Bug 1418236 - Correct EventTarget for CSP violation events, r=ckerschb
authorAndrea Marchesini <amarchesini@mozilla.com>
Tue, 10 Jul 2018 17:40:21 +0200
changeset 483420 1b3143e4ec831f400df95c1fef8ee87d6f3368d2
parent 483419 8bcdfbe1d0dcf4ce58095da36fd8371fa68f7c3d
child 483421 f017a427c3cbccf397c9bf960a7b84ae5e801cb9
push id1815
push userffxbld-merge
push dateMon, 15 Oct 2018 10:40:45 +0000
treeherdermozilla-release@18d4c09e9378 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersckerschb
bugs1418236
milestone63.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1418236 - Correct EventTarget for CSP violation events, r=ckerschb
caps/nsScriptSecurityManager.cpp
dom/base/nsDocument.cpp
dom/base/nsJSTimeoutHandler.cpp
dom/base/nsStyledElement.cpp
dom/events/EventListenerManager.cpp
dom/html/HTMLFormElement.cpp
dom/html/HTMLSharedElement.cpp
dom/interfaces/security/nsIContentSecurityPolicy.idl
dom/jsurl/nsJSProtocolHandler.cpp
dom/script/ScriptLoader.cpp
dom/security/nsCSPContext.cpp
dom/security/nsCSPContext.h
dom/security/test/unit/test_csp_reports.js
dom/workers/RuntimeService.cpp
dom/workers/ScriptLoader.cpp
layout/style/Loader.cpp
layout/style/nsStyleUtil.cpp
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -504,16 +504,17 @@ nsScriptSecurityManager::ContentSecurity
                                        &columnNum)) {
             if (const char *file = scriptFilename.get()) {
                 CopyUTF8toUTF16(nsDependentCString(file), fileName);
             }
         } else {
             MOZ_ASSERT(!JS_IsExceptionPending(cx));
         }
         csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                                 nullptr, // triggering element
                                  fileName,
                                  scriptSample,
                                  lineNum,
                                  columnNum,
                                  EmptyString(),
                                  EmptyString());
     }
 
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -11946,17 +11946,18 @@ nsIDocument::InlineScriptAllowedByCSP()
   nsCOMPtr<nsIContentSecurityPolicy> csp;
   nsresult rv = NodePrincipal()->GetCsp(getter_AddRefs(csp));
   NS_ENSURE_SUCCESS(rv, true);
   bool allowsInlineScript = true;
   if (csp) {
     nsresult rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
                                        EmptyString(), // aNonce
                                        true,          // aParserCreated
-                                       nullptr, // FIXME get script sample (bug 1314567)
+                                       nullptr,       // aTriggeringElement
+                                       EmptyString(), // FIXME get script sample (bug 1314567)
                                        0,             // aLineNumber
                                        0,             // aColumnNumber
                                        &allowsInlineScript);
     NS_ENSURE_SUCCESS(rv, true);
   }
   return allowsInlineScript;
 }
 
--- a/dom/base/nsJSTimeoutHandler.cpp
+++ b/dom/base/nsJSTimeoutHandler.cpp
@@ -201,16 +201,17 @@ CheckCSPForEval(JSContext* aCx, nsGlobal
     uint32_t columnNum = 0;
     nsAutoString fileNameString;
     if (!nsJSUtils::GetCallingLocation(aCx, fileNameString, &lineNum,
                                        &columnNum)) {
       fileNameString.AssignLiteral("unknown");
     }
 
     csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                             nullptr, // triggering element
                              fileNameString, scriptSample, lineNum, columnNum,
                              EmptyString(), EmptyString());
   }
 
   return allowsEval;
 }
 
 nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler()
--- a/dom/base/nsStyledElement.cpp
+++ b/dom/base/nsStyledElement.cpp
@@ -203,17 +203,17 @@ nsStyledElement::ParseStyleAttribute(con
                                      nsIPrincipal* aMaybeScriptedPrincipal,
                                      nsAttrValue& aResult,
                                      bool aForceInDataDoc)
 {
   nsIDocument* doc = OwnerDoc();
   bool isNativeAnon = IsInNativeAnonymousSubtree();
 
   if (!isNativeAnon &&
-      !nsStyleUtil::CSPAllowsInlineStyle(nullptr, NodePrincipal(),
+      !nsStyleUtil::CSPAllowsInlineStyle(this, NodePrincipal(),
                                          aMaybeScriptedPrincipal,
                                          doc->GetDocumentURI(), 0, 0, aValue,
                                          nullptr))
     return;
 
   if (aForceInDataDoc ||
       !doc->IsLoadedAsData() ||
       GetExistingStyle() ||
--- a/dom/events/EventListenerManager.cpp
+++ b/dom/events/EventListenerManager.cpp
@@ -868,26 +868,23 @@ EventListenerManager::SetEventHandler(ns
       if (domNode) {
         tagName = domNode->NodeName();
       }
       // build a "script sample" based on what we know about this element
       scriptSample.Assign(attr);
       scriptSample.AppendLiteral(" attribute on ");
       scriptSample.Append(tagName);
       scriptSample.AppendLiteral(" element");
-      nsCOMPtr<nsISupportsString> sampleIString(do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID));
-      if (sampleIString) {
-        sampleIString->SetData(scriptSample);
-      }
 
       bool allowsInlineScript = true;
       rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
                                 EmptyString(), // aNonce
                                 true, // aParserCreated (true because attribute event handler)
-                                sampleIString,
+                                aElement,
+                                scriptSample,
                                 0,             // aLineNumber
                                 0,             // aColumnNumber
                                 &allowsInlineScript);
       NS_ENSURE_SUCCESS(rv, rv);
 
