Backed out changeset bf40eebc6543 (bug 988616) on a CLOSED TREE
authorGarrett Robinson <grobinson@mozilla.com>
Wed, 04 Jun 2014 17:52:35 -0700
changeset 205947 6910e2e7e383902d5731651411635467f36ecdb7
parent 205946 d9d27a66ee94fc96e1e3563e9cda24c24b20c0f1
child 205948 34bcdcf808fe26b6b1ec2493687875f52b881ccf
push id3741
push userasasaki@mozilla.com
push dateMon, 21 Jul 2014 20:25:18 +0000
treeherdermozilla-beta@4d6f46f5af68 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs988616
milestone32.0a1
backs outbf40eebc65434dd7030506fb1dd6f1e64f34418f
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset bf40eebc6543 (bug 988616) on a CLOSED TREE
content/base/test/csp/file_csp_redirects_main.html
content/base/test/csp/file_csp_report.sjs
content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
content/base/test/csp/file_redirect_content.sjs
content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
content/base/test/csp/mochitest.ini
content/base/test/csp/test_CSP.html
content/base/test/csp/test_CSP_evalscript.html
content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
content/base/test/csp/test_CSP_frameancestors.html
content/base/test/csp/test_CSP_inlinescript.html
content/base/test/csp/test_CSP_inlinestyle.html
content/base/test/csp/test_csp_bug768029.html
content/base/test/csp/test_csp_bug773891.html
content/base/test/csp/test_csp_redirects.html
content/base/test/moz.build
content/base/test/xcsp/file_CSP.css
content/base/test/xcsp/file_CSP_frameancestors_main.js
content/base/test/xcsp/file_csp_redirects_main.html
content/base/test/xcsp/mochitest.ini
content/base/test/xcsp/test_CSP.html
content/base/test/xcsp/test_CSP_evalscript.html
content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
content/base/test/xcsp/test_CSP_frameancestors.html
content/base/test/xcsp/test_CSP_inlinescript.html
content/base/test/xcsp/test_CSP_inlinestyle.html
content/base/test/xcsp/test_csp_redirects.html
content/base/test/xcsp/test_csp_report.html
--- a/content/base/test/csp/file_csp_redirects_main.html
+++ b/content/base/test/csp/file_csp_redirects_main.html
@@ -6,17 +6,26 @@
 <div id="container"></div>
 </body>
 
 <script>
 var thisSite = "http://mochi.test:8888";
 var otherSite = "http://example.com";
 var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
 
-var tests = { "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
+var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
+              "frame-src": thisSite+page+"?testid=frame-src&csp=1",
+              "img-src":  thisSite+page+"?testid=img-src&csp=1",
+              "media-src":  thisSite+page+"?testid=media-src&csp=1",
+              "object-src":  thisSite+page+"?testid=object-src&csp=1",
+              "script-src":  thisSite+page+"?testid=script-src&csp=1",
+              "style-src":  thisSite+page+"?testid=style-src&csp=1",
+              "worker":  thisSite+page+"?testid=worker&csp=1",
+              "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
+              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
               "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
               "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
               "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
               "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
               "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
               "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
               "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
               "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
--- a/content/base/test/csp/file_csp_report.sjs
+++ b/content/base/test/csp/file_csp_report.sjs
@@ -9,17 +9,17 @@ function handleRequest(request, response
   });
 
   response.setHeader("Content-Type", "text/html", false);
 
   // avoid confusing cache behaviors
   response.setHeader("Cache-Control", "no-cache", false);
 
   // set CSP header
-  response.setHeader("Content-Security-Policy",
-                     "default-src 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
+  response.setHeader("X-Content-Security-Policy",
+                     "allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
                      false);
 
   // content which will trigger a violation report
   response.write('<html><body>');
   response.write('<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>');
   response.write('</body></html>');
 }
--- a/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
+++ b/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
@@ -1,1 +1,1 @@
-Content-Security-Policy: default-src 'self', default-src *
+X-Content-Security-Policy: default-src 'self', allow *
--- a/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
+++ b/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
@@ -1,1 +1,1 @@
-X-Content-Security-Policy: default-src 'self'   ,    default-src *
+X-Content-Security-Policy: default-src 'self'   ,    allow *
--- a/content/base/test/csp/file_redirect_content.sjs
+++ b/content/base/test/csp/file_redirect_content.sjs
@@ -20,17 +20,17 @@ function handleRequest(request, response
     var loc = "http://example.com/some/fake/path";
     response.setStatusLine("1.1", 302, "Found");
     response.setHeader("Location", loc, false);
     return;
   }
 
   var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
 
-  response.setHeader("Content-Security-Policy", csp, false);
+  response.setHeader("X-Content-Security-Policy", csp, false);
 
   // the actual file content.
   // this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
   // specified by the CSP string above.
   var content = "<!DOCTYPE HTML><html><body><img src = \"http://some.other.domain.example.com\"></body></html>";
 
   response.write(content);
 
