must be downgraded when the cert URL is different from ' +
+   'the reporting origin. And succeeded normal NEL report should not be sent ' +
+   ' when success fraction is zero.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-invalid_integrity_header.tentative.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.invalid_integrity_header for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-integrity-header.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.invalid_integrity_header",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.invalid_integrity_header for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-mi_error.tentative.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.mi_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-merkle-integrity-error.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.mi_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    }
+  ]));
+}, 'SXG reporting test of sxg.mi_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-parse_error.tentative.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.parse_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-format.sxg?prefetch';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.parse_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          cert_url: []
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.parse_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-signature_verification_error-downgraded.tentative.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.failed downgraded from sxg.signature_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+const test_origin = get_host_info().HTTPS_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256.sxg?prefetch';
+  const cert_url = test_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        // The origin of this SXG's certURL is different from the reporting
+        // origin. So the report must be downgraded.
+        type: "sxg.failed",
+        elapsed_time: 0,
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.failed downgraded from ' +
+   'sxg.signature_verification_error for prefetch.');
+</script>
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/reporting/sxg-reporting-prefetch-signature_verification_error.tentative.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<title>SXG reporting test of sxg.signature_verification_error for prefetch</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/network-error-logging/support/nel.sub.js"></script>
+<script src="../resources/sxg-util.js"></script>
+<body>
+<script>
+const alt_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
+
+nel_test(async t => {
+  await fetchResourceWithBasicPolicy();
+  const sxg_url =
+      alt_origin +
+      '/signed-exchange/resources/sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg?prefetch';
+  const cert_url = alt_origin + '/signed-exchange/resources/127.0.0.1.sxg.pem.cbor';
+  addPrefetch(sxg_url);
+  assert_true(await reportsExist([
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "sxg",
+        type: "sxg.signature_verification_error",
+        status_code: 200,
+        referrer: location.href,
+        sxg: {
+          outer_url: sxg_url,
+          inner_url:
+              innerURLOrigin() + '/signed-exchange/resources/inner-url.html',
+          cert_url: [cert_url]
+        }
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+    {
+      url: sxg_url,
+      user_agent: navigator.userAgent,
+      type: "network-error",
+      body: {
+        phase: "application",
+        type: "ok",
+        status_code: 200,
+        referrer: location.href,
+      },
+      metadata: {
+        content_type: "application/reports+json",
+      },
+    },
+  ]));
+}, 'SXG reporting test of sxg.signature_verification_error for prefetch.');
+</script>
+</body>
--- a/testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
+++ b/testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
@@ -2,16 +2,17 @@
 sxg_version=1b3
 certfile=127.0.0.1.sxg.pem
 keyfile=127.0.0.1.sxg.key
 inner_url_origin=https://127.0.0.1:8444
 # TODO: Stop hard-coding "web-platform.test" when generating Signed Exchanges on
 # the fly.
 wpt_test_origin=https://web-platform.test:8444
 wpt_test_remote_origin=https://www1.web-platform.test:8444
+wpt_test_alt_origin=https://not-web-platform.test:8444
 cert_url_origin=$wpt_test_origin
 sxg_content_type='content-type: application/signed-exchange;v=b3'
 
 set -e
 
 for cmd in gen-signedexchange gen-certurl; do
     if ! command -v $cmd > /dev/null 2>&1; then
         echo "$cmd is not installed. Please run:"
@@ -35,16 +36,32 @@ gen-signedexchange \
   -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
   -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
   -privateKey $keyfile \
   -date 2018-04-01T00:00:00Z \
   -expire 168h \
   -o sxg/sxg-location.sxg \
   -miRecordSize 100
 
+# A valid Signed Exchange. The origin of certUrl is the "alt" origin where NEL
+# policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-location-cert-on-alt-origin.sxg \