       // return early if CSP wants us to block inline scripts
       if (!allowsInlineScript) {
         return NS_OK;
--- a/dom/html/HTMLFormElement.cpp
+++ b/dom/html/HTMLFormElement.cpp
@@ -1702,17 +1702,18 @@ HTMLFormElement::GetActionURL(nsIURI** a
   rv = NodePrincipal()->GetCsp(getter_AddRefs(csp));
   NS_ENSURE_SUCCESS(rv, rv);
   if (csp) {
     bool permitsFormAction = true;
 
     // form-action is only enforced if explicitly defined in the
     // policy - do *not* consult default-src, see:
     // http://www.w3.org/TR/CSP2/#directive-default-src
-    rv = csp->Permits(actionURL, nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
+    rv = csp->Permits(this, actionURL,
+                      nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
                       true, &permitsFormAction);
     NS_ENSURE_SUCCESS(rv, rv);
     if (!permitsFormAction) {
       return NS_ERROR_CSP_FORM_ACTION_VIOLATION;
     }
   }
 
   // Potentially the page uses the CSP directive 'upgrade-insecure-requests'. In
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -149,17 +149,18 @@ SetBaseURIUsingFirstBaseWithHref(nsIDocu
       if (NS_FAILED(rv)) {
         newBaseURI = nullptr;
       }
       if (csp && newBaseURI) {
         // base-uri is only enforced if explicitly defined in the
         // policy - do *not* consult default-src, see:
         // http://www.w3.org/TR/CSP2/#directive-default-src
         bool cspPermitsBaseURI = true;
-        rv = csp->Permits(newBaseURI, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
+        rv = csp->Permits(child->AsElement(), newBaseURI,
+                          nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
                           true, &cspPermitsBaseURI);
         if (NS_FAILED(rv) || !cspPermitsBaseURI) {
           newBaseURI = nullptr;
         }
       }
       aDocument->SetBaseURI(newBaseURI);
       aDocument->SetChromeXHRDocBaseURI(nullptr);
       return;
--- a/dom/interfaces/security/nsIContentSecurityPolicy.idl
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -5,16 +5,17 @@
 #include "nsISerializable.idl"
 #include "nsIContentPolicy.idl"
 
 interface nsIURI;
 interface nsIDocShell;
 interface nsIEventTarget;
 interface nsIPrincipal;
 
+webidl Element;
 webidl Document;
 
 /**
  * nsIContentSecurityPolicy
  * Describes an XPCOM component used to model and enforce CSPs.  Instances of
  * this class may have multiple policies within them, but there should only be
  * one of these per document/principal.
  */
@@ -117,31 +118,34 @@ interface nsIContentSecurityPolicy : nsI
                     in boolean reportOnly,
                     in boolean deliveredViaMetaTag);
 
   /*
    * Whether this policy allows inline script or style.
    * @param aContentPolicyType Either TYPE_SCRIPT or TYPE_STYLESHEET
    * @param aNonce The nonce string to check against the policy
    * @param aParserCreated If the script element was created by the HTML Parser
-   * @param aElementOrContent The script element of the inline resource to hash
-   *        or the content of the psuedo-script to compare to hash
-   *        (and compare to the hashes listed in the policy)
+   * @param aTriggeringElement The script element of the inline resource to
+   *        hash. It can be null.
+   * @param aContentOfPseudoScript The content of the psuedo-script to compare
+   *                               to hash (and compare to the hashes listed in
+   *                               the policy)
    * @param aLineNumber The line number of the inline resource
    *        (used for reporting)
    * @param aColumnNumber The column number of the inline resource
    *        (used for reporting)
    * @return
    *     Whether or not the effects of the inline style should be allowed
    *     (block the rules if false).
    */
   boolean getAllowsInline(in nsContentPolicyType aContentPolicyType,
                           in AString aNonce,
                           in boolean aParserCreated,
-                          in nsISupports aElementOrContent,
+                          in Element aTriggeringElement,
+                          in AString aContentOfPseudoScript,
                           in unsigned long aLineNumber,
                           in unsigned long aColumnNumber);
 
   /**
    * whether this policy allows eval and eval-like functions
    * such as setTimeout("code string", time).
    * @param shouldReportViolations
    *     Whether or not the use of eval should be reported.
@@ -167,16 +171,18 @@ interface nsIContentSecurityPolicy : nsI
 
   /**
    * For each violated policy (of type violationType), log policy violation on
    * the Error Console and send a report to report-uris present in the violated
    * policies.
    *
    * @param violationType
    *     one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval
+   * @param triggeringElement
+   *     the element that triggers this CSP violation. It can be null.
    * @param sourceFile
    *     name of the source file containing the violation (if available)
    * @param contentSample
    *     sample of the violating content (to aid debugging)
    * @param lineNum
    *     source line number of the violation (if available)
    * @param columnNum
    *     source column number of the violation (if available)
@@ -186,16 +192,17 @@ interface nsIContentSecurityPolicy : nsI
    *     appropriate reports.
    * @param aContent
    *     (optional) If this is a hash violation, include contents of the inline
    *     resource in the question so we can recheck the hash in order to
    *     determine which policies were violated and send the appropriate
    *     reports.
    */
   void logViolationDetails(in unsigned short violationType,
+                           in Element triggeringElement,
                            in AString sourceFile,
                            in AString scriptSample,
                            in int32_t lineNum,
                            in int32_t columnNum,
                            [optional] in AString nonce,
                            [optional] in AString content);
 
   const unsigned short VIOLATION_TYPE_INLINE_SCRIPT          = 1;
@@ -245,32 +252,37 @@ interface nsIContentSecurityPolicy : nsI
 