--- a/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
+++ b/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
@@ -1,1 +1,1 @@
-Content-Security-Policy: default-src *; script-src 'unsafe-inline'
+X-Content-Security-Policy: default-src *; options inline-script
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -12,45 +12,63 @@ support-files =
   file_CSP_bug802872.js
   file_CSP_bug802872.sjs
   file_CSP_bug885433_allows.html
   file_CSP_bug885433_allows.html^headers^
   file_CSP_bug885433_blocks.html
   file_CSP_bug885433_blocks.html^headers^
   file_CSP_bug888172.html
   file_CSP_bug888172.sjs
+  file_CSP_bug916446.html
+  file_CSP_bug916446.html^headers^
+  file_CSP_evalscript_main.html
+  file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main.js
   file_CSP_evalscript_main_allowed.js
   file_CSP_evalscript_main_allowed_getCRMFRequest.js
+  file_CSP_evalscript_main_getCRMFRequest.html
+  file_CSP_evalscript_main_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_getCRMFRequest.js
   file_CSP_evalscript_main_spec_compliant.html
   file_CSP_evalscript_main_spec_compliant.html^headers^
   file_CSP_evalscript_main_spec_compliant_allowed.html
   file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
   file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
   file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
   file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
   file_CSP_evalscript_no_CSP_at_all.html
   file_CSP_evalscript_no_CSP_at_all.html^headers^
   file_CSP_evalscript_no_CSP_at_all.js
+  file_CSP_frameancestors.sjs
+  file_CSP_frameancestors_main.html
+  file_CSP_frameancestors_main.js
   file_CSP_frameancestors_main_spec_compliant.html
   file_CSP_frameancestors_main_spec_compliant.js
   file_CSP_frameancestors_spec_compliant.sjs
+  file_CSP_inlinescript_main.html
+  file_CSP_inlinescript_main.html^headers^
   file_CSP_inlinescript_main_spec_compliant.html
   file_CSP_inlinescript_main_spec_compliant.html^headers^
   file_CSP_inlinescript_main_spec_compliant_allowed.html
   file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
+  file_CSP_inlinestyle_main.html
+  file_CSP_inlinestyle_main.html^headers^
   file_CSP_inlinestyle_main_spec_compliant.html
   file_CSP_inlinestyle_main_spec_compliant.html^headers^
   file_CSP_inlinestyle_main_spec_compliant_allowed.html
   file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
+  file_CSP_main.html
+  file_CSP_main.html^headers^
+  file_CSP_main.js
   file_CSP_main_spec_compliant.html
   file_CSP_main_spec_compliant.html^headers^
   file_CSP_main_spec_compliant.js
+  file_bothCSPheaders.html
+  file_bothCSPheaders.html^headers^
   file_bug836922_npolicies.html
   file_bug836922_npolicies.html^headers^
   file_bug836922_npolicies_ro_violation.sjs
   file_bug836922_npolicies_violation.sjs
   file_bug886164.html
   file_bug886164.html^headers^
   file_bug886164_2.html
   file_bug886164_2.html^headers^
@@ -81,59 +99,67 @@ support-files =
   file_policyuri_regression_from_multipolicy_policy
   file_nonce_source.html
   file_nonce_source.html^headers^
   file_CSP_bug941404.html
   file_CSP_bug941404_xhr.html
   file_CSP_bug941404_xhr.html^headers^
   file_hash_source.html
   file_hash_source.html^headers^
+  file_dual_headers_warning.html
+  file_dual_headers_warning.html^headers^
   file_self_none_as_hostname_confusion.html
   file_self_none_as_hostname_confusion.html^headers^
   file_csp_testserver.sjs
   file_csp_regexp_parsing.html
   file_csp_regexp_parsing.js
   file_report_uri_missing_in_report_only_header.html
   file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.sjs
+  file_policyuri_async_fetch.html
+  file_policyuri_async_fetch.html^headers^
   file_redirect_content.sjs
   file_redirect_report.sjs
   file_subframe_run_js_if_allowed.html
   file_subframe_run_js_if_allowed.html^headers^
   file_multi_policy_injection_bypass.html
   file_multi_policy_injection_bypass.html^headers^
   file_multi_policy_injection_bypass_2.html
   file_multi_policy_injection_bypass_2.html^headers^
 