+  -miRecordSize 100
+
 # A signed exchange of unsupported version.
 gen-signedexchange \
   -version 1b2 \
   -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
   -status 200 \
   -content sxg-location.html \
   -certificate $certfile \
   -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
@@ -149,32 +166,96 @@ gen-signedexchange \
   -validityUrl https://example.com/signed-exchange/resources/resource.validity.msg \
   -privateKey $keyfile \
   -date 2018-04-01T00:00:00Z \
   -expire 168h \
   -o sxg/sxg-invalid-validity-url.sxg \
   -miRecordSize 100 \
   -ignoreErrors true
 
+# certUrl is 404 and the origin of certUrl is different from the "alt" origin
+# where NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/not_found_certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-cert-not-found.sxg \
+  -miRecordSize 100
+
+# certUrl is 404 and the origin of certUrl is the "alt" origin where NEL policy
+# is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/not_found_certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-cert-not-found-on-alt-origin.sxg \
+  -miRecordSize 100
+
 # certUrl is 404 and fallback URL is another signed exchange.
 gen-signedexchange \
   -version $sxg_version \
   -uri $inner_url_origin/signed-exchange/resources/sxg/sxg-location.sxg \
   -status 200 \
   -content failure.html \
   -certificate $certfile \
   -certUrl $cert_url_origin/signed-exchange/resources/not_found_$certfile.cbor \
   -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
   -privateKey $keyfile \
   -date 2018-04-01T00:00:00Z \
   -expire 168h \
   -o sxg/fallback-to-another-sxg.sxg \
   -miRecordSize 100 \
   -ignoreErrors true
 
+# certUrl is an invalid cert and the origin of certUrl is different from the
+# "alt" origin where NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/invalid-cert-format.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-invalid-cert-format.sxg \
+  -miRecordSize 100
+
+# certUrl is an invalid cert and the origin of certUrl is the "alt" origin where
+# NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/invalid-cert-format.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg/sxg-invalid-cert-format-on-alt-origin.sxg \
+  -miRecordSize 100
+
 # Nested signed exchange.
 gen-signedexchange \
   -version $sxg_version \
   -uri "$inner_url_origin/signed-exchange/resources/inner-url.html?fallback-from-nested-sxg" \
   -status 200 \
   -content sxg/sxg-location.sxg \
   -responseHeader "$sxg_content_type" \
   -certificate $certfile \
@@ -267,12 +348,61 @@ gen-signedexchange \
   -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
   -privateKey $keyfile \
   -date 2018-04-01T00:00:00Z \
   -expire 168h \
   -o sxg/sxg-hsts.sxg \
   -miRecordSize 100 \
   -ignoreErrors true
 
+
+
 # Signed Exchange with payload integrity error.
 echo 'garbage' | cat sxg/sxg-location.sxg - >sxg/sxg-merkle-integrity-error.sxg
 
+# An invalid signed exchange which integrity header is invalid.
+cat sxg/sxg-location.sxg |
+  sed 's/digest\/mi-sha256-03/digest\/mi-sha256-xx/' \
+    > sxg/sxg-invalid-integrity-header.sxg
+
+# An invalid signed exchange which cert-sha256 is invalid.
+dummy_sha256=`echo "dummy" | openssl dgst -binary -sha256 | base64`
+cat sxg/sxg-location.sxg |
+  sed "s/cert-sha256=\*[^*]*\*;/cert-sha256=*$dummy_sha256*;/" \
+    > sxg/sxg-invalid-cert-sha256.sxg
+cat sxg/sxg-location-cert-on-alt-origin.sxg |
+  sed "s/cert-sha256=\*[^*]*\*;/cert-sha256=*$dummy_sha256*;/" \
+    > sxg/sxg-invalid-cert-sha256-cert-on-alt-origin.sxg
+
+# An invalid signed exchange which validity period is too long.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 300h \
+  -o sxg/sxg-validity-period-too-long.sxg \
+  -miRecordSize 100 \
+  -ignoreErrors true
+
+# An invalid signed exchange which validity period is too long. The origin of
+# certUrl is the "alt" origin where NEL policy is installed in reporting tests.
+gen-signedexchange \
+  -version $sxg_version \
+  -uri $inner_url_origin/signed-exchange/resources/inner-url.html \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $wpt_test_alt_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 300h \
+  -o sxg/sxg-validity-period-too-long-cert-on-alt-origin.sxg \
+  -miRecordSize 100 \
+  -ignoreErrors true
+
 rm -fr $tmpdir
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/resources/invalid-cert-format.cbor
@@ -0,0 +1,1 @@
+This is an invalid certificate file.