 
   /**
    * Checks if a specific directive permits loading of a URI.
    *
    * NOTE: Calls to this may trigger violation reports when queried, so the
    * return value should not be cached.
    *
+   * @param aTriggeringElement
+   *        The element that triggers this CSP check. It can be null.
    * @param aURI
    *    The URI about to be loaded or used.
    * @param aDir
    *    The CSPDirective to query (see above constants *_DIRECTIVE).
    * @param aSpecific
    *    If "true" and the directive is specified to fall back to "default-src"
    *    when it's not explicitly provided, directivePermits will NOT try
    *    default-src when the specific directive is not used.  Setting this to
    *    "false" allows CSP to fall back to default-src.  This function
    *    behaves the same for both values of canUseDefault when querying
    *    directives that don't fall-back.
    * @return
    *    Whether or not the provided URI is allowed by CSP under the given
    *    directive. (block the pending operation if false).
    */
-  boolean permits(in nsIURI aURI, in CSPDirective aDir, in boolean aSpecific);
+  boolean permits(in Element aTriggeringElement,
+                  in nsIURI aURI,
+                  in CSPDirective aDir,
+                  in boolean aSpecific);
 
   /**
    * Delegate method called by the service when sub-elements of the protected
    * document are being loaded.  Given a bit of information about the request,
    * decides whether or not the policy is satisfied.
    *
    * Calls to this may trigger violation reports when queried, so
    * this value should not be cached.
--- a/dom/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/jsurl/nsJSProtocolHandler.cpp
@@ -174,18 +174,19 @@ nsresult nsJSThunk::EvaluateScript(nsICh
     // allowed.
     nsCOMPtr<nsIContentSecurityPolicy> csp;
     rv = principal->GetCsp(getter_AddRefs(csp));
     NS_ENSURE_SUCCESS(rv, rv);
     if (csp) {
         bool allowsInlineScript = true;
         rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
                                   EmptyString(), // aNonce
-                                  true,         // aParserCreated
-                                  nullptr, // aContent
+                                  true,          // aParserCreated
+                                  nullptr,       // aElement,
+                                  EmptyString(), // aContent
                                   0,             // aLineNumber
                                   0,             // aColumnNumber
                                   &allowsInlineScript);
 
         //return early if inline scripts are not allowed
         if (!allowsInlineScript) {
           return NS_ERROR_DOM_RETVAL_UNDEFINED;
         }
--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1218,17 +1218,17 @@ CSPAllowsInlineScript(nsIScriptElement* 
   // query the nonce
   nsCOMPtr<Element> scriptContent = do_QueryInterface(aElement);
   nsAutoString nonce;
   scriptContent->GetAttr(kNameSpaceID_None, nsGkAtoms::nonce, nonce);
   bool parserCreated = aElement->GetParserCreated() != mozilla::dom::NOT_FROM_PARSER;
 
   bool allowInlineScript = false;
   rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_SCRIPT,
-                            nonce, parserCreated, aElement,
+                            nonce, parserCreated, scriptContent, EmptyString(),
                             aElement->GetScriptLineNumber(),
                             aElement->GetScriptColumnNumber(),
                             &allowInlineScript);
   return allowInlineScript;
 }
 
 ScriptLoadRequest*
 ScriptLoader::CreateLoadRequest(ScriptKind aKind,
@@ -2867,16 +2867,17 @@ ScriptLoader::VerifySRI(ScriptLoadReques
       nsCOMPtr<nsIContentSecurityPolicy> csp;
       loadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(csp));
       nsAutoCString violationURISpec;
       mDocument->GetDocumentURI()->GetAsciiSpec(violationURISpec);
       uint32_t lineNo = aRequest->mElement ? aRequest->mElement->GetScriptLineNumber() : 0;
       uint32_t columnNo = aRequest->mElement ? aRequest->mElement->GetScriptColumnNumber() : 0;
       csp->LogViolationDetails(
         nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT,
+        nullptr, // triggering element
         NS_ConvertUTF8toUTF16(violationURISpec),
         EmptyString(), lineNo, columnNo, EmptyString(), EmptyString());
       rv = NS_ERROR_SRI_CORRUPT;
     }
   }
 
   return rv;
 }
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -49,16 +49,17 @@
 #include "nsSandboxFlags.h"
 #include "nsIScriptElement.h"
 #include "nsIEventTarget.h"
 #include "mozilla/dom/DocGroup.h"
 #include "mozilla/dom/Element.h"
 #include "nsXULAppAPI.h"
 
 using namespace mozilla;
+using namespace mozilla::dom;
 
 static LogModule*
 GetCspContextLog()
 {
   static LazyLogModule gCspContextPRLog("CSPContext");
   return gCspContextPRLog;
 }
 