 [test_CSP.html]
 [test_CSP_bug663567.html]
 [test_CSP_bug802872.html]
 [test_CSP_bug885433.html]
 [test_CSP_bug888172.html]
+[test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
 [test_CSP_evalscript_getCRMFRequest.html]
 skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
+[test_bothCSPheaders.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
 [test_csp_redirects.html]
 [test_CSP_bug910139.html]
 [test_CSP_bug909029.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
+[test_dual_headers_warning.html]
 [test_self_none_as_hostname_confusion.html]
 [test_bug949549.html]
 [test_csp_regexp_parsing.html]
 [test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
+[test_policyuri_async_fetch.html]
 [test_301_redirect.html]
 [test_302_redirect.html]
 [test_303_redirect.html]
 [test_307_redirect.html]
 [test_subframe_run_js_if_allowed.html]
 [test_multi_policy_injection_bypass.html]
--- a/content/base/test/csp/test_CSP.html
+++ b/content/base/test/csp/test_CSP.html
@@ -5,21 +5,40 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 window.tests = {
+  img_good: -1,
+  img_bad: -1,
+  style_good: -1,
+  style_bad: -1,
+  frame_good: -1,
+  frame_bad: -1,
+  script_good: -1,
+  script_bad: -1,
+  xhr_good: -1,
+  xhr_bad: -1,
+  media_good: -1,
+  media_bad: -1,
+  font_good: -1,
+  font_bad: -1,
+  object_good: -1,
+  object_bad: -1,
   img_spec_compliant_good: -1,
   img_spec_compliant_bad: -1,
   style_spec_compliant_good: -1,
   style_spec_compliant_bad: -1,
   frame_spec_compliant_good: -1,
   frame_spec_compliant_bad: -1,
   script_spec_compliant_good: -1,
   script_spec_compliant_bad: -1,
@@ -106,14 +125,15 @@ SpecialPowers.pushPrefEnv(
           // blocks loading the resource until the user interacts with a
           // corresponding widget, which breaks the media_* tests. We set it
           // back to the default used by desktop Firefox to get consistent
           // behavior.
           ["media.preload.default", 2]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_main_spec_compliant.html';
+      document.getElementById('cspframe').src = 'file_CSP_main.html';
+      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_evalscript.html
+++ b/content/base/test/csp/test_CSP_evalscript.html
@@ -6,21 +6,24 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 16;
+var evalScriptsTotal = 24;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -46,15 +49,17 @@ var checkTestResults = function() {
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
+      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
+++ b/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
@@ -7,23 +7,24 @@
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/content/base/test/csp/";
 
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 3;
+var evalScriptsTotal = 4;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -48,16 +49,17 @@ var checkTestResults = function() {
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
+      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_frameancestors.html
+++ b/content/base/test/csp/test_CSP_frameancestors.html
@@ -5,34 +5,47 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 var framesThatShouldLoad = {
+  aa_allow: -1,    /* innermost frame allows a */
+  //aa_block: -1,    /* innermost frame denies a */
+  ab_allow: -1,    /* innermost frame allows a */
+  //ab_block: -1,    /* innermost frame denies a */
+  aba_allow: -1,   /* innermost frame allows b,a */
+  //aba_block: -1,   /* innermost frame denies b */
+  //aba2_block: -1,  /* innermost frame denies a */
+  abb_allow: -1,   /* innermost frame allows b,a */
+  //abb_block: -1,   /* innermost frame denies b */
+  //abb2_block: -1,  /* innermost frame denies a */
   aa_allow_spec_compliant: -1,    /* innermost frame allows a *
   //aa_block_spec_compliant: -1,    /* innermost frame denies a */
   ab_allow_spec_compliant: -1,    /* innermost frame allows a */
   //ab_block_spec_compliant: -1,    /* innermost frame denies a */
   aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
   //aba_block_spec_compliant: -1,   /* innermost frame denies b */
   //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
   abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
   //abb_block_spec_compliant: -1,   /* innermost frame denies b */
   //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };
 
-var expectedViolationsLeft = 6;
+var expectedViolationsLeft = 12;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -108,15 +121,16 @@ window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
 // added this so the tests run even if we don't flip the pref on by default.
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main_spec_compliant.html';
+    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
+    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
   });
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_inlinescript.html
+++ b/content/base/test/csp/test_CSP_inlinescript.html
@@ -6,23 +6,26 @@
   <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
-<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 var inlineScriptsThatRan = 0;
 var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 8;
+var inlineScriptsTotal = 12;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -71,47 +74,55 @@ var scriptBlocked = function(testname, d
 var checkTestResults = function() {
   // if any test is incomplete, keep waiting
   if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
     return;
 
   // The four scripts in the page with 'unsafe-inline' should run.
   is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
 
-  // The four scripts in the other page should be blocked.
-  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
+  // The other eight scripts in the other two pages should be blocked.
+  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
 
   // ... otherwise, finish
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 //////////////////////////////////////////////////////////////////////
 // set up and go
 window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
-function clickit1() {
-  var cspframe1 = document.getElementById('cspframe1');
-  var a = cspframe1.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
+function clickit() {
+  var cspframe = document.getElementById('cspframe');
+  var a = cspframe.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
 }
 
 function clickit2() {
   var cspframe2 = document.getElementById('cspframe2');
   var a = cspframe2.contentDocument.getElementById('anchortoclick');
   sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
 }
 
