Backed out changeset f3e45719fda7 (bug 988616) on a CLOSED TREE
authorGarrett Robinson <grobinson@mozilla.com>
Wed, 04 Jun 2014 17:53:14 -0700
changeset 207032 34bcdcf808fe26b6b1ec2493687875f52b881ccf
parent 207031 6910e2e7e383902d5731651411635467f36ecdb7
child 207033 9a9020972cc49338612f54b908d224cf2f04847a
push id494
push userraliiev@mozilla.com
push dateMon, 25 Aug 2014 18:42:16 +0000
treeherdermozilla-release@a3cc3e46b571 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs988616
milestone32.0a1
backs outf3e45719fda70cbe69285bf4d4fcc539fb6e6cd4
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset f3e45719fda7 (bug 988616) on a CLOSED TREE
content/base/test/xcsp/chrome.ini
content/base/test/xcsp/file_CSP.css
content/base/test/xcsp/file_CSP.sjs
content/base/test/xcsp/file_CSP_evalscript_main.js
content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html
content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^
content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
content/base/test/xcsp/file_csp_bug768029.html
content/base/test/xcsp/file_csp_bug768029.sjs
content/base/test/xcsp/file_csp_bug773891.html
content/base/test/xcsp/file_csp_bug773891.sjs
content/base/test/xcsp/file_csp_redirects_main.html
content/base/test/xcsp/file_csp_redirects_page.sjs
content/base/test/xcsp/file_csp_redirects_resource.sjs
content/base/test/xcsp/file_csp_report.sjs
content/base/test/xcsp/file_multi_policy_injection_bypass.html
content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^
content/base/test/xcsp/file_multi_policy_injection_bypass_2.html
content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^
content/base/test/xcsp/file_redirect_content.sjs
content/base/test/xcsp/file_redirect_report.sjs
content/base/test/xcsp/file_subframe_run_js_if_allowed.html
content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^
content/base/test/xcsp/mochitest.ini
content/base/test/xcsp/moz.build
content/base/test/xcsp/test_301_redirect.html
content/base/test/xcsp/test_302_redirect.html
content/base/test/xcsp/test_303_redirect.html