Bug 1418236 - Correct EventTarget for CSP violation events, r=ckerschb
authorAndrea Marchesini <amarchesini@mozilla.com>
Tue, 10 Jul 2018 17:40:21 +0200
changeset 816220 1b3143e4ec831f400df95c1fef8ee87d6f3368d2
parent 816219 8bcdfbe1d0dcf4ce58095da36fd8371fa68f7c3d
child 816221 8d27637a7296be10eef44de9ff252a62e9dc9f2d
child 816242 9dc32fadc13a6b3d7323f8d0cdb38faa98f4d42d
child 816297 f017a427c3cbccf397c9bf960a7b84ae5e801cb9
child 816972 9000547c1b8f069054aa455ac65da806bc4e8ee9
push id115778
push userbmo:mstriemer@mozilla.com
push dateTue, 10 Jul 2018 18:49:28 +0000
reviewersckerschb
bugs1418236
milestone63.0a1
Bug 1418236 - Correct EventTarget for CSP violation events, r=ckerschb
caps/nsScriptSecurityManager.cpp
dom/base/nsDocument.cpp
dom/base/nsJSTimeoutHandler.cpp
dom/base/nsStyledElement.cpp
dom/events/EventListenerManager.cpp
dom/html/HTMLFormElement.cpp
dom/html/HTMLSharedElement.cpp
dom/interfaces/security/nsIContentSecurityPolicy.idl
dom/jsurl/nsJSProtocolHandler.cpp
dom/script/ScriptLoader.cpp
dom/security/nsCSPContext.cpp
dom/security/nsCSPContext.h
dom/security/test/unit/test_csp_reports.js
dom/workers/RuntimeService.cpp
dom/workers/ScriptLoader.cpp
layout/style/Loader.cpp
layout/style/nsStyleUtil.cpp
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -504,16 +504,17 @@ nsScriptSecurityManager::ContentSecurity
                                        &columnNum)) {
             if (const char *file = scriptFilename.get()) {
                 CopyUTF8toUTF16(nsDependentCString(file), fileName);
             }
         } else {
             MOZ_ASSERT(!JS_IsExceptionPending(cx));
         }
         csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                                 nullptr, // triggering element
                                  fileName,
                                  scriptSample,
                                  lineNum,
                                  columnNum,
                                  EmptyString(),
                                  EmptyString());
     }
 
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -11946,17 +11946,18 @@ nsIDocument::InlineScriptAllowedByCSP()
   nsCOMPtr<nsIContentSecurityPolicy> csp;
   nsresult rv = NodePrincipal()->GetCsp(getter_AddRefs(csp));
   NS_ENSURE_SUCCESS(rv, true);
   bool allowsInlineScript = true;
   if (csp) {
     nsresult rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
                                        EmptyString(), // aNonce
                                        true,          // aParserCreated
-                                       nullptr, // FIXME get script sample (bug 1314567)
+                                       nullptr,       // aTriggeringElement
+                                       EmptyString(), // FIXME get script sample (bug 1314567)
                                        0,             // aLineNumber
                                        0,             // aColumnNumber
                                        &allowsInlineScript);
     NS_ENSURE_SUCCESS(rv, true);
   }
   return allowsInlineScript;
 }
 
--- a/dom/base/nsJSTimeoutHandler.cpp
+++ b/dom/base/nsJSTimeoutHandler.cpp
@@ -201,16 +201,17 @@ CheckCSPForEval(JSContext* aCx, nsGlobal
     uint32_t columnNum = 0;
     nsAutoString fileNameString;
     if (!nsJSUtils::GetCallingLocation(aCx, fileNameString, &lineNum,
                                        &columnNum)) {
       fileNameString.AssignLiteral("unknown");
     }
 
     csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                             nullptr, // triggering element
                              fileNameString, scriptSample, lineNum, columnNum,
                              EmptyString(), EmptyString());
   }
 
   return allowsEval;
 }
 
 nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler()
--- a/dom/base/nsStyledElement.cpp
+++ b/dom/base/nsStyledElement.cpp
@@ -203,17 +203,17 @@ nsStyledElement::ParseStyleAttribute(con
                                      nsIPrincipal* aMaybeScriptedPrincipal,
                                      nsAttrValue& aResult,
                                      bool aForceInDataDoc)
 {
   nsIDocument* doc = OwnerDoc();
   bool isNativeAnon = IsInNativeAnonymousSubtree();
 
   if (!isNativeAnon &&
-      !nsStyleUtil::CSPAllowsInlineStyle(nullptr, NodePrincipal(),
+      !nsStyleUtil::CSPAllowsInlineStyle(this, NodePrincipal(),
                                          aMaybeScriptedPrincipal,
                                          doc->GetDocumentURI(), 0, 0, aValue,
                                          nullptr))
     return;
 
   if (aForceInDataDoc ||
       !doc->IsLoadedAsData() ||
       GetExistingStyle() ||
--- a/dom/events/EventListenerManager.cpp
+++ b/dom/events/EventListenerManager.cpp
@@ -868,26 +868,23 @@ EventListenerManager::SetEventHandler(ns
       if (domNode) {
         tagName = domNode->NodeName();
       }
       // build a "script sample" based on what we know about this element
       scriptSample.Assign(attr);
       scriptSample.AppendLiteral(" attribute on ");
       scriptSample.Append(tagName);
       scriptSample.AppendLiteral(" element");
-      nsCOMPtr<nsISupportsString> sampleIString(do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID));
-      if (sampleIString) {
-        sampleIString->SetData(scriptSample);
-      }
 
       bool allowsInlineScript = true;
       rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
                                 EmptyString(), // aNonce
                                 true, // aParserCreated (true because attribute event handler)
-                                sampleIString,
+                                aElement,
+                                scriptSample,
                                 0,             // aLineNumber
                                 0,             // aColumnNumber
                                 &allowsInlineScript);
       NS_ENSURE_SUCCESS(rv, rv);
 