+function clickit3() {
+  var cspframe3 = document.getElementById('cspframe3');
+  var a = cspframe3.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
+}
+
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe1').src = 'file_CSP_inlinescript_main_spec_compliant.html';
-    document.getElementById('cspframe1').addEventListener('load', clickit1, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
+    document.getElementById('cspframe').addEventListener('load', clickit, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
     document.getElementById('cspframe2').addEventListener('load', clickit2, false);
+    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
   });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_CSP_inlinestyle.html
+++ b/content/base/test/csp/test_CSP_inlinestyle.html
@@ -5,107 +5,138 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
-<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
+
 //////////////////////////////////////////////////////////////////////
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 var done = 0;
 
-// When a CSP 1.0 compliant policy is specified we should block inline
-// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
-// (when it's not explicitly allowed.)
-function checkStylesSpecCompliant(evt) {
-  var cspframe = document.getElementById('cspframe1');
+// Our original CSP implementation does not block inline styles.
+function checkStyles(evt) {
+  var cspframe = document.getElementById('cspframe');
   var color;
 
   // black means the style wasn't applied.  green colors are used for styles
   //expected to be applied.  A color is red if a style is erroneously applied
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should allow inline
-// styles when it is explicitly allowed.
-function checkStylesSpecCompliantAllowed(evt) {
-  var cspframe = document.getElementById('cspframe2');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  // expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
-
-  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
-  // since it relies on executing script to set .cssText
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
   // SMIL tests
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+  checkIfDone();
+}
 
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+// When a CSP 1.0 compliant policy is specified we should block inline
+// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
+// (when it's not explicitly allowed.)
+function checkStylesSpecCompliant(evt) {
+  var cspframe = document.getElementById('cspframe2');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  //expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
+// When a CSP 1.0 compliant policy is specified we should allow inline
+// styles when it is explicitly allowed.
+function checkStylesSpecCompliantAllowed(evt) {
+  var cspframe = document.getElementById('cspframe3');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  // expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
+
+  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
+  // since it relies on executing script to set .cssText
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
   ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
 
   checkIfDone();
 }
 
 function checkIfDone() {
   done++;
-  if (done == 2)
+  if (done == 3)
     SimpleTest.finish();
 }
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe1').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
-    document.getElementById('cspframe1').addEventListener('load', checkStylesSpecCompliant, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliantAllowed, false);
+    document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
+    document.getElementById('cspframe').addEventListener('load', checkStyles, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
+    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
+    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
   }
 );
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_csp_bug768029.html
+++ b/content/base/test/csp/test_csp_bug768029.html
@@ -208,17 +208,16 @@ function runTest() {
 var gTestRunner = runTest();
 
 // load the default CSP and pref it on
 SpecialPowers.addPermission("browser", true, "https://example.com");
 SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
                                    ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
                                    ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
                                    ["security.mixed_content.block_active_content", false],
-                                   ["security.mixed_content.block_display_content", false],
-                                   ["security.csp.speccompliant", true]]},
+                                   ["security.mixed_content.block_display_content", false]]},
                           function() {  gTestRunner.next(); });
 
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_csp_bug773891.html
+++ b/content/base/test/csp/test_csp_bug773891.html
@@ -1,12 +1,12 @@
 <!DOCTYPE HTML>
 <html>
 <!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=773891
+  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
 -->
 <head>
   <meta charset="utf-8">
   <title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
   <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
 </head>
 <body>
@@ -213,17 +213,16 @@ function runTest() {
 
 var gTestRunner = runTest();
 
 // load the default CSP and pref it on
 SpecialPowers.addPermission("browser", true, "https://example.com");
 
 SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
                                    ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
-                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
-                                   ["security.csp.speccompliant", true]]},
+                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
                           function() {  gTestRunner.next(); });
 
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/csp/test_csp_redirects.html
+++ b/content/base/test/csp/test_csp_redirects.html
@@ -63,17 +63,35 @@ examiner.prototype  = {
   remove: function() {
     SpecialPowers.removeObserver(this, "csp-on-violate-policy");
     SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
   }
 }
 window.examiner = new examiner();
 
 // contains { test_frame_id : expected_result }
-var testExpectedResults = { "font-src-spec-compliant": true,
+var testExpectedResults = { "font-src": true,
+                            "font-src-redir": false,
+                            "frame-src": true,
+                            "frame-src-redir": false,
+                            "img-src": true,
+                            "img-src-redir": false,
+                            "media-src": true,
+                            "media-src-redir": false,
+                            "object-src": true,
+                            "object-src-redir": false,
+                            "script-src": true,
+                            "script-src-redir": false,
+                            "style-src": true,
+                            "style-src-redir": false,
+                            "worker": true,
+                            "worker-redir": false,
+                            "xhr-src": true,
+                            "xhr-src-redir": false,
+                            "font-src-spec-compliant": true,
                             "font-src-redir-spec-compliant": false,
                             "frame-src-spec-compliant": true,
                             "frame-src-redir-spec-compliant": false,
                             "img-src-spec-compliant": true,
                             "img-src-redir-spec-compliant": false,
                             "media-src-spec-compliant": true,
                             "media-src-redir-spec-compliant": false,
                             "object-src-spec-compliant": true,
--- a/content/base/test/moz.build
+++ b/content/base/test/moz.build
@@ -1,17 +1,16 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 TEST_TOOL_DIRS += [
     'csp',
-    'xcsp',
     'websocket_hybi',
 ]
 