@@ -203,16 +204,17 @@ nsCSPContext::ShouldLoad(nsContentPolicy
   }
 
   // aExtra holds the original URI of the channel if the
   // channel got redirected (until we fix Bug 1332422).
   nsCOMPtr<nsIURI> originalURI = do_QueryInterface(aExtra);
   bool wasRedirected = originalURI;
 
   bool permitted = permitsInternal(dir,
+                                   nullptr, // aTriggeringElement
                                    aContentLocation,
                                    originalURI,
                                    nonce,
                                    wasRedirected,
                                    isPreload,
                                    false,     // allow fallback to default-src
                                    true,      // send violation reports
                                    true,     // send blocked URI in violation reports
@@ -232,16 +234,17 @@ nsCSPContext::ShouldLoad(nsContentPolicy
                    *outDecision > 0 ? "load" : "deny",
                    aContentLocation->GetSpecOrDefault().get()));
   }
   return NS_OK;
 }
 
 bool
 nsCSPContext::permitsInternal(CSPDirective aDir,
+                              Element* aTriggeringElement,
                               nsIURI* aContentLocation,
                               nsIURI* aOriginalURI,
                               const nsAString& aNonce,
                               bool aWasRedirected,
                               bool aIsPreload,
                               bool aSpecific,
                               bool aSendViolationReports,
                               bool aSendContentLocationInViolationReports,
@@ -264,26 +267,27 @@ nsCSPContext::permitsInternal(CSPDirecti
         CSPCONTEXTLOG(("nsCSPContext::permitsInternal, false"));
         permits = false;
       }
 
       // Do not send a report or notify observers if this is a preload - the
       // decision may be wrong due to the inability to get the nonce, and will
       // incorrectly fail the unit tests.
       if (!aIsPreload && aSendViolationReports) {
-        this->AsyncReportViolation((aSendContentLocationInViolationReports ?
-                                    aContentLocation : nullptr),
-                                   aOriginalURI,  /* in case of redirect originalURI is not null */
-                                   violatedDirective,
-                                   p,             /* policy index        */
-                                   EmptyString(), /* no observer subject */
-                                   EmptyString(), /* no source file      */
-                                   EmptyString(), /* no script sample    */
-                                   0,             /* no line number      */
-                                   0);            /* no column number    */
+        AsyncReportViolation(aTriggeringElement,
+                             (aSendContentLocationInViolationReports ?
+                              aContentLocation : nullptr),
+                             aOriginalURI,  /* in case of redirect originalURI is not null */
+                             violatedDirective,
+                             p,             /* policy index        */
+                             EmptyString(), /* no observer subject */
+                             EmptyString(), /* no source file      */
+                             EmptyString(), /* no script sample    */
+                             0,             /* no line number      */
+                             0);            /* no column number    */
       }
     }
   }
 
   return permits;
 }
 
 
@@ -449,16 +453,17 @@ nsCSPContext::GetAllowsEval(bool* outSho
     }
   }
   return NS_OK;
 }
 
 // Helper function to report inline violations
 void
 nsCSPContext::reportInlineViolation(nsContentPolicyType aContentType,
+                                    Element* aTriggeringElement,
                                     const nsAString& aNonce,
                                     const nsAString& aContent,
                                     const nsAString& aViolatedDirective,
                                     uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that
                                     uint32_t aLineNumber,
                                     uint32_t aColumnNumber)
 {
   nsString observerSubject;
@@ -489,32 +494,35 @@ nsCSPContext::reportInlineViolation(nsCo
   }
 
   nsAutoString codeSample(aContent);
   // cap the length of the script sample
   if (codeSample.Length() > ScriptSampleMaxLength()) {
     codeSample.Truncate(ScriptSampleMaxLength());
     codeSample.AppendLiteral("...");
   }
-  AsyncReportViolation(selfISupports,                      // aBlockedContentSource
+
+  AsyncReportViolation(aTriggeringElement,
+                       selfISupports,                      // aBlockedContentSource
                        mSelfURI,                           // aOriginalURI
                        aViolatedDirective,                 // aViolatedDirective
                        aViolatedPolicyIndex,               // aViolatedPolicyIndex
                        observerSubject,                    // aObserverSubject
                        NS_ConvertUTF8toUTF16(sourceFile),  // aSourceFile
                        codeSample,                         // aScriptSample
                        aLineNumber,                        // aLineNum
                        aColumnNumber);                     // aColumnNum
 }
 
 NS_IMETHODIMP
 nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
                               const nsAString& aNonce,
                               bool aParserCreated,
-                              nsISupports* aElementOrContent,
+                              Element* aTriggeringElement,
+                              const nsAString& aContentOfPseudoScript,
                               uint32_t aLineNumber,
                               uint32_t aColumnNumber,
                               bool* outAllowsInline)
 {
   *outAllowsInline = true;
 
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
@@ -538,41 +546,42 @@ nsCSPContext::GetAllowsInline(nsContentP
     // unecessary strings
     if (allowed) {
       continue;
     }
 
     // Check the content length to ensure the content is not allocated more than
     // once. Even though we are in a for loop, it is probable that there is only one
     // policy, so this check may be unnecessary.
-    if (content.Length() == 0) {
-      // postpone the allocation until absolutely necessary.
-      nsCOMPtr<nsISupportsString> stringContent = do_QueryInterface(aElementOrContent);
-      nsCOMPtr<nsIScriptElement> element = do_QueryInterface(aElementOrContent);
-      if (stringContent) {
-        Unused << stringContent->GetData(content);
-      } else if (element) {
+    if (content.IsEmpty() && aTriggeringElement) {
+      nsCOMPtr<nsIScriptElement> element = do_QueryInterface(aTriggeringElement);
+      if (element) {
         element->GetScriptText(content);
       }
     }
 