       // return early if CSP wants us to block inline scripts
       if (!allowsInlineScript) {
         return NS_OK;
--- a/dom/html/HTMLFormElement.cpp
+++ b/dom/html/HTMLFormElement.cpp
@@ -1702,17 +1702,18 @@ HTMLFormElement::GetActionURL(nsIURI** a
   rv = NodePrincipal()->GetCsp(getter_AddRefs(csp));
   NS_ENSURE_SUCCESS(rv, rv);
   if (csp) {
     bool permitsFormAction = true;
 
     // form-action is only enforced if explicitly defined in the
     // policy - do *not* consult default-src, see:
     // http://www.w3.org/TR/CSP2/#directive-default-src
-    rv = csp->Permits(actionURL, nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
+    rv = csp->Permits(this, actionURL,
+                      nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
                       true, &permitsFormAction);
     NS_ENSURE_SUCCESS(rv, rv);
     if (!permitsFormAction) {
       return NS_ERROR_CSP_FORM_ACTION_VIOLATION;
     }
   }
 
   // Potentially the page uses the CSP directive 'upgrade-insecure-requests'. In
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -149,17 +149,18 @@ SetBaseURIUsingFirstBaseWithHref(nsIDocu
       if (NS_FAILED(rv)) {
         newBaseURI = nullptr;
       }
       if (csp && newBaseURI) {
         // base-uri is only enforced if explicitly defined in the
         // policy - do *not* consult default-src, see:
         // http://www.w3.org/TR/CSP2/#directive-default-src
         bool cspPermitsBaseURI = true;
-        rv = csp->Permits(newBaseURI, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
+        rv = csp->Permits(child->AsElement(), newBaseURI,
+                          nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
                           true, &cspPermitsBaseURI);
         if (NS_FAILED(rv) || !cspPermitsBaseURI) {
           newBaseURI = nullptr;
         }
       }
       aDocument->SetBaseURI(newBaseURI);
       aDocument->SetChromeXHRDocBaseURI(nullptr);
       return;
--- a/dom/interfaces/security/nsIContentSecurityPolicy.idl
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -5,16 +5,17 @@
 #include "nsISerializable.idl"
 #include "nsIContentPolicy.idl"
 
 interface nsIURI;
 interface nsIDocShell;
 interface nsIEventTarget;
 interface nsIPrincipal;
 
+webidl Element;
 webidl Document;
 
 /**
  * nsIContentSecurityPolicy
  * Describes an XPCOM component used to model and enforce CSPs.  Instances of
  * this class may have multiple policies within them, but there should only be
  * one of these per document/principal.
  */
@@ -117,31 +118,34 @@ interface nsIContentSecurityPolicy : nsI
                     in boolean reportOnly,
                     in boolean deliveredViaMetaTag);
 
   /*
    * Whether this policy allows inline script or style.
    * @param aContentPolicyType Either TYPE_SCRIPT or TYPE_STYLESHEET
    * @param aNonce The nonce string to check against the policy
    * @param aParserCreated If the script element was created by the HTML Parser
-   * @param aElementOrContent The script element of the inline resource to hash
-   *        or the content of the psuedo-script to compare to hash
-   *        (and compare to the hashes listed in the policy)
+   * @param aTriggeringElement The script element of the inline resource to
+   *        hash. It can be null.
+   * @param aContentOfPseudoScript The content of the psuedo-script to compare
+   *                               to hash (and compare to the hashes listed in
+   *                               the policy)
    * @param aLineNumber The line number of the inline resource
    *        (used for reporting)
    * @param aColumnNumber The column number of the inline resource
    *        (used for reporting)
    * @return
    *     Whether or not the effects of the inline style should be allowed
    *     (block the rules if false).
    */
   boolean getAllowsInline(in nsContentPolicyType aContentPolicyType,
                           in AString aNonce,
                           in boolean aParserCreated,
-                          in nsISupports aElementOrContent,
+                          in Element aTriggeringElement,
+                          in AString aContentOfPseudoScript,
                           in unsigned long aLineNumber,
                           in unsigned long aColumnNumber);
 
   /**
    * whether this policy allows eval and eval-like functions
    * such as setTimeout("code string", time).
    * @param shouldReportViolations
    *     Whether or not the use of eval should be reported.
@@ -167,16 +171,18 @@ interface nsIContentSecurityPolicy : nsI
 
   /**
    * For each violated policy (of type violationType), log policy violation on
    * the Error Console and send a report to report-uris present in the violated
    * policies.
    *
    * @param violationType
    *     one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval
+   * @param triggeringElement
+   *     the element that triggers this CSP violation. It can be null.
    * @param sourceFile
    *     name of the source file containing the violation (if available)
    * @param contentSample
    *     sample of the violating content (to aid debugging)
    * @param lineNum
    *     source line number of the violation (if available)
    * @param columnNum
    *     source column number of the violation (if available)
@@ -186,16 +192,17 @@ interface nsIContentSecurityPolicy : nsI
    *     appropriate reports.
    * @param aContent
    *     (optional) If this is a hash violation, include contents of the inline
    *     resource in the question so we can recheck the hash in order to
    *     determine which policies were violated and send the appropriate
    *     reports.
    */
   void logViolationDetails(in unsigned short violationType,
+                           in Element triggeringElement,
                            in AString sourceFile,
                            in AString scriptSample,
                            in int32_t lineNum,
                            in int32_t columnNum,
                            [optional] in AString nonce,
                            [optional] in AString content);
 
   const unsigned short VIOLATION_TYPE_INLINE_SCRIPT          = 1;
@@ -245,32 +252,37 @@ interface nsIContentSecurityPolicy : nsI
 