 XPCSHELL_TESTS_MANIFESTS += ['unit/xpcshell.ini']
 
 # FIXME/bug 575918: out-of-process xpcshell is broken on OS X
 if CONFIG['OS_ARCH'] != 'Darwin':
     XPCSHELL_TESTS_MANIFESTS += ['unit_ipc/xpcshell.ini']
--- a/content/base/test/xcsp/file_CSP.css
+++ b/content/base/test/xcsp/file_CSP.css
@@ -7,14 +7,14 @@
 
 /* CSS font embedding tests */
 @font-face {
   font-family: "arbitrary_good";
   src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
 }
 @font-face {
   font-family: "arbitrary_bad";
-  src: url('http://example.org/tests/content/base/test/xcsp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
+  src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
 }
 
 .div_arbitrary_good { font-family: "arbitrary_good"; }
 .div_arbitrary_bad { font-family: "arbitrary_bad"; }
 
--- a/content/base/test/xcsp/file_CSP_frameancestors_main.js
+++ b/content/base/test/xcsp/file_CSP_frameancestors_main.js
@@ -1,17 +1,17 @@
 // Script to populate the test frames in the frame ancestors mochitest.
 //
 function setupFrames() {
 
   var $ = function(v) { return document.getElementById(v); }
   var base = {
-        self: '/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
-        a: 'http://mochi.test:8888/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
-        b: 'http://example.com/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs'
+        self: '/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
+        a: 'http://mochi.test:8888/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
+        b: 'http://example.com/tests/content/base/test/csp/file_CSP_frameancestors.sjs'
   };
 
   var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };
 
   var innerframeuri = null;
   var elt = null;
 
   elt = $('aa_allow');
--- a/content/base/test/xcsp/file_csp_redirects_main.html
+++ b/content/base/test/xcsp/file_csp_redirects_main.html
@@ -4,27 +4,36 @@
 </head>
 <body>
 <div id="container"></div>
 </body>
 
 <script>
 var thisSite = "http://mochi.test:8888";
 var otherSite = "http://example.com";
-var page = "/tests/content/base/test/xcsp/file_csp_redirects_page.sjs";
+var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
 
 var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
               "frame-src": thisSite+page+"?testid=frame-src&csp=1",
               "img-src":  thisSite+page+"?testid=img-src&csp=1",
               "media-src":  thisSite+page+"?testid=media-src&csp=1",
               "object-src":  thisSite+page+"?testid=object-src&csp=1",
               "script-src":  thisSite+page+"?testid=script-src&csp=1",
               "style-src":  thisSite+page+"?testid=style-src&csp=1",
               "worker":  thisSite+page+"?testid=worker&csp=1",
               "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
+              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
+              "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
+              "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
+              "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
+              "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
+              "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
+              "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
+              "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
+              "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
             };
 
 var container = document.getElementById("container");
 