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/resources/invalid-cert-format.cbor.headers
@@ -0,0 +1,1 @@
+Content-Type: application/cert-chain+cbor
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..2a7dbf6fa69ae29055e51f6c7d32d3ab4ceb6765
GIT binary patch
literal 996
zc$}3|O=}ZD7)}usaug8{9@Z+fO}n2-n$Jy1lg)=DZPK(ht%ow%o!y;gv%Abpl1)nw
zf=~p}i+?~7>e+(_!HeJzsGdaxJ$Vohig?l8rh$4AXJC2e-S>H(c^`&&hRAlJq0o{^
zsY}v4FG>kc@VA&w#$qv^Aj5_l3q92YwgGtziPOg_Bs{Whh}k~2IFt6Q(9}^V^vD7o
zXk{3mBuDB>vrsMR?q*d=wyHQ$8;K>M=@s_kZB!g=j#8;E81(fm*MXu^+;a0MuU3e@
zx{IW;pdgs9w&%@MVtXyxS~ZF*2`^EJH%sMZuV@aWrYuJ?%m7$OLv$3}LZ1Hb2_}e}
z=x{w^OlKHmQ)poSEKh65fQ0fr#1a!o@kLgM`VA_?^lwkwq3jTLSl0qncW{rRKJ8!r
zK50jH`nI+c2<pg!oZ4~l#9-_wN8Hv%s^8YNxV5=vb+>!-d(Z?mudQ#I%bhB`S#Ff_
zgZg~RERi4-4NxeHaY>5Dgrp#380fjkHw|i0F&1AGgr}wPT<z4^!DIngZo*coYH4HC
z8>YNEU$|uqE0tYZ+pxMyb;WCf*h;g#R_V&+G@*d@NkI~Xn(Fw8*_5Rt7q+iZ=utj+
z6aE|~zywmcPjxogn6yD#bu?rfwX^P_@zS!_imQe7t%kw`61i}eB5J{0Va#P5ooSr}
zT3KIjD5sfb`EgS?OH_<pnhOt+tvN#uXqqzcX*EQAHpH_tJxB<+@#6W{;|tF5n|<-&
zrK?jvKHUHO?4nnCy)<|I<>LoA(||Jz%q$F;bBvs0_QMQwa^n1O0p~iH`X55;ftUej
zga5&@92HRH*l9*{)P64@OiG-Ip}uh1=R^4MZA3c%oB8$b>%G*S%TJEJOZoSQcW-|=
veDx`+d^`6OV~Ee_1eBmOkw9ce2bR?VYB$aJh`@unO!#17jD48pCt3UfN0V1D
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..072125400abb5b6a19039d798a5f29261154efaf
GIT binary patch
literal 992
zc$}3|O=}ZD7)}usaug8{9@Z-KGy9dKZ9X=oNs}gRnkH@2ru9%JyR*B~%<jaQ$yZAc
zf=~p}i+{im(6a{*f)~LbP(6zXdh$>_DB?wTn+EDhoPp(;ci-oE=6x8}wUkgj90<(X
zoHtoqk`#4Xl)bIQXCje^#E|7eBLus;4O|OK6f)AHI%E=ZT}VSMibb0{I56}i5O|0|
z9pZ%Gk+kvUY$a2e+o~>=WCf=SWQuPq)o``4uFhL+)r2d~p47u8sw(YDEwVN}hte}r
zrMGA+#ln)_A+|YDR<{gHOE6M4HY)j2n$&NVx8?M%UhQbwctU6cj10tk{w=iO|DIrg
z#DR|JFl#s=AeTdndS`9eKo(?Na!`obK#fj?<gnMEL(2d5?7(`ci2*kWbwut_{^jiw