 
   /**
    * Checks if a specific directive permits loading of a URI.
    *
    * NOTE: Calls to this may trigger violation reports when queried, so the
    * return value should not be cached.
    *
+   * @param aTriggeringElement
+   *        The element that triggers this CSP check. It can be null.
    * @param aURI
    *    The URI about to be loaded or used.
    * @param aDir
    *    The CSPDirective to query (see above constants *_DIRECTIVE).
    * @param aSpecific
    *    If "true" and the directive is specified to fall back to "default-src"
    *    when it's not explicitly provided, directivePermits will NOT try
    *    default-src when the specific directive is not used.  Setting this to
    *    "false" allows CSP to fall back to default-src.  This function
    *    behaves the same for both values of canUseDefault when querying
    *    directives that don't fall-back.
    * @return
    *    Whether or not the provided URI is allowed by CSP under the given
    *    directive. (block the pending operation if false).
    */
-  boolean permits(in nsIURI aURI, in CSPDirective aDir, in boolean aSpecific);
+  boolean permits(in Element aTriggeringElement,
+                  in nsIURI aURI,
+                  in CSPDirective aDir,
+                  in boolean aSpecific);
 
   /**
    * Delegate method called by the service when sub-elements of the protected
    * document are being loaded.  Given a bit of information about the request,
    * decides whether or not the policy is satisfied.
    *
    * Calls to this may trigger violation reports when queried, so
    * this value should not be cached.
--- a/dom/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/jsurl/nsJSProtocolHandler.cpp
@@ -174,18 +174,19 @@ nsresult nsJSThunk::EvaluateScript(nsICh
     // allowed.
     nsCOMPtr<nsIContentSecurityPolicy> csp;
     rv = principal->GetCsp(getter_AddRefs(csp));
     NS_ENSURE_SUCCESS(rv, rv);
     if (csp) {
         bool allowsInlineScript = true;
         rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
                                   EmptyString(), // aNonce
-                                  true,         // aParserCreated
-                                  nullptr, // aContent
+                                  true,          // aParserCreated
+                                  nullptr,       // aElement,
+                                  EmptyString(), // aContent
                                   0,             // aLineNumber
                                   0,             // aColumnNumber
                                   &allowsInlineScript);
 
         //return early if inline scripts are not allowed
         if (!allowsInlineScript) {
           return NS_ERROR_DOM_RETVAL_UNDEFINED;
         }
--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1218,17 +1218,17 @@ CSPAllowsInlineScript(nsIScriptElement* 
   // query the nonce
   nsCOMPtr<Element> scriptContent = do_QueryInterface(aElement);
   nsAutoString nonce;
   scriptContent->GetAttr(kNameSpaceID_None, nsGkAtoms::nonce, nonce);
   bool parserCreated = aElement->GetParserCreated() != mozilla::dom::NOT_FROM_PARSER;
 
   bool allowInlineScript = false;
   rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
-                            nonce, parserCreated, aElement,
+                            nonce, parserCreated, scriptContent, EmptyString(),
                             aElement->GetScriptLineNumber(),
                             aElement->GetScriptColumnNumber(),
                             &allowInlineScript);
   return allowInlineScript;
 }
 
 ScriptLoadRequest*
 ScriptLoader::CreateLoadRequest(ScriptKind aKind,
@@ -2867,16 +2867,17 @@ ScriptLoader::VerifySRI(ScriptLoadReques
       nsCOMPtr<nsIContentSecurityPolicy> csp;
       loadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(csp));
       nsAutoCString violationURISpec;
       mDocument->GetDocumentURI()->GetAsciiSpec(violationURISpec);
       uint32_t lineNo = aRequest->mElement ? aRequest->mElement->GetScriptLineNumber() : 0;
       uint32_t columnNo = aRequest->mElement ? aRequest->mElement->GetScriptColumnNumber() : 0;
       csp->LogViolationDetails(
         nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT,
+        nullptr, // triggering element
         NS_ConvertUTF8toUTF16(violationURISpec),
         EmptyString(), lineNo, columnNo, EmptyString(), EmptyString());
       rv = NS_ERROR_SRI_CORRUPT;
     }
   }
 
   return rv;
 }
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -49,16 +49,17 @@
 #include "nsSandboxFlags.h"
 #include "nsIScriptElement.h"
 #include "nsIEventTarget.h"
 #include "mozilla/dom/DocGroup.h"
 #include "mozilla/dom/Element.h"
 #include "nsXULAppAPI.h"
 
 using namespace mozilla;
+using namespace mozilla::dom;
 
 static LogModule*
 GetCspContextLog()
 {
   static LazyLogModule gCspContextPRLog("CSPContext");
   return gCspContextPRLog;
 }
 