+    if (content.IsEmpty()) {
+      content = aContentOfPseudoScript;
+    }
+
     allowed = mPolicies[i]->allows(aContentType, CSP_HASH, content, aParserCreated);
 
     if (!allowed) {
       // policy is violoated: deny the load unless policy is report only and
       // report the violation.
       if (!mPolicies[i]->getReportOnlyFlag()) {
         *outAllowsInline = false;
       }
       nsAutoString violatedDirective;
       bool reportSample = false;
       mPolicies[i]->getDirectiveStringAndReportSampleForContentType(aContentType,
                                                                     violatedDirective,
                                                                     &reportSample);
       reportInlineViolation(aContentType,
+                            aTriggeringElement,
                             aNonce,
                             reportSample ? content : EmptyString(),
                             violatedDirective,
                             i,
                             aLineNumber,
                             aColumnNumber);
     }
   }
@@ -615,22 +624,23 @@ nsCSPContext::GetAllowsInline(nsContentP
     if (!mPolicies[p]->allows(nsIContentPolicy::TYPE_ ## contentPolicyType,    \
                               keyword, nonceOrHash, false))                    \
     {                                                                          \
       nsAutoString violatedDirective;                                          \
       bool reportSample = false;                                               \
       mPolicies[p]->getDirectiveStringAndReportSampleForContentType(           \
                         nsIContentPolicy::TYPE_ ## contentPolicyType,          \
                         violatedDirective, &reportSample);                     \
-      this->AsyncReportViolation(selfISupports, nullptr, violatedDirective, p, \
-                                 NS_LITERAL_STRING(observerTopic),             \
-                                 aSourceFile,                                  \
-                                 reportSample                                  \
-                                   ? aScriptSample : EmptyString(),            \
-                                 aLineNum, aColumnNum);                        \
+      AsyncReportViolation(aTriggeringElement, selfISupports, nullptr,         \
+                           violatedDirective, p,                               \
+                           NS_LITERAL_STRING(observerTopic),                   \
+                           aSourceFile,                                        \
+                           reportSample                                        \
+                             ? aScriptSample : EmptyString(),                  \
+                           aLineNum, aColumnNum);                              \
     }                                                                          \
     PR_END_MACRO;                                                              \
     break
 
 /**
  * For each policy, log any violation on the Error Console and send a report
  * if a report-uri is present in the policy
  *
@@ -651,16 +661,17 @@ nsCSPContext::GetAllowsInline(nsContentP
  * @param aContent
  *     (optional) If this is a hash violation, include contents of the inline
  *     resource in the question so we can recheck the hash in order to
  *     determine which policies were violated and send the appropriate
  *     reports.
  */
 NS_IMETHODIMP
 nsCSPContext::LogViolationDetails(uint16_t aViolationType,
+                                  Element* aTriggeringElement,
                                   const nsAString& aSourceFile,
                                   const nsAString& aScriptSample,
                                   int32_t aLineNum,
                                   int32_t aColumnNum,
                                   const nsAString& aNonce,
                                   const nsAString& aContent)
 {
   for (uint32_t p = 0; p < mPolicies.Length(); p++) {
@@ -1158,57 +1169,77 @@ nsCSPContext::SendReports(
       CSPCONTEXTLOG(("Sent violation report to URI %s", reportURICstring.get()));
     }
   }
   return NS_OK;
 }
 
 nsresult
 nsCSPContext::FireViolationEvent(
+  Element* aTriggeringElement,
   const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit)
 {
   if (!sViolationEventsEnabled) {
     return NS_OK;
   }
 
+  // 1. If target is not null, and global is a Window, and target’s
+  // shadow-including root is not global’s associated Document, set target to
+  // null.
+  RefPtr<EventTarget> eventTarget = aTriggeringElement;
+
   nsCOMPtr<nsIDocument> doc = do_QueryReferent(mLoadingContext);
-  if (!doc) {
+  if (doc && aTriggeringElement &&
+      aTriggeringElement->GetComposedDoc() != doc) {
+    eventTarget = nullptr;
+  }
+
+  if (!eventTarget) {
+    // If target is a Window, set target to target’s associated Document.
+    eventTarget = doc;
+  }
+
+  if (!eventTarget) {
+    // TODO: Set target be violation’s global object. If we are here, we are
+    // probably dealing with workers. See bug 1472927.
     return NS_OK;
   }
 
   RefPtr<mozilla::dom::Event> event =
     mozilla::dom::SecurityPolicyViolationEvent::Constructor(
-      doc,
+      eventTarget,
       NS_LITERAL_STRING("securitypolicyviolation"),
       aViolationEventInit);
   event->SetTrusted(true);
 
   ErrorResult rv;
-  doc->DispatchEvent(*event, rv);
+  eventTarget->DispatchEvent(*event, rv);
   return rv.StealNSResult();
 }
 
 /**
  * Dispatched from the main thread to send reports for one CSP violation.
  */
 class CSPReportSenderRunnable final : public Runnable
 {
   public:
-    CSPReportSenderRunnable(nsISupports* aBlockedContentSource,
+    CSPReportSenderRunnable(Element* aTriggeringElement,
+                            nsISupports* aBlockedContentSource,
                             nsIURI* aOriginalURI,
                             uint32_t aViolatedPolicyIndex,
                             bool aReportOnlyFlag,
                             const nsAString& aViolatedDirective,
                             const nsAString& aObserverSubject,
                             const nsAString& aSourceFile,
                             const nsAString& aScriptSample,
                             uint32_t aLineNum,
                             uint32_t aColumnNum,
                             nsCSPContext* aCSPContext)
       : mozilla::Runnable("CSPReportSenderRunnable")
+      , mTriggeringElement(aTriggeringElement)
       , mBlockedContentSource(aBlockedContentSource)
       , mOriginalURI(aOriginalURI)
       , mViolatedPolicyIndex(aViolatedPolicyIndex)
       , mReportOnlyFlag(aReportOnlyFlag)
       , mViolatedDirective(aViolatedDirective)
       , mSourceFile(aSourceFile)
       , mScriptSample(aScriptSample)
       , mLineNum(aLineNum)
@@ -1284,22 +1315,23 @@ class CSPReportSenderRunnable final : pu
                                      blockedDataChar16.get() };
         mCSPContext->logToConsole(mReportOnlyFlag ? "CSPROViolationWithURI" :
                                                     "CSPViolationWithURI",
                                   params, ArrayLength(params), mSourceFile, mScriptSample,
                                   mLineNum, mColumnNum, nsIScriptError::errorFlag);
       }
 