zzGIS>YwY-9Cc;qE>x2%(`)=BJbFCU{)l4IbH&=0E+nLydHYj#$=BAyl7vSPTIXBl{
zo`~5w<_BT`4mBmJs?mr%Bg+W^cALmE^=n}z5}lIer@8)2wb<FAG#TLLw3{vHxoXep
z#JbB;X2a^_^SiuQ#f@yC)UAL>sZv|bH?)N~<AAqVMwR8FPQ0{S9^$<wtX<)-%O(Fk
zcyri*GRU<SH$yY!K^t^+Vj$Nlo^=oOmyx_Szmi$sDrW^>A{9(>#4$`|`dopS!rDoo
z`Sta3_B7L^)NcwVnNCrYr-B{i8l)ov!^pNhS`jgi4e98J0~rH1UcNX!x<HQJ?kf*2
zT^;)I@!pr`7rVJPvt!p^J-VN=EjThMj6$C|CTJ;PKPU(%C(#QRh)qJd_hEe57qj4~
z|KDGj=zt^Q#s!1uEypJeN}^4nIeFUWLHOz2xO)D#@az5Y-PrBRkDq;4=RO?Xx%u_*
u_2+Q*+qs{VLV8BWr}(9T1Y$cTz_<?dMqKa^g9l@Y;K5`cdoU>tviJjR@m2T$
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..62acedd390e1a40379f4f48994d6ef7673a46f0d
GIT binary patch
literal 997
zc$}3|%WD%s98M7waug8{9@Z+fO}mf0+PpR;O*apl)TB*K8V@qro!y;eU(QUPr3XPM
zg6PG6KoRWOg9pKj;2%&uiwJu1P&_E&MR$`1>Peh|<(uFBzVDmg$B=;*WLsgMZ&jz%
zAqk!jhE_Pi-N8gG5{d8xX%<viIFNN<X^_W|*j+3`!XwLqnC)VN)2V6rW)6M6#|CIY
zBgwcVF;JGO*<xlnnw1IN$&aMG+Fl>x-Dr5IwcEu8DM-QHJJKjNv?A?ZwykB*8mbE$
zt$ZQM<BfWGw9c10%@OLzPSdRQL#3u|uAqKzqtnRTtcqeF$@GAM6hw#KEyUUXo?wc&
zsSalnZ8pgui$V>%XK_|R8YGlA5leIsiY~K4*lmy@rhj`{Hf8&;#X1I{s*O#Ky0m{M
zI5uX-avlp%PHx$F>M*es1J3qNyxUNfs8QcCI!$wN1a(jvG}OAj)+)m5`ARO+D=)_N
z9Pv_70EJ>O8VW@tLQD{n3>-Mfb@giDU?jRM2+wkp!5Z<?lZgT_oE1wd%DJ7P*^dv(
zeD<c+FBICev}1In;^v?VBAeC5R-q&26NCcVCE1W5lw{kD%%UtEI<Rqx!U5&IN8!$)
z156+lyHsUkm1!HaWLrU&RyytOn=B=DW&K9Bwp)=HPa^G4QA7=x&Q7?Dtuou=L<_ZA
zMLG#J#ZQ|2DI#O!(6qmgEXD3~KvATgODiGbvLT+IGa(`1+RGQmN9XLLw|l`y7cS5I
z`1s(<;rT)C&FaF{S5F?Mbq&rfG4s%4E-+%6+4D2Z_{6#40?x59bw7lbJuwZ=d;h&<
z*fOBVwi1kD%U#nWOiP@Op}KU^=R)}DT_AM!H}mWL@%{MSi%*|_4`n_a+`IMl;PvOQ
r^zF<~j3GXy<59fQR05IPDlm)|kUI&+MFj3IB>nqK6YRniKh5F~=LT60
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..30e4fcd9124955b498810069492ab7e83b208e63
GIT binary patch
literal 993