 // load each test in its own iframe
 for (tid in tests) {
   var i = document.createElement("iframe");
   i.id = tid;
--- a/content/base/test/xcsp/mochitest.ini
+++ b/content/base/test/xcsp/mochitest.ini
@@ -1,68 +1,164 @@
 [DEFAULT]
 support-files =
   file_CSP.css
   file_CSP.sjs
+  file_CSP_bug663567.xsl
+  file_CSP_bug663567_allows.xml
+  file_CSP_bug663567_allows.xml^headers^
+  file_CSP_bug663567_blocks.xml
+  file_CSP_bug663567_blocks.xml^headers^
+  file_CSP_bug802872.html
+  file_CSP_bug802872.html^headers^
+  file_CSP_bug802872.js
+  file_CSP_bug802872.sjs
+  file_CSP_bug885433_allows.html
+  file_CSP_bug885433_allows.html^headers^
+  file_CSP_bug885433_blocks.html
+  file_CSP_bug885433_blocks.html^headers^
+  file_CSP_bug888172.html
+  file_CSP_bug888172.sjs
   file_CSP_bug916446.html
   file_CSP_bug916446.html^headers^
   file_CSP_evalscript_main.html
   file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main.js
+  file_CSP_evalscript_main_allowed.js
+  file_CSP_evalscript_main_allowed_getCRMFRequest.js
   file_CSP_evalscript_main_getCRMFRequest.html
   file_CSP_evalscript_main_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_getCRMFRequest.js
+  file_CSP_evalscript_main_spec_compliant.html
+  file_CSP_evalscript_main_spec_compliant.html^headers^
+  file_CSP_evalscript_main_spec_compliant_allowed.html
+  file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
+  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
+  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
+  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
+  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
   file_CSP_evalscript_no_CSP_at_all.html
   file_CSP_evalscript_no_CSP_at_all.html^headers^
   file_CSP_evalscript_no_CSP_at_all.js
   file_CSP_frameancestors.sjs
   file_CSP_frameancestors_main.html
   file_CSP_frameancestors_main.js
+  file_CSP_frameancestors_main_spec_compliant.html
+  file_CSP_frameancestors_main_spec_compliant.js
+  file_CSP_frameancestors_spec_compliant.sjs
   file_CSP_inlinescript_main.html
   file_CSP_inlinescript_main.html^headers^
+  file_CSP_inlinescript_main_spec_compliant.html
+  file_CSP_inlinescript_main_spec_compliant.html^headers^
+  file_CSP_inlinescript_main_spec_compliant_allowed.html
+  file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
   file_CSP_inlinestyle_main.html
   file_CSP_inlinestyle_main.html^headers^
+  file_CSP_inlinestyle_main_spec_compliant.html
+  file_CSP_inlinestyle_main_spec_compliant.html^headers^
+  file_CSP_inlinestyle_main_spec_compliant_allowed.html
+  file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
   file_CSP_main.html
   file_CSP_main.html^headers^
   file_CSP_main.js
+  file_CSP_main_spec_compliant.html
+  file_CSP_main_spec_compliant.html^headers^
+  file_CSP_main_spec_compliant.js
   file_bothCSPheaders.html
   file_bothCSPheaders.html^headers^
+  file_bug836922_npolicies.html
+  file_bug836922_npolicies.html^headers^
+  file_bug836922_npolicies_ro_violation.sjs
+  file_bug836922_npolicies_violation.sjs
+  file_bug886164.html
+  file_bug886164.html^headers^
+  file_bug886164_2.html
+  file_bug886164_2.html^headers^
+  file_bug886164_3.html
+  file_bug886164_3.html^headers^
+  file_bug886164_4.html
+  file_bug886164_4.html^headers^
+  file_bug886164_5.html
+  file_bug886164_5.html^headers^
+  file_bug886164_6.html
+  file_bug886164_6.html^headers^
   file_csp_bug768029.html
   file_csp_bug768029.sjs
   file_csp_bug773891.html
   file_csp_bug773891.sjs
   file_csp_redirects_main.html
   file_csp_redirects_page.sjs
   file_csp_redirects_resource.sjs
+  file_CSP_bug910139.sjs
+  file_CSP_bug910139.xml
+  file_CSP_bug910139.xsl
+  file_CSP_bug909029_star.html
+  file_CSP_bug909029_star.html^headers^
+  file_CSP_bug909029_none.html
+  file_CSP_bug909029_none.html^headers^
+  file_policyuri_regression_from_multipolicy.html
+  file_policyuri_regression_from_multipolicy.html^headers^
+  file_policyuri_regression_from_multipolicy_policy
+  file_nonce_source.html
+  file_nonce_source.html^headers^
+  file_CSP_bug941404.html
+  file_CSP_bug941404_xhr.html
+  file_CSP_bug941404_xhr.html^headers^
+  file_hash_source.html
+  file_hash_source.html^headers^
   file_dual_headers_warning.html
   file_dual_headers_warning.html^headers^
+  file_self_none_as_hostname_confusion.html
+  file_self_none_as_hostname_confusion.html^headers^
+  file_csp_testserver.sjs
+  file_csp_regexp_parsing.html
+  file_csp_regexp_parsing.js
+  file_report_uri_missing_in_report_only_header.html
+  file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.sjs
   file_policyuri_async_fetch.html
   file_policyuri_async_fetch.html^headers^
   file_redirect_content.sjs
   file_redirect_report.sjs
   file_subframe_run_js_if_allowed.html
   file_subframe_run_js_if_allowed.html^headers^
   file_multi_policy_injection_bypass.html
   file_multi_policy_injection_bypass.html^headers^
   file_multi_policy_injection_bypass_2.html
   file_multi_policy_injection_bypass_2.html^headers^
 