       // 4) fire violation event
-      mCSPContext->FireViolationEvent(init);
+      mCSPContext->FireViolationEvent(mTriggeringElement, init);
 
       return NS_OK;
     }
 
   private:
+    RefPtr<Element>         mTriggeringElement;
     nsCOMPtr<nsISupports>   mBlockedContentSource;
     nsCOMPtr<nsIURI>        mOriginalURI;
     uint32_t                mViolatedPolicyIndex;
     bool                    mReportOnlyFlag;
     nsString                mViolatedDirective;
     nsCOMPtr<nsISupports>   mObserverSubject;
     nsString                mSourceFile;
     nsString                mScriptSample;
@@ -1308,16 +1340,18 @@ class CSPReportSenderRunnable final : pu
     RefPtr<nsCSPContext>    mCSPContext;
 };
 
 /**
  * Asynchronously notifies any nsIObservers listening to the CSP violation
  * topic that a violation occurred.  Also triggers report sending and console
  * logging.  All asynchronous on the main thread.
  *
+ * @param aTriggeringElement
+ *        The element that triggered this report violation. It can be null.
  * @param aBlockedContentSource
  *        Either a CSP Source (like 'self', as string) or nsIURI: the source
  *        of the violation.
  * @param aOriginalUri
  *        The original URI if the blocked content is a redirect, else null
  * @param aViolatedDirective
  *        the directive that was violated (string).
  * @param aViolatedPolicyIndex
@@ -1331,30 +1365,32 @@ class CSPReportSenderRunnable final : pu
  * @param aScriptSample
  *        a sample of the violating inline script
  * @param aLineNum
  *        source line number of the violation (if available)
  * @param aColumnNum
  *        source column number of the violation (if available)
  */
 nsresult
-nsCSPContext::AsyncReportViolation(nsISupports* aBlockedContentSource,
+nsCSPContext::AsyncReportViolation(Element* aTriggeringElement,
+                                   nsISupports* aBlockedContentSource,
                                    nsIURI* aOriginalURI,
                                    const nsAString& aViolatedDirective,
                                    uint32_t aViolatedPolicyIndex,
                                    const nsAString& aObserverSubject,
                                    const nsAString& aSourceFile,
                                    const nsAString& aScriptSample,
                                    uint32_t aLineNum,
                                    uint32_t aColumnNum)
 {
   NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
 
   nsCOMPtr<nsIRunnable> task =
-    new CSPReportSenderRunnable(aBlockedContentSource,
+    new CSPReportSenderRunnable(aTriggeringElement,
+                                aBlockedContentSource,
                                 aOriginalURI,
                                 aViolatedPolicyIndex,
                                 mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(),
                                 aViolatedDirective,
                                 aObserverSubject,
                                 aSourceFile,
                                 aScriptSample,
                                 aLineNum,
@@ -1473,16 +1509,17 @@ nsCSPContext::PermitsAncestry(nsIDocShel
                      ancestorsArray[a]->GetSpecOrDefault().get()));
     }
     // omit the ancestor URI in violation reports if cross-origin as per spec
     // (it is a violation of the same-origin policy).
     bool okToSendAncestor = NS_SecurityCompareURIs(ancestorsArray[a], mSelfURI, true);
 
 
     bool permits = permitsInternal(nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE,
+                                   nullptr,
                                    ancestorsArray[a],
                                    nullptr, // no redirect here.
                                    EmptyString(), // no nonce
                                    false,   // no redirect here.
                                    false,   // not a preload.
                                    true,    // specific, do not use default-src
                                    true,    // send violation reports
                                    okToSendAncestor,
@@ -1490,27 +1527,29 @@ nsCSPContext::PermitsAncestry(nsIDocShel
     if (!permits) {
       *outPermitsAncestry = false;
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsCSPContext::Permits(nsIURI* aURI,
+nsCSPContext::Permits(Element* aTriggeringElement,
+                      nsIURI* aURI,
                       CSPDirective aDir,
                       bool aSpecific,
                       bool* outPermits)
 {
   // Can't perform check without aURI
   if (aURI == nullptr) {
     return NS_ERROR_FAILURE;
   }
 
   *outPermits = permitsInternal(aDir,
+                                aTriggeringElement,
                                 aURI,
                                 nullptr,  // no original (pre-redirect) URI
                                 EmptyString(),  // no nonce
                                 false,    // not redirected.
                                 false,    // not a preload.
                                 aSpecific,
                                 true,     // send violation reports
                                 true,     // send blocked URI in violation reports
--- a/dom/security/nsCSPContext.h
+++ b/dom/security/nsCSPContext.h
@@ -25,16 +25,22 @@
 #define NS_CSPCONTEXT_CID \
 { 0x09d9ed1a, 0xe5d4, 0x4004, \
   { 0xbf, 0xe0, 0x27, 0xce, 0xb9, 0x23, 0xd9, 0xac } }
 
 class nsINetworkInterceptController;
 class nsIEventTarget;
 struct ConsoleMsgQueueElem;
 