zc$}3|O=}ZD7)}usaug8{9@Z+fO}iiYZ1b@xN!)xiNt>jJP3u7>yOZ5X_KTTGvT5l-
z5Q-pr@ee2kJ$vvVcoF;o)w778ClAGgB3^X2X`r6O8Cafq_kEsc-iINM8e}_RpKn#8
z)Fug@4~CXG!QH{cN+c5D2~tg{u+Wh;V5*SEkXQpOL&77|gqR&*oztkH`(_S(zQ;P~
zKt0L0Br#Bx>ba7X)w?j3&+gWNq4cn-spYCNZuYG0%npd7EUoo>xs3wJwv-IY=CWpc
zt-Kg3H<lyCqJq?MrrP31PI*wvH+s=gHPa4d@vyL4sf%JD$qa#x6hz0~EyUUXo?wc&
zsSallbvDT$lR_1{XK~iO10<9;5KA-=ipE$W>^8^{)4x4Ou*2Fqpj`_a9Ca!GPVdB&
zJ(2QQfO2xj!c+B$ofxn;Tk%1=t3>s!hTh*X7I&crDo(q*rDZ!MxK^m;GsEg)T+0(L
z5d}~v2BV=+G$O1BLXv@wja*l+77j+DF+n)YPljs8&rT%@K)07osU+uHV`CI|s(kL2
zIw}@>w9?Z1Qfb|(gUEWl-6;0OLV{302P78~go<praha5*V;i=wQ0P$Jdl2p%8o&fn
zaX`E5N^RN(P1#bAsaDRq`zA|CUAwuFYi`#h#*;|<Qxs7hrgIZ6V|AI$lSGTnW=%Q`
zHN{Vw{3#-1WYe^NgiOU6aX?X|p-ZbE;<6#0pEDpK;Ks`r$43{eqqlp(N0+Y7{P_6b
z%kzs){>|#b^;b_GrZpALEiv=ZV=gdan%VO+%*ly!!v&meVd{Pet$JcAocI2FOSfb|
zk!2<r#gYexN0^p44a4rzX`c(>r+0zS`QOa1_s93+cP~GE_C1vOaB%PT*Mrxe!_v2N
pKQV^*jE+a~N>d3$?sS2!cYxeaFfJl+e<A7LUz%VSrub<Ve*jU*R_y=)
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..066a3cc0a4d4c31c342fc06107e459e1def04cad
GIT binary patch
literal 995
zc$}3|O=}ZD7)}usaug8{9@Z+fO}ii2Bu(?NDeWfh#wInfNt)n6CcBf}ZD&86nN2p9
z9t5EXq8I;wBI?<L2f>Tr52&6+1U-2u9u)DSyG<kYB+kI{%)9UNJo7#b@%1>{O++G#
z2Bj{^@_bxOb3(A=*@a{>$rDqzp~gaAHGr){9z)`IScQZ)Z5v|N!-zAeg(4GAB9R9O
zbRo(y0ZEEgOHH|4FU~s3Ws$7OjX@_>xk0>QU0Aohrm`V6h81z3Z7NN%=y>f_q?dJ2
zX)L=v(O61s^-`r)29j2qU#b#w8MQa%jE5~<?9_(IS=o_dIi?SgshM;b-a?xE?+M0;
z8|!cu(I<0^X;Y}<;4DpQrVa_^Et4e%5L5H4kO&%7i0R*+wnNzg?6NKbwC7-pqXF$-
z{(mmY5ntzAXmM)S!DIcAp%fElX~ROTt!BR_z_QX-(nX{tNWbQ~a#LF?4m!Sl(?zyc
zQNv6$K%o>*iDD`#EC@o5fxc@7o?$H!Pp0Mt;ql67taj%3T#^8go3=}3b)`A91{uG~
z%PoDNC|k7BMBAnEx?cy$^?LiNvMsG<2?f+6vM2}@)d>Q#DNBbgY@eghr+oM%f;kL;
z38a!od+b7O+y-sc(M(&f9Cwe5mX^OzydpO`wGtCb6ry=*QUnX~h|4%VX5%nVrO~LB