 [test_CSP.html]
+[test_CSP_bug663567.html]
+[test_CSP_bug802872.html]
+[test_CSP_bug885433.html]
+[test_CSP_bug888172.html]
 [test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
 [test_CSP_evalscript_getCRMFRequest.html]
 skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
 [test_bothCSPheaders.html]
+[test_bug836922_npolicies.html]
+[test_bug886164.html]
 [test_csp_redirects.html]
+[test_CSP_bug910139.html]
+[test_CSP_bug909029.html]
+[test_policyuri_regression_from_multipolicy.html]
+[test_nonce_source.html]
+[test_CSP_bug941404.html]
+[test_hash_source.html]
+skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
 [test_dual_headers_warning.html]
+[test_self_none_as_hostname_confusion.html]
+[test_bug949549.html]
+[test_csp_regexp_parsing.html]
+[test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
 [test_policyuri_async_fetch.html]
 [test_301_redirect.html]
 [test_302_redirect.html]
 [test_303_redirect.html]
 [test_307_redirect.html]
 [test_subframe_run_js_if_allowed.html]
--- a/content/base/test/xcsp/test_CSP.html
+++ b/content/base/test/xcsp/test_CSP.html
@@ -5,18 +5,21 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 window.tests = {
   img_good: -1,
   img_bad: -1,
   style_good: -1,
   style_bad: -1,
   frame_good: -1,
@@ -26,16 +29,32 @@ window.tests = {
   xhr_good: -1,
   xhr_bad: -1,
   media_good: -1,
   media_bad: -1,
   font_good: -1,
   font_bad: -1,
   object_good: -1,
   object_bad: -1,
+  img_spec_compliant_good: -1,
+  img_spec_compliant_bad: -1,
+  style_spec_compliant_good: -1,
+  style_spec_compliant_bad: -1,
+  frame_spec_compliant_good: -1,
+  frame_spec_compliant_bad: -1,
+  script_spec_compliant_good: -1,
+  script_spec_compliant_bad: -1,
+  xhr_spec_compliant_good: -1,
+  xhr_spec_compliant_bad: -1,
+  media_spec_compliant_good: -1,
+  media_spec_compliant_bad: -1,
+  font_spec_compliant_good: -1,
+  font_spec_compliant_bad: -1,
+  object_spec_compliant_good: -1,
+  object_spec_compliant_bad: -1,
 };
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
   SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
 }
@@ -107,13 +126,14 @@ SpecialPowers.pushPrefEnv(
           // corresponding widget, which breaks the media_* tests. We set it
           // back to the default used by desktop Firefox to get consistent
           // behavior.
           ["media.preload.default", 2]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_main.html';
+      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_evalscript.html
+++ b/content/base/test/xcsp/test_CSP_evalscript.html
@@ -5,21 +5,25 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 8;
+var evalScriptsTotal = 24;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -46,13 +50,16 @@ var checkTestResults = function() {
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
+      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
+++ b/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
@@ -6,23 +6,25 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/content/base/test/csp/";
 
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 2;
+var evalScriptsTotal = 4;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
   evalScriptsThatRan++;
   ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
@@ -48,14 +50,16 @@ var checkTestResults = function() {
 SimpleTest.waitForExplicitFinish();
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
+      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_frameancestors.html
+++ b/content/base/test/xcsp/test_CSP_frameancestors.html
@@ -5,34 +5,47 @@
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 var framesThatShouldLoad = {
   aa_allow: -1,    /* innermost frame allows a */
   //aa_block: -1,    /* innermost frame denies a */
   ab_allow: -1,    /* innermost frame allows a */
   //ab_block: -1,    /* innermost frame denies a */
   aba_allow: -1,   /* innermost frame allows b,a */
   //aba_block: -1,   /* innermost frame denies b */
   //aba2_block: -1,  /* innermost frame denies a */
   abb_allow: -1,   /* innermost frame allows b,a */
   //abb_block: -1,   /* innermost frame denies b */
   //abb2_block: -1,  /* innermost frame denies a */
+  aa_allow_spec_compliant: -1,    /* innermost frame allows a *
+  //aa_block_spec_compliant: -1,    /* innermost frame denies a */
+  ab_allow_spec_compliant: -1,    /* innermost frame allows a */
+  //ab_block_spec_compliant: -1,    /* innermost frame denies a */
+  aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
+  //aba_block_spec_compliant: -1,   /* innermost frame denies b */
+  //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
+  abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
+  //abb_block_spec_compliant: -1,   /* innermost frame denies b */
+  //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };
 
-var expectedViolationsLeft = 6;
+var expectedViolationsLeft = 12;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -109,14 +122,15 @@ SimpleTest.waitForExplicitFinish();
 
 // added this so the tests run even if we don't flip the pref on by default.
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
+    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
   });
 
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_inlinescript.html
+++ b/content/base/test/xcsp/test_CSP_inlinescript.html
@@ -7,20 +7,25 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
+var inlineScriptsThatRan = 0;
 var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 4;
+var inlineScriptsTotal = 12;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
 }
 examiner.prototype  = {
   observe: function(subject, topic, data) {
@@ -43,32 +48,44 @@ examiner.prototype  = {
 
   // must eventually call this to remove the listener,
   // or mochitests might get borked.
   remove: function() {
     SpecialPowers.removeObserver(this, "csp-on-violate-policy");
   }
 }
 
+// called by scripts that run
+// the first argument is whether the script expects to be allowed or not.
+var scriptRan = function(result, testname, data) {
+  inlineScriptsThatRan++;
+  ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
 // called when a script is blocked
 // -- we can't determine *which* frame was blocked, but at least we can count them
 var scriptBlocked = function(testname, data) {
   inlineScriptsBlocked++;
   ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
   checkTestResults();
 }
 