+namespace mozilla {
+namespace dom {
+class Element;
+}
+}
+
 class nsCSPContext : public nsIContentSecurityPolicy
 {
   public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSICONTENTSECURITYPOLICY
     NS_DECL_NSISERIALIZABLE
 
   protected:
@@ -92,19 +98,21 @@ class nsCSPContext : public nsIContentSe
       uint32_t aColumnNum,
       mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit);
 
     nsresult SendReports(
       const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit,
       uint32_t aViolatedPolicyIndex);
 
     nsresult FireViolationEvent(
+      mozilla::dom::Element* aTriggeringElement,
       const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit);
 
-    nsresult AsyncReportViolation(nsISupports* aBlockedContentSource,
+    nsresult AsyncReportViolation(mozilla::dom::Element* aTriggeringElement,
+                                  nsISupports* aBlockedContentSource,
                                   nsIURI* aOriginalURI,
                                   const nsAString& aViolatedDirective,
                                   uint32_t aViolatedPolicyIndex,
                                   const nsAString& aObserverSubject,
                                   const nsAString& aSourceFile,
                                   const nsAString& aScriptSample,
                                   uint32_t aLineNum,
                                   uint32_t aColumnNum);
@@ -117,28 +125,30 @@ class nsCSPContext : public nsIContentSe
     }
 
     nsWeakPtr GetLoadingContext(){
       return mLoadingContext;
     }
 
   private:
     bool permitsInternal(CSPDirective aDir,
+                         mozilla::dom::Element* aTriggeringElement,
                          nsIURI* aContentLocation,
                          nsIURI* aOriginalURI,
                          const nsAString& aNonce,
                          bool aWasRedirected,
                          bool aIsPreload,
                          bool aSpecific,
                          bool aSendViolationReports,
                          bool aSendContentLocationInViolationReports,
                          bool aParserCreated);
 
     // helper to report inline script/style violations
     void reportInlineViolation(nsContentPolicyType aContentType,
+                               mozilla::dom::Element* aTriggeringElement,
                                const nsAString& aNonce,
                                const nsAString& aContent,
                                const nsAString& aViolatedDirective,
                                uint32_t aViolatedPolicyIndex,
                                uint32_t aLineNumber,
                                uint32_t aColumnNumber);
 
     static int32_t sScriptSampleMaxLength;
--- a/dom/security/test/unit/test_csp_reports.js
+++ b/dom/security/test/unit/test_csp_reports.js
@@ -97,27 +97,25 @@ function makeTest(id, expectedJSON, useR
   callback(csp);
 }
 
 function run_test() {
   var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
                                ":" + REPORT_SERVER_PORT +
                                "/foo/self");
 
-  let content = Cc["@mozilla.org/supports-string;1"].
-                   createInstance(Ci.nsISupportsString);
-  content.data = "";
   // test that inline script violations cause a report.
   makeTest(0, {"blocked-uri": ""}, false,
       function(csp) {
         let inlineOK = true;
         inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
                                        "", // aNonce
                                        false, // aParserCreated
-                                       content, // aContent
+                                       null, // aTriggeringElement
+                                       "", // aContentOfPseudoScript
                                        0, // aLineNumber
                                        0); // aColumnNumber
 
         // this is not a report only policy, so it better block inline scripts
         Assert.ok(!inlineOK);
       });
 
   // test that eval violations cause a report.
@@ -133,16 +131,17 @@ function run_test() {
         // this is not a report only policy, so it better block eval
         Assert.ok(!evalOK);
         // ... and cause reports to go out
         Assert.ok(oReportViolation.value);
 
         if (oReportViolation.value) {
           // force the logging, since the getter doesn't.
           csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_EVAL,
+                                  null, // aTriggeringElement
                                   selfuri.asciiSpec,
                                   // sending UTF-16 script sample to make sure
                                   // csp report in JSON is not cut-off, please
                                   // note that JSON is UTF8 encoded.
                                   "\u00a3\u00a5\u00b5\u5317\ud841\udf79",
                                   1, // line number
                                   2); // column number
         }
@@ -155,23 +154,21 @@ function run_test() {
                       NetUtil.newURI("http://blocked.test/foo.js"),
                       null, null, null, null);
       });
 
   // test that inline script violations cause a report in report-only policy
   makeTest(3, {"blocked-uri": ""}, true,
       function(csp) {
         let inlineOK = true;
-        let content = Cc["@mozilla.org/supports-string;1"].
-                         createInstance(Ci.nsISupportsString);
-        content.data = "";
         inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
                                        "", // aNonce
                                        false, // aParserCreated
-                                       content, // aContent
+                                       null, // aTriggeringElement
+                                       "", // aContentOfPseudoScript
                                        0, // aLineNumber
                                        0); // aColumnNumber
 
         // this is a report only policy, so it better allow inline scripts
         Assert.ok(inlineOK);
       });
 
   // test that eval violations cause a report in report-only policy
@@ -183,16 +180,17 @@ function run_test() {
         // this is a report only policy, so it better allow eval
         Assert.ok(evalOK);
         // ... but still cause reports to go out
         Assert.ok(oReportViolation.value);
 
         if (oReportViolation.value) {
           // force the logging, since the getter doesn't.
           csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
+                                  null, // aTriggeringElement
                                   selfuri.asciiSpec,
                                   "script sample",
                                   4, // line number
                                   5); // column number
         }
       });
 