zjv~$Tqo!z{sMvIAAv!Q^%^7e&(@On-RxwGyhIo3)f`oueFP<OlpK|u!?8NV%IY06J
z!`;u%PWvmb7iTWMe0Z;5=x}O|nT8>AhLH-)PLyE|Ph1c#;9LjO;6rFN6w~2!_&;38
zQ2{j_JIiQ}>RBOST;dE2dviy90fZml#>A7qn4j+s?qqJAef0F3xb%MS_O&m2uRbM8
rUr+qN7~*3(Atfx0B}{U?2N3E4bvw%hh``;MTy%GCgaer8$65Raaobf#
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..46d2bb1386ea08ed742b786ac2ec710bedaa9db2
GIT binary patch
literal 991
zc$}3|&ubGw7)=oraug8{9@Z+fO}jsnG-;AeNz+Y}G)YsNEvX)4vNPFiv%fksNj8=q
z1fd9`7yki^pl1&r1TTVrK=mvl=*dIzpokaUZ5pX3aR!z*-+u4C`5r?&U1VF)P-wA3
zsY_BkFG>kc@VA&s#$qv^7`lxhi#)9ZY#s3!5vPYWM0mrt5oUYX<T}(cLlXy~&?6JH
zkeOzDk{qcjYQD6dzp)BSxx6Aak}JiUx1r{SQWwYKXnS=n*Q=GqL4p+Y#ukCKTuIOE
zz`~MM*@R2OvJ!Q?coYyA-%*q0h1v4XQ03REb*bWP)Z>mENi%(58qlD_;1=@ae@`$*
z+*pURh(4KS44Wby`)7F)8ag7Bw+xnafE1r+g{a@4Ax!`F9H18Knt-+)Y;n}5{LA~#
zB{|~hoQo_@YdLtVJu;Ic!YplA=H|BAuM4PDY!(yCCXAAP-F5RSTwNY)dG>ABv|&XH
z@_>LMS&U0kJSHRsA<ZDqHGI#Y78PUhc|mwm7>(3iI6adr0Mkv_N=YlILu;_$Rr&m;
zJ}4HqX+<@=N~z|pgII07dA-<`S5kxm+9P>M5GtDEhh<Zi4qeo|M3G1N;5qnnbO0uZ
z%01d<ll5^MvNZ=9wq7~y9vUr}xw5>LZ*0{SCXmR6Gt{6a%H~I0#%VJf$9WbTjk<CY
zX@(y)g)>CMhD)>Ifnh^uzyS!AzE7(d#AhQsJ!K(6z_l08j}Ff{hi`VphZinSeE)F&
z^Rx3_;q~Io)t8SSWIH;Vnq#I>z?@;^EVCPCnBx=YhYL8@!PNf{S`EZ>G#&g8mg#7K
z8jhV}priGyfG{p`9gNy@Cw)FdAKyl#v%i?1?~d**+_`x0^qZ7>zkm1Um;G0tqRQ7Z
pKQKo4lukeiN@EFw+-d{UYyqvCVtho<-b^~YH#fpQ%<$tZegkweQxE_E
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/signed-exchange/resources/sxg/sxg-invalid-format.sxg
@@ -0,0 +1,1 @@
+This is an invalid Signed Exchange.
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..95d358245c909d7da0c2b6bbf08913c60aceda20
GIT binary patch
literal 991
zc$}3|O=}ZD7)}usaug8{9@Z+fO}n4Tw)xtWG;W%tNt!lEo7RI&b|<^r>{n+d&BoG$
zAQVCL;vcXGdiLN!@FMsFs%H^FPacW~MZD;4(`Y@3Gq61K?)yB?ybpstji=kuP-tE!