@@ -203,16 +204,17 @@ nsCSPContext::ShouldLoad(nsContentPolicy
   }
 
   // aExtra holds the original URI of the channel if the
   // channel got redirected (until we fix Bug 1332422).
   nsCOMPtr<nsIURI> originalURI = do_QueryInterface(aExtra);
   bool wasRedirected = originalURI;
 
   bool permitted = permitsInternal(dir,
+                                   nullptr, // aTriggeringElement
                                    aContentLocation,
                                    originalURI,
                                    nonce,
                                    wasRedirected,
                                    isPreload,
                                    false,     // allow fallback to default-src
                                    true,      // send violation reports
                                    true,     // send blocked URI in violation reports
@@ -232,16 +234,17 @@ nsCSPContext::ShouldLoad(nsContentPolicy
                    *outDecision > 0 ? "load" : "deny",
                    aContentLocation->GetSpecOrDefault().get()));
   }
   return NS_OK;
 }
 
 bool
 nsCSPContext::permitsInternal(CSPDirective aDir,
+                              Element* aTriggeringElement,
                               nsIURI* aContentLocation,
                               nsIURI* aOriginalURI,
                               const nsAString& aNonce,
                               bool aWasRedirected,
                               bool aIsPreload,
                               bool aSpecific,
                               bool aSendViolationReports,
                               bool aSendContentLocationInViolationReports,
@@ -264,26 +267,27 @@ nsCSPContext::permitsInternal(CSPDirecti
         CSPCONTEXTLOG(("nsCSPContext::permitsInternal, false"));
         permits = false;
       }
 
       // Do not send a report or notify observers if this is a preload - the
       // decision may be wrong due to the inability to get the nonce, and will
       // incorrectly fail the unit tests.
       if (!aIsPreload && aSendViolationReports) {
-        this->AsyncReportViolation((aSendContentLocationInViolationReports ?
-                                    aContentLocation : nullptr),
-                                   aOriginalURI,  /* in case of redirect originalURI is not null */
-                                   violatedDirective,
-                                   p,             /* policy index        */
-                                   EmptyString(), /* no observer subject */
-                                   EmptyString(), /* no source file      */
-                                   EmptyString(), /* no script sample    */
-                                   0,             /* no line number      */
-                                   0);            /* no column number    */
+        AsyncReportViolation(aTriggeringElement,
+                             (aSendContentLocationInViolationReports ?
+                              aContentLocation : nullptr),
+                             aOriginalURI,  /* in case of redirect originalURI is not null */
+                             violatedDirective,
+                             p,             /* policy index        */
+                             EmptyString(), /* no observer subject */
+                             EmptyString(), /* no source file      */
+                             EmptyString(), /* no script sample    */
+                             0,             /* no line number      */
+                             0);            /* no column number    */
       }
     }
   }
 
   return permits;
 }
 
 
@@ -449,16 +453,17 @@ nsCSPContext::GetAllowsEval(bool* outSho
     }
   }
   return NS_OK;
 }
 
 // Helper function to report inline violations
 void
 nsCSPContext::reportInlineViolation(nsContentPolicyType aContentType,
+                                    Element* aTriggeringElement,
                                     const nsAString& aNonce,
                                     const nsAString& aContent,
                                     const nsAString& aViolatedDirective,
                                     uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that
                                     uint32_t aLineNumber,
                                     uint32_t aColumnNumber)
 {
   nsString observerSubject;
@@ -489,32 +494,35 @@ nsCSPContext::reportInlineViolation(nsCo
   }
 
   nsAutoString codeSample(aContent);
   // cap the length of the script sample
   if (codeSample.Length() > ScriptSampleMaxLength()) {
     codeSample.Truncate(ScriptSampleMaxLength());
     codeSample.AppendLiteral("...");
   }
-  AsyncReportViolation(selfISupports,                      // aBlockedContentSource
+
+  AsyncReportViolation(aTriggeringElement,
+                       selfISupports,                      // aBlockedContentSource
                        mSelfURI,                           // aOriginalURI
                        aViolatedDirective,                 // aViolatedDirective
                        aViolatedPolicyIndex,               // aViolatedPolicyIndex
                        observerSubject,                    // aObserverSubject
                        NS_ConvertUTF8toUTF16(sourceFile),  // aSourceFile
                        codeSample,                         // aScriptSample
                        aLineNumber,                        // aLineNum
                        aColumnNumber);                     // aColumnNum
 }
 
 NS_IMETHODIMP
 nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
                               const nsAString& aNonce,
                               bool aParserCreated,
-                              nsISupports* aElementOrContent,
+                              Element* aTriggeringElement,
+                              const nsAString& aContentOfPseudoScript,
                               uint32_t aLineNumber,
                               uint32_t aColumnNumber,
                               bool* outAllowsInline)
 {
   *outAllowsInline = true;
 
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
@@ -538,41 +546,42 @@ nsCSPContext::GetAllowsInline(nsContentP
     // unecessary strings
     if (allowed) {
       continue;
     }
 
     // Check the content length to ensure the content is not allocated more than
     // once. Even though we are in a for loop, it is probable that there is only one
     // policy, so this check may be unnecessary.
-    if (content.Length() == 0) {
-      // postpone the allocation until absolutely necessary.
-      nsCOMPtr<nsISupportsString> stringContent = do_QueryInterface(aElementOrContent);
-      nsCOMPtr<nsIScriptElement> element = do_QueryInterface(aElementOrContent);
-      if (stringContent) {
-        Unused << stringContent->GetData(content);
-      } else if (element) {
+    if (content.IsEmpty() && aTriggeringElement) {
+      nsCOMPtr<nsIScriptElement> element = do_QueryInterface(aTriggeringElement);
+      if (element) {
         element->GetScriptText(content);
       }
     }
 