+
 // Check to see if all the tests have run
 var checkTestResults = function() {
   // if any test is incomplete, keep waiting
-  if (inlineScriptsBlocked < inlineScriptsTotal)
+  if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
     return;
 
-  // The other four scripts in the other two pages should be blocked.
-  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
+  // The four scripts in the page with 'unsafe-inline' should run.
+  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
+
+  // The other eight scripts in the other two pages should be blocked.
+  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
 
   // ... otherwise, finish
   window.examiner.remove();
   SimpleTest.finish();
 }
 
 //////////////////////////////////////////////////////////////////////
 // set up and go
@@ -76,20 +93,36 @@ window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
 function clickit() {
   var cspframe = document.getElementById('cspframe');
   var a = cspframe.contentDocument.getElementById('anchortoclick');
   sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
 }
 
+function clickit2() {
+  var cspframe2 = document.getElementById('cspframe2');
+  var a = cspframe2.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
+}
+
+function clickit3() {
+  var cspframe3 = document.getElementById('cspframe3');
+  var a = cspframe3.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
+}
+
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
     document.getElementById('cspframe').addEventListener('load', clickit, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+    document.getElementById('cspframe2').addEventListener('load', clickit2, false);
+    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
   });
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_CSP_inlinestyle.html
+++ b/content/base/test/xcsp/test_CSP_inlinestyle.html
@@ -6,18 +6,23 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
+var path = "/tests/content/base/test/csp/";
+
+
 //////////////////////////////////////////////////////////////////////
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 var done = 0;
 
 // Our original CSP implementation does not block inline styles.
 function checkStyles(evt) {
@@ -39,27 +44,99 @@ function checkStyles(evt) {
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
   checkIfDone();
 }
 
+// When a CSP 1.0 compliant policy is specified we should block inline
+// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
+// (when it's not explicitly allowed.)
+function checkStylesSpecCompliant(evt) {
+  var cspframe = document.getElementById('cspframe2');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  //expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
+// When a CSP 1.0 compliant policy is specified we should allow inline
+// styles when it is explicitly allowed.
+function checkStylesSpecCompliantAllowed(evt) {
+  var cspframe = document.getElementById('cspframe3');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  // expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
+
+  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
+  // since it relies on executing script to set .cssText
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
 function checkIfDone() {
   done++;
-  if (done == 1)
+  if (done == 3)
     SimpleTest.finish();
 }
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
     document.getElementById('cspframe').addEventListener('load', checkStyles, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
+    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
+    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
   }
 );
 </script>
 </pre>
 </body>
 </html>
--- a/content/base/test/xcsp/test_csp_redirects.html
+++ b/content/base/test/xcsp/test_csp_redirects.html
@@ -81,16 +81,34 @@ var testExpectedResults = { "font-src": 
                             "script-src": true,
                             "script-src-redir": false,
                             "style-src": true,
                             "style-src-redir": false,
                             "worker": true,
                             "worker-redir": false,
                             "xhr-src": true,
                             "xhr-src-redir": false,
+                            "font-src-spec-compliant": true,
+                            "font-src-redir-spec-compliant": false,
+                            "frame-src-spec-compliant": true,
+                            "frame-src-redir-spec-compliant": false,
+                            "img-src-spec-compliant": true,
+                            "img-src-redir-spec-compliant": false,
+                            "media-src-spec-compliant": true,
+                            "media-src-redir-spec-compliant": false,
+                            "object-src-spec-compliant": true,
+                            "object-src-redir-spec-compliant": false,
+                            "script-src-spec-compliant": true,
+                            "script-src-redir-spec-compliant": false,
+                            "style-src-spec-compliant": true,
+                            "style-src-redir-spec-compliant": false,
+                            "worker-spec-compliant": true,
+                            "worker-redir-spec-compliant": false,
+                            "xhr-src-spec-compliant": true,
+                            "xhr-src-redir-spec-compliant": false,
                           };
 
 // takes the name of the test, the URL that was tested, and whether the
 // load occurred
 var testResult = function(testName, url, result) {
   log("  testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
   is(result, testExpectedResults[testName], testName+" test: "+url);
 
--- a/content/base/test/xcsp/test_csp_report.html
+++ b/content/base/test/xcsp/test_csp_report.html
@@ -77,17 +77,17 @@ examiner.prototype  = {
 
 // content file that triggers a violation report
 var testFile = "file_csp_report.sjs";
 
 window.checkResults = function(reportObj) {
   var cspReport = reportObj["csp-report"];
   // correct violating request
   is(cspReport["document-uri"],
-     "http://mochi.test:8888/tests/content/base/test/xcsp/" + testFile,
+     "http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
      "Incorrect violating request");
   // correct blocked-uri
   is(cspReport["blocked-uri"],
      "http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png",
      "Incorrect blocked uri");
   // correct violated-directive
   is(cspReport["violated-directive"], "default-src http://mochi.test:8888",
      "Incorrect violated directive");