z#KlRL<%Kzh^EaQ2$6_%S8=4JO8hVNjYz?vqVyA}`h*`t7A)<T8WOQPgp|OKd=%ESP
z&`eQ2Ns3hDX0EuB+gwtM*__Nb;){i<S8rwqLKnqExV5yL?Nv*Be-7uh#s*fa*`k)+
zR`Uy1c}-myl;o)6iBW)6al08WC8kT;gC@INsR?DLUK1TDlA?BiX{ZJn1h<gJ|9gTF
zVn#ZQg|+b%W!MC2$UjTts-ZzlSj(WX4g_(Q_B_8qfr$L=*@tb~H38{3$YO|3`Iq<a
zOETEg7#CWM(ss~DduS#_+<G(7Yjsr7TwgW2o7VI#sDrZC>a6Pv?IJ8K*7Dh%%5*}{
z;~)<e5Ge7YAc!$8&T%OUdamJn2DK<36K6T@aeg>bEAeM0E-G=rbmwfjsN|aitDo>H
zY;H~K7YbXX+%&s#vFfdWSaqefTIfoPNlXCg;hey6WySHsvI$KFE^J*Q&?9W{9Q-+S
zfG{Ldk96pGZPW&B#Ze7gE1z}`4VRj}a(y}1*r>@=Adv~Di9t-5$ql)b)1m6ec@`Rt
zntT#znjJQU(^x@<OETfUVXID`0jetR__VTteKtgs6Bfi6TzmfP=<u9#_<EOraN+XU
zxA*rxJw5N`U(HWleevjiM%UoP3^fS@<`gAmsNFC{9iJFKT)?;vBK`-HN+71e$>4vm
zOh*C4aO@<dI!ez92%{3CBiNZa>GL7{@FpUh{Ym|JdvrH(`{KcquR`|S{+%12_g{XD
s%3scWM+l-*IsqjpjU)_wvja@C4U}$@@)3r6Q>pOY%n<u9&5pA81t=9$Hvj+t
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..a2ddc77951cebbbdbcd95a4d275501b4f64677f5
GIT binary patch
literal 995
zc$}3|O=}ZD7)}usaug8{9@Z+fO}Zc1ByIDtDd}d@q$V|KlP1-JOm=5Kn*DNSw%J&E
z5QHL#Ui<@!sAmrz1TTU=pn4V&^yHy<P{fPwHjUJiI0MTw@4nCT%=<9d*AjFu8Hp_F
zgt$1%vI%~k;ewsWE~HW^78{xk6&m`o4r~pw2x7-WGQ_N5+Yr$nG8vs%W@O??B=W!n
zJ!s~rfF#7~Qd_JxOL3>N!sE+gYp|KF-N0U{$*tO6yRy!=hBbbmbSiDW<apg>Q>$vA
z)>?8^UN0uM)U>pbfp}w{E!MHIWOh4Z#zU6IZ#IUhxabJ69JLKhLovuOyoE6N-xG`x
zGuB}&tWD-9!zNHe!C9D83=Lw!S_X}Ez^CVEE*Uh)5Rtz<ZHLeU*rQz&5Y<5zLju~r
z{Qq2(!M?`0&|>7CgU0$JLm}p_w=-T>Rnlf>&Fo*b;y0lVYJOMk=u5pSTv=|Ei`(^h
zMla(q69o_`B+@*ePH_tym!qKX8i8k6OD0n3IgWc=9*xz_9G^?zfa%WLQdKUuht?qD
z*I98x8&oP=q}De3QgzjDg4AlWyH@E7%UMhS@vz8qTupX@z-&U3p$og`2=oaXK8aus
z9Uu&e;1QKxXpGySEjx-~YqjI<k<n7}7fM&e)@DPZLWx2&PYhzhf;i$*j!LZ`=2>aA
z8q!gud3Mwk&0`rEE-6F@hOIaQ1}KWO9nfk94%iS)PgxLSaOuVKgZ)#^{+pe|{WIq$
zzJIv;`Ppf|{CaWb;>(Bk3c3cTW~pfyGG{2EK<z{+>hQz_;R42W5D7k*)I%{1PKW=)
zWjZn-hGS<b#gRQLB#cXpj-Wbw)E7Yb@okJh`HTAb?%+=5*4al-zwyQQd$+HB*?aXV
sDSbWh10jfx>4cQ9G?p;%brqOq56Jy26(9_EXL8Zq*%1z4o*ifL8>|mh;Q#;t
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..294f97b097a457f06c38d209ba24344bcab719ba
GIT binary patch
literal 995
zc$}3|OKTHR7)=orvJ?>)F2*XfO*)UfpOccNlSiGTNt3p*F63tB&ZC(Z_ugrymM#RL
z2%;PRfFkPJg$u!r;18&-MFd^BC@vInqccq-btT>l!@1vl=bZZ;F80(IJxGK?3mPE~
z&a-SRo?$qD$MV@^GRb0HwV+HxPtt&;LKZ=6yGVkV)h!Dm+C>JV5z`1wJqd*#7+?U6
z0_BtVNK@!k8WmHmI?X!l3R%15a1Eha-mYzIp`_4NTkU2o-8aSMRoh-Nl(JryvRZqk
zR^H4E`x&{H%Zl!zGl)8_SX+;#*{fWlSMGLkZ>iJk@O-2|Z39D>b+QxOf}j5H2_}e{
z=rAT$rwf#B5vU^n%uma@3Nc|#oyHo7r_wZ+@EatE$lsopP3RFE(2fC!Vk46wKJ8!r
ze=f>kPh}ivGSa|C6aBFvA91>CIk&IKDPv>R7;c);n@|Iy*H<>Q#X$ou*V=xj&1g=m
z;vf?l5Xi?;@pvl9WjU@uLC?{B&!Cn_$AjAA>UgYv?&MrN2Mi};2@R>bwquTRUX!h?
ztD|~-i->E+P-wKg4oJ2-{nh%AujMfT#Ko03$BB~d2WAnP>^QK0fk2P2!ISXk&;Y`a
z@Gep4Y<toMEy<R3OBGMLhsH}TURqkI^sco9Dv&6Ji$o^|ELFx_%2ufEQJ(c)uPq!$
zT4cvf;Uboh?vPS=q+7B*Vt_0Q+dfUyvCoERcE*GlgDWqdA0C{s58mv??w`9j_5H)$
z&(F?!)z=GimtQ`-SJG5CGf&OJfH_C;C2BWJQAa1n4;L_wjfnrjq#1~*a5nfKEW?%n
z(QPYF$+qO00bx>NGz69T<31n4k8dOK)4!;n?+)+eZk>Ph^jp0Ae*gCMFZ-`PC4{f1
pejo(V37vovlqM27zM%la7yxOQr+kFr-drKPH$TQcEV7d<egh*%Q^^1T
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..e90d9bc66de7fd3937c119afecec3cb4db5fa87c
GIT binary patch
literal 991
zc$}3|O=}ZD7)}usaug8{9@Z+fO`H8n(tK`8nr@nuq$X|Bq<WCq-PzqSvmfqEnr%xD
zf=~p}i+{i(=-Gn@!HeJzsGdaxJ$Vohig?l8rjdFQXJC2e-S>H(c^`)Oh7ea0k;sBc
zsY`MkCx~g554MoYB$G*wAj5`Q9QvvWYy)y0B+kH7A>oj1LoYt?Fl$l^M<xy;k%t&4
z5a*eIB*hwXt6Zxt%9g&=s;A9md8OUOOSf8CoDs8~QZg;zhGJUIrm3|MzhjnADU}}L
z^opY4f!#yhhFaaI_fv|Y3RR3c8Pk&GG}RZo^KHS9q*$KW0vKtCZily!CjWbaF=EF$
ztVN8;JcDcs4KFxLlNvH0p`3-{!~|k$KF%kC1{HerZ_goA;w}bMcRY)w0p(xbe=f-q
z-(X#6v8v*DW9^Zd6m!=**+Ea&Qn<T@``4`59cY5O-_yJ1qEdq^%gst@t1+83D<sTA
z0~AU^N)%H`KEv~Q2Kp`vJi}UIUJPrGE2EKm*^@I#Jiu<+mTPLIvuzEteuFD-7{hAy
zCargHU#_kCEs$Jo_13C=X*owIpaW7CdA_bXL0C48(`^^_E>P%GE_@Eb947Dxq|$)u
z@l12v25r^RkZsgYx<^J!D_mN-T5fMPWhRs;Mhg^C42$IvmvMAv{V30ByWNzJBQ0>F
zrf7kv9&%|hIz+bS3|XLQ@>W2rBNDKoH$7!RLco>h&%PX<aSmVa3J=a*ocR9!-lwN$
z{mQF_naeL8-7lI3oSI{%VaS|eq$0B$WtgKA8-xp3*YRlZA+!;S8E`uMA1>^ufFj4v
zF`A<etdKA+v8D(0x#PY7!Vhm^;^|+^&$nOhW^bQAc=Amwz1zQY{qz3Ij|utfsUMyP
ly%RbiB`l345V@fPj1{2vb4-8;+?&Zq_vS`8fCX-x#cy$+Q#1eo