+    if (content.IsEmpty()) {
+      content = aContentOfPseudoScript;
+    }
+
     allowed = mPolicies[i]->allows(aContentType, CSP_HASH, content, aParserCreated);
 
     if (!allowed) {
       // policy is violoated: deny the load unless policy is report only and
       // report the violation.
       if (!mPolicies[i]->getReportOnlyFlag()) {
         *outAllowsInline = false;
       }
       nsAutoString violatedDirective;
       bool reportSample = false;
       mPolicies[i]->getDirectiveStringAndReportSampleForContentType(aContentType,
                                                                     violatedDirective,
                                                                     &reportSample);
       reportInlineViolation(aContentType,
+                            aTriggeringElement,
                             aNonce,
                             reportSample ? content : EmptyString(),
                             violatedDirective,
                             i,
                             aLineNumber,
                             aColumnNumber);
     }
   }
@@ -615,22 +624,23 @@ nsCSPContext::GetAllowsInline(nsContentP
     if (!mPolicies[p]->allows(nsIContentPolicy::TYPE_ ## contentPolicyType,    \
                               keyword, nonceOrHash, false))                    \
     {                                                                          \
       nsAutoString violatedDirective;                                          \
       bool reportSample = false;                                               \
       mPolicies[p]->getDirectiveStringAndReportSampleForContentType(           \
                         nsIContentPolicy::TYPE_ ## contentPolicyType,          \
                         violatedDirective, &reportSample);                     \
-      this->AsyncReportViolation(selfISupports, nullptr, violatedDirective, p, \
-                                 NS_LITERAL_STRING(observerTopic),             \
-                                 aSourceFile,                                  \
-                                 reportSample                                  \
-                                   ? aScriptSample : EmptyString(),            \
-                                 aLineNum, aColumnNum);                        \
+      AsyncReportViolation(aTriggeringElement, selfISupports, nullptr,         \
+                           violatedDirective, p,                               \
+                           NS_LITERAL_STRING(observerTopic),                   \
+                           aSourceFile,                                        \
+                           reportSample                                        \
+                             ? aScriptSample : EmptyString(),                  \
+                           aLineNum, aColumnNum);                              \
     }                                                                          \
     PR_END_MACRO;                                                              \
     break
 
 /**
  * For each policy, log any violation on the Error Console and send a report
  * if a report-uri is present in the policy
  *
@@ -651,16 +661,17 @@ nsCSPContext::GetAllowsInline(nsContentP
  * @param aContent
  *     (optional) If this is a hash violation, include contents of the inline
  *     resource in the question so we can recheck the hash in order to
  *     determine which policies were violated and send the appropriate
  *     reports.
  */
 NS_IMETHODIMP
 nsCSPContext::LogViolationDetails(uint16_t aViolationType,
+                                  Element* aTriggeringElement,
                                   const nsAString& aSourceFile,
                                   const nsAString& aScriptSample,
                                   int32_t aLineNum,
                                   int32_t aColumnNum,
                                   const nsAString& aNonce,
                                   const nsAString& aContent)
 {
   for (uint32_t p = 0; p < mPolicies.Length(); p++) {
@@ -1158,57 +1169,77 @@ nsCSPContext::SendReports(
       CSPCONTEXTLOG(("Sent violation report to URI %s", reportURICstring.get()));
     }
   }
   return NS_OK;
 }
 
 nsresult
 nsCSPContext::FireViolationEvent(
+  Element* aTriggeringElement,
   const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit)
 {
   if (!sViolationEventsEnabled) {
     return NS_OK;
   }
 
+  // 1. If target is not null, and global is a Window, and target’s
+  // shadow-including root is not global’s associated Document, set target to
+  // null.
+  RefPtr<EventTarget> eventTarget = aTriggeringElement;
+
   nsCOMPtr<nsIDocument> doc = do_QueryReferent(mLoadingContext);
-  if (!doc) {
+  if (doc && aTriggeringElement &&
+      aTriggeringElement->GetComposedDoc() != doc) {
+    eventTarget = nullptr;
+  }
+
+  if (!eventTarget) {
+    // If target is a Window, set target to target’s associated Document.
+    eventTarget = doc;
+  }
+
+  if (!eventTarget) {
+    // TODO: Set target be violation’s global object. If we are here, we are
+    // probably dealing with workers. See bug 1472927.
     return NS_OK;
   }
 
   RefPtr<mozilla::dom::Event> event =
     mozilla::dom::SecurityPolicyViolationEvent::Constructor(
-      doc,
+      eventTarget,
       NS_LITERAL_STRING("securitypolicyviolation"),
       aViolationEventInit);
   event->SetTrusted(true);
 
   ErrorResult rv;
-  doc->DispatchEvent(*event, rv);
+  eventTarget->DispatchEvent(*event, rv);
   return rv.StealNSResult();
 }
 
 /**
  * Dispatched from the main thread to send reports for one CSP violation.
  */
 class CSPReportSenderRunnable final : public Runnable
 {
   public:
-    CSPReportSenderRunnable(nsISupports* aBlockedContentSource,
+    CSPReportSenderRunnable(Element* aTriggeringElement,
+                            nsISupports* aBlockedContentSource,
                             nsIURI* aOriginalURI,
                             uint32_t aViolatedPolicyIndex,
                             bool aReportOnlyFlag,
                             const nsAString& aViolatedDirective,
                             const nsAString& aObserverSubject,
                             const nsAString& aSourceFile,
                             const nsAString& aScriptSample,
                             uint32_t aLineNum,
                             uint32_t aColumnNum,
                             nsCSPContext* aCSPContext)
       : mozilla::Runnable("CSPReportSenderRunnable")
+      , mTriggeringElement(aTriggeringElement)
       , mBlockedContentSource(aBlockedContentSource)
       , mOriginalURI(aOriginalURI)
       , mViolatedPolicyIndex(aViolatedPolicyIndex)
       , mReportOnlyFlag(aReportOnlyFlag)
       , mViolatedDirective(aViolatedDirective)
       , mSourceFile(aSourceFile)
       , mScriptSample(aScriptSample)
       , mLineNum(aLineNum)
@@ -1284,22 +1315,23 @@ class CSPReportSenderRunnable final : pu
                                      blockedDataChar16.get() };
         mCSPContext->logToConsole(mReportOnlyFlag ? "CSPROViolationWithURI" :
                                                     "CSPViolationWithURI",
                                   params, ArrayLength(params), mSourceFile, mScriptSample,
                                   mLineNum, mColumnNum, nsIScriptError::errorFlag);
       }
 