   // test that only the uri's scheme is reported for globally unique identifiers
--- a/dom/workers/RuntimeService.cpp
+++ b/dom/workers/RuntimeService.cpp
@@ -2637,16 +2637,17 @@ LogViolationDetailsRunnable::MainThreadR
   AssertIsOnMainThread();
 
   nsIContentSecurityPolicy* csp = mWorkerPrivate->GetCSP();
   if (csp) {
     NS_NAMED_LITERAL_STRING(scriptSample,
         "Call to eval() or related function blocked by CSP.");
     if (mWorkerPrivate->GetReportCSPViolations()) {
       csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                               nullptr, // triggering element
                                mFileName, scriptSample, mLineNum, mColumnNum,
                                EmptyString(), EmptyString());
     }
   }
 
   return true;
 }
 
--- a/dom/workers/ScriptLoader.cpp
+++ b/dom/workers/ScriptLoader.cpp
@@ -1221,16 +1221,17 @@ private:
       MOZ_LOG(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug,
             ("Scriptloader::Load, SRI required but not supported in workers"));
       nsCOMPtr<nsIContentSecurityPolicy> wcsp;
       chanLoadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(wcsp));
       MOZ_ASSERT(wcsp, "We sould have a CSP for the worker here");
       if (wcsp) {
         wcsp->LogViolationDetails(
             nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT,
+            nullptr, // triggering element
             aLoadInfo.mURL, EmptyString(), 0, 0, EmptyString(), EmptyString());
       }
       return NS_ERROR_SRI_CORRUPT;
     }
 
     // Update the principal of the worker and its base URI if we just loaded the
     // worker's primary script.
     if (IsMainWorkerScript()) {
--- a/layout/style/Loader.cpp
+++ b/layout/style/Loader.cpp
@@ -779,16 +779,17 @@ SheetLoadData::VerifySheetReadyToParse(n
       // log the failed load to web console
       nsCOMPtr<nsIContentSecurityPolicy> csp;
       loadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(csp));
       nsAutoCString spec;
       mLoader->mDocument->GetDocumentURI()->GetAsciiSpec(spec);
       // line number unknown. mRequestingNode doesn't bear this info.
       csp->LogViolationDetails(
         nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_STYLE,
+        nullptr, // triggering element
         NS_ConvertUTF8toUTF16(spec), EmptyString(),
         0, 0, EmptyString(), EmptyString());
       return NS_OK;
     }
   } else {
     nsAutoCString sourceUri;
     if (mLoader->mDocument && mLoader->mDocument->GetDocumentURI()) {
       mLoader->mDocument->GetDocumentURI()->GetAsciiSpec(sourceUri);
--- a/layout/style/nsStyleUtil.cpp
+++ b/layout/style/nsStyleUtil.cpp
@@ -778,20 +778,16 @@ nsStyleUtil::CSPAllowsInlineStyle(Elemen
                                   nsresult* aRv)
 {
   nsresult rv;
 
   if (aRv) {
     *aRv = NS_OK;
   }
 
-  MOZ_ASSERT(!aElement || aElement->NodeInfo()->NameAtom() == nsGkAtoms::style,
-      "aElement passed to CSPAllowsInlineStyle "
-      "for an element that is not <style>");
-
   nsIPrincipal* principal = aPrincipal;
   if (aTriggeringPrincipal &&
       BasePrincipal::Cast(aTriggeringPrincipal)->OverridesCSP(aPrincipal)) {
     principal = aTriggeringPrincipal;
   }
 
   nsCOMPtr<nsIContentSecurityPolicy> csp;
   rv = principal->GetCsp(getter_AddRefs(csp));
@@ -804,30 +800,25 @@ nsStyleUtil::CSPAllowsInlineStyle(Elemen
 
   if (!csp) {
     // No CSP --> the style is allowed
     return true;
   }
 
   // query the nonce
   nsAutoString nonce;
-  if (aElement) {
+  if (aElement && aElement->NodeInfo()->NameAtom() == nsGkAtoms::style) {
     aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::nonce, nonce);
   }
 
-  nsCOMPtr<nsISupportsString> styleText(do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID));
-  if (styleText) {
-    styleText->SetData(aStyleText);
-  }
-
   bool allowInlineStyle = true;
   rv = csp->GetAllowsInline(nsIContentPolicy::TYPE_STYLESHEET,
                             nonce,
                             false, // aParserCreated only applies to scripts
-                            styleText, aLineNumber, aColumnNumber,
+                            aElement, aStyleText, aLineNumber, aColumnNumber,
                             &allowInlineStyle);
   NS_ENSURE_SUCCESS(rv, false);
 
   return allowInlineStyle;
 }
 
 void
 nsStyleUtil::AppendFontSlantStyle(const FontSlantStyle& aStyle, nsAString& aOut)
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
+++ /dev/null
@@ -1,8 +0,0 @@
-[script-src-strict_dynamic_parser_inserted.html]
-  expected: TIMEOUT
-  [Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
-
-  [Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
-
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
@@ -1,17 +1,14 @@
 [script-sample-no-opt-in.html]
   expected: TIMEOUT
   [Inline script should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline event handlers should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [JavaScript URLs in iframes should not have a sample.]
     expected: TIMEOUT
 
-  [eval() should not have a sample.]
-    expected: TIMEOUT
-
   [eval()-alikes should not have a sample.]
     expected: TIMEOUT
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
@@ -1,15 +1,15 @@
 [script-sample.html]
   expected: TIMEOUT
   [Inline script should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline event handlers should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [JavaScript URLs in iframes should have a sample.]
     expected: TIMEOUT
 
   [eval() should not have a sample.]
     expected: TIMEOUT
 
   [eval() should have a sample.]
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
@@ -1,8 +1,7 @@
 [style-sample-no-opt-in.html]
-  expected: TIMEOUT
   [Inline style blocks should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline style attributes should not have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
@@ -1,8 +1,7 @@
 [style-sample.html]
-  expected: TIMEOUT
   [Inline style blocks should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL
 
   [Inline style attributes should have a sample.]
-    expected: TIMEOUT
+    expected: FAIL