       // 4) fire violation event
-      mCSPContext->FireViolationEvent(init);
+      mCSPContext->FireViolationEvent(mTriggeringElement, init);
 
       return NS_OK;
     }
 
   private:
+    RefPtr<Element>         mTriggeringElement;
     nsCOMPtr<nsISupports>   mBlockedContentSource;
     nsCOMPtr<nsIURI>        mOriginalURI;
     uint32_t                mViolatedPolicyIndex;
     bool                    mReportOnlyFlag;
     nsString                mViolatedDirective;
     nsCOMPtr<nsISupports>   mObserverSubject;
     nsString                mSourceFile;
     nsString                mScriptSample;
@@ -1308,16 +1340,18 @@ class CSPReportSenderRunnable final : pu
     RefPtr<nsCSPContext>    mCSPContext;
 };
 
 /**
  * Asynchronously notifies any nsIObservers listening to the CSP violation
  * topic that a violation occurred.  Also triggers report sending and console
  * logging.  All asynchronous on the main thread.
  *
+ * @param aTriggeringElement
+ *        The element that triggered this report violation. It can be null.
  * @param aBlockedContentSource
  *        Either a CSP Source (like 'self', as string) or nsIURI: the source
  *        of the violation.
  * @param aOriginalUri
  *        The original URI if the blocked content is a redirect, else null
  * @param aViolatedDirective
  *        the directive that was violated (string).
  * @param aViolatedPolicyIndex
@@ -1331,30 +1365,32 @@ class CSPReportSenderRunnable final : pu
  * @param aScriptSample
  *        a sample of the violating inline script
  * @param aLineNum
  *        source line number of the violation (if available)
  * @param aColumnNum
  *        source column number of the violation (if available)
  */
 nsresult
-nsCSPContext::AsyncReportViolation(nsISupports* aBlockedContentSource,
+nsCSPContext::AsyncReportViolation(Element* aTriggeringElement,
+                                   nsISupports* aBlockedContentSource,
                                    nsIURI* aOriginalURI,
                                    const nsAString& aViolatedDirective,
                                    uint32_t aViolatedPolicyIndex,
                                    const nsAString& aObserverSubject,
                                    const nsAString& aSourceFile,
                                    const nsAString& aScriptSample,
                                    uint32_t aLineNum,
                                    uint32_t aColumnNum)
 {
   NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
 
   nsCOMPtr<nsIRunnable> task =
-    new CSPReportSenderRunnable(aBlockedContentSource,
+    new CSPReportSenderRunnable(aTriggeringElement,
+                                aBlockedContentSource,
                                 aOriginalURI,
                                 aViolatedPolicyIndex,
                                 mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(),
                                 aViolatedDirective,
                                 aObserverSubject,
                                 aSourceFile,
                                 aScriptSample,
                                 aLineNum,
@@ -1473,16 +1509,17 @@ nsCSPContext::PermitsAncestry(nsIDocShel
                      ancestorsArray[a]->GetSpecOrDefault().get()));
     }
     // omit the ancestor URI in violation reports if cross-origin as per spec
     // (it is a violation of the same-origin policy).
     bool okToSendAncestor = NS_SecurityCompareURIs(ancestorsArray[a], mSelfURI, true);
 
 
     bool permits = permitsInternal(nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE,
+                                   nullptr,
                                    ancestorsArray[a],
                                    nullptr, // no redirect here.
                                    EmptyString(), // no nonce
                                    false,   // no redirect here.
                                    false,   // not a preload.
                                    true,    // specific, do not use default-src
                                    true,    // send violation reports
                                    okToSendAncestor,
@@ -1490,27 +1527,29 @@ nsCSPContext::PermitsAncestry(nsIDocShel
     if (!permits) {
       *outPermitsAncestry = false;
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsCSPContext::Permits(nsIURI* aURI,
+nsCSPContext::Permits(Element* aTriggeringElement,
+                      nsIURI* aURI,
                       CSPDirective aDir,
                       bool aSpecific,
                       bool* outPermits)
 {
   // Can't perform check without aURI
   if (aURI == nullptr) {
     return NS_ERROR_FAILURE;
   }
 
   *outPermits = permitsInternal(aDir,
+                                aTriggeringElement,
                                 aURI,
                                 nullptr,  // no original (pre-redirect) URI
                                 EmptyString(),  // no nonce
                                 false,    // not redirected.
                                 false,    // not a preload.
                                 aSpecific,
                                 true,     // send violation reports
                                 true,     // send blocked URI in violation reports
--- a/dom/security/nsCSPContext.h
+++ b/dom/security/nsCSPContext.h
@@ -25,16 +25,22 @@
 #define NS_CSPCONTEXT_CID \
 { 0x09d9ed1a, 0xe5d4, 0x4004, \
   { 0xbf, 0xe0, 0x27, 0xce, 0xb9, 0x23, 0xd9, 0xac } }
 
 class nsINetworkInterceptController;
 class nsIEventTarget;
 struct ConsoleMsgQueueElem;
 
+namespace mozilla {
+namespace dom {
+class Element;
+}
+}
+
 class nsCSPContext : public nsIContentSecurityPolicy
 {
   public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSICONTENTSECURITYPOLICY
     NS_DECL_NSISERIALIZABLE
 
   protected:
@@ -92,19 +98,21 @@ class nsCSPContext : public nsIContentSe
       uint32_t aColumnNum,
       mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit);
 
     nsresult SendReports(
       const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit,
       uint32_t aViolatedPolicyIndex);
 
     nsresult FireViolationEvent(
+      mozilla::dom::Element* aTriggeringElement,
       const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit);
 
-    nsresult AsyncReportViolation(nsISupports* aBlockedContentSource,
+    nsresult AsyncReportViolation(mozilla::dom::Element* aTriggeringElement,
+                                  nsISupports* aBlockedContentSource,
                                   nsIURI* aOriginalURI,
                                   const nsAString& aViolatedDirective,
                                   uint32_t aViolatedPolicyIndex,
                                   const nsAString& aObserverSubject,
                                   const nsAString& aSourceFile,
                                   const nsAString& aScriptSample,
                                   uint32_t aLineNum,
                                   uint32_t aColumnNum);
@@ -117,28 +125,30 @@ class nsCSPContext : public nsIContentSe
     }
 
     nsWeakPtr GetLoadingContext(){
       return mLoadingContext;
     }
 
   private:
     bool permitsInternal(CSPDirective aDir,
+                         mozilla::dom::Element* aTriggeringElement,
                          nsIURI* aContentLocation,
                          nsIURI* aOriginalURI,
                          const nsAString& aNonce,
                          bool aWasRedirected,
                          bool aIsPreload,
                          bool aSpecific,
                          bool aSendViolationReports,
                          bool aSendContentLocationInViolationReports,
                          bool aParserCreated);
 
     // helper to report inline script/style violations
     void reportInlineViolation(nsContentPolicyType aContentType,
+                               mozilla::dom::Element* aTriggeringElement,
                                const nsAString& aNonce,
                                const nsAString& aContent,
                                const nsAString& aViolatedDirective,
                                uint32_t aViolatedPolicyIndex,
                                uint32_t aLineNumber,
                                uint32_t aColumnNumber);
 
     static int32_t sScriptSampleMaxLength;
--- a/dom/security/test/unit/test_csp_reports.js
+++ b/dom/security/test/unit/test_csp_reports.js
@@ -97,27 +97,25 @@ function makeTest(id, expectedJSON, useR
   callback(csp);
 }
 
 function run_test() {
   var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
                                ":" + REPORT_SERVER_PORT +
                                "/foo/self");
 
-  let content = Cc["@mozilla.org/supports-string;1"].
-                   createInstance(Ci.nsISupportsString);
-  content.data = "";
   // test that inline script violations cause a report.
   makeTest(0, {"blocked-uri": ""}, false,
       function(csp) {
         let inlineOK = true;
         inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
                                        "", // aNonce
                                        false, // aParserCreated
-                                       content, // aContent
+                                       null, // aTriggeringElement
+                                       "", // aContentOfPseudoScript
                                        0, // aLineNumber
                                        0); // aColumnNumber
 
         // this is not a report only policy, so it better block inline scripts
         Assert.ok(!inlineOK);
       });
 
   // test that eval violations cause a report.
@@ -133,16 +131,17 @@ function run_test() {
         // this is not a report only policy, so it better block eval
         Assert.ok(!evalOK);
         // ... and cause reports to go out
         Assert.ok(oReportViolation.value);
 
         if (oReportViolation.value) {
           // force the logging, since the getter doesn't.
           csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_EVAL,
+                                  null, // aTriggeringElement
                                   selfuri.asciiSpec,
                                   // sending UTF-16 script sample to make sure
                                   // csp report in JSON is not cut-off, please
                                   // note that JSON is UTF8 encoded.
                                   "\u00a3\u00a5\u00b5\u5317\ud841\udf79",
                                   1, // line number
                                   2); // column number
         }
@@ -155,23 +154,21 @@ function run_test() {
                       NetUtil.newURI("http://blocked.test/foo.js"),
                       null, null, null, null);
       });
 
   // test that inline script violations cause a report in report-only policy
   makeTest(3, {"blocked-uri": ""}, true,
       function(csp) {
         let inlineOK = true;
-        let content = Cc["@mozilla.org/supports-string;1"].
-                         createInstance(Ci.nsISupportsString);
-        content.data = "";
         inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
                                        "", // aNonce
                                        false, // aParserCreated
-                                       content, // aContent
+                                       null, // aTriggeringElement
+                                       "", // aContentOfPseudoScript
                                        0, // aLineNumber
                                        0); // aColumnNumber
 
         // this is a report only policy, so it better allow inline scripts
         Assert.ok(inlineOK);
       });
 
   // test that eval violations cause a report in report-only policy
@@ -183,16 +180,17 @@ function run_test() {
         // this is a report only policy, so it better allow eval
         Assert.ok(evalOK);
         // ... but still cause reports to go out
         Assert.ok(oReportViolation.value);
 
         if (oReportViolation.value) {
           // force the logging, since the getter doesn't.
           csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
+                                  null, // aTriggeringElement
                                   selfuri.asciiSpec,
                                   "script sample",
                                   4, // line number
                                   5); // column number
         }
       });
 
   // test that only the uri's scheme is reported for globally unique identifiers
--- a/dom/workers/RuntimeService.cpp
+++ b/dom/workers/RuntimeService.cpp
@@ -2637,16 +2637,17 @@ LogViolationDetailsRunnable::MainThreadR
   AssertIsOnMainThread();
 
   nsIContentSecurityPolicy* csp = mWorkerPrivate->GetCSP();
   if (csp) {
     NS_NAMED_LITERAL_STRING(scriptSample,
         "Call to eval() or related function blocked by CSP.");
     if (mWorkerPrivate->GetReportCSPViolations()) {
       csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                               nullptr, // triggering element
                                mFileName, scriptSample, mLineNum, mColumnNum,
                                EmptyString(), EmptyString());
     }
   }
 
   return true;
 }
 
--- a/dom/workers/ScriptLoader.cpp
+++ b/dom/workers/ScriptLoader.cpp
@@ -1221,16 +1221,17 @@ private:
       MOZ_LOG(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug,
             ("Scriptloader::Load, SRI required but not supported in workers"));
       nsCOMPtr<nsIContentSecurityPolicy> wcsp;
       chanLoadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(wcsp));
       MOZ_ASSERT(wcsp, "We sould have a CSP for the worker here");
       if (wcsp) {
         wcsp->LogViolationDetails(
             nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT,
+            nullptr, // triggering element
             aLoadInfo.mURL, EmptyString(), 0, 0, EmptyString(), EmptyString());
       }
       return NS_ERROR_SRI_CORRUPT;
     }
 
     // Update the principal of the worker and its base URI if we just loaded the
     // worker's primary script.
     if (IsMainWorkerScript()) {
--- a/layout/style/Loader.cpp
+++ b/layout/style/Loader.cpp
@@ -779,16 +779,17 @@ SheetLoadData::VerifySheetReadyToParse(n
       // log the failed load to web console
       nsCOMPtr<nsIContentSecurityPolicy> csp;
       loadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(csp));
       nsAutoCString spec;
       mLoader->mDocument->GetDocumentURI()->GetAsciiSpec(spec);
       // line number unknown. mRequestingNode doesn't bear this info.
       csp->LogViolationDetails(
         nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_STYLE,
+        nullptr, // triggering element
         NS_ConvertUTF8toUTF16(spec), EmptyString(),
         0, 0, EmptyString(), EmptyString());
       return NS_OK;
     }
   } else {
     nsAutoCString sourceUri;
     if (mLoader->mDocument && mLoader->mDocument->GetDocumentURI()) {
       mLoader->mDocument->GetDocumentURI()->GetAsciiSpec(sourceUri);
--- a/layout/style/nsStyleUtil.cpp
+++ b/layout/style/nsStyleUtil.cpp
@@ -778,20 +778,16 @@ nsStyleUtil::CSPAllowsInlineStyle(Elemen
                                   nsresult* aRv)
 {
   nsresult rv;
 
   if (aRv) {
     *aRv = NS_OK;
   }
 
-  MOZ_ASSERT(!aElement || aElement->NodeInfo()->NameAtom() == nsGkAtoms::style,
-      "aElement passed to CSPAllowsInlineStyle "
-      "for an element that is not <style>");
-
   nsIPrincipal* principal = aPrincipal;
   if (aTriggeringPrincipal &&
       BasePrincipal::Cast(aTriggeringPrincipal)->OverridesCSP(aPrincipal)) {
     principal = aTriggeringPrincipal;
   }
 
   nsCOMPtr<nsIContentSecurityPolicy> csp;
   rv = principal->GetCsp(getter_AddRefs(csp));
@@ -804,30 +800,25 @@ nsStyleUtil::CSPAllowsInlineStyle(Elemen
 
   if (!csp) {
     // No CSP --> the style is allowed
     return true;
   }
 
   // query the nonce
   nsAutoString nonce;
-  if (aElement) {
+  if (aElement && aElement->NodeInfo()->NameAtom() == nsGkAtoms::style) {
     aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::nonce, nonce);
   }
 
-  nsCOMPtr<nsISupportsString> styleText(do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID));
-  if (styleText) {
-    styleText->SetData(aStyleText);
-  }
-
   bool allowInlineStyle = true;
   rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_STYLESHEET,
                             nonce,
                             false, // aParserCreated only applies to scripts
-                            styleText, aLineNumber, aColumnNumber,
+                            aElement, aStyleText, aLineNumber, aColumnNumber,
                             &allowInlineStyle);
   NS_ENSURE_SUCCESS(rv, false);
 
   return allowInlineStyle;
 }
 
 void
 nsStyleUtil::AppendFontSlantStyle(const FontSlantStyle& aStyle, nsAString& aOut)
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
+++ /dev/null
@@ -1,8 +0,0 @@
-[script-src-strict_dynamic_parser_inserted.html]
-  expected: TIMEOUT
-  [Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
-
-  [Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
-
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
@@ -1,17 +1,14 @@
 [script-sample-no-opt-in.html]
   expected: TIMEOUT
   [Inline script should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline event handlers should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [JavaScript URLs in iframes should not have a sample.]
     expected: TIMEOUT
 
-  [eval() should not have a sample.]
-    expected: TIMEOUT
-
   [eval()-alikes should not have a sample.]
     expected: TIMEOUT
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
@@ -1,15 +1,15 @@
 [script-sample.html]
   expected: TIMEOUT
   [Inline script should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline event handlers should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [JavaScript URLs in iframes should have a sample.]
     expected: TIMEOUT
 
   [eval() should not have a sample.]
     expected: TIMEOUT
 
   [eval() should have a sample.]
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
@@ -1,8 +1,7 @@
 [style-sample-no-opt-in.html]
-  expected: TIMEOUT
   [Inline style blocks should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline style attributes should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
@@ -1,8 +1,7 @@
 [style-sample.html]
-  expected: TIMEOUT
   [Inline style blocks should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline style attributes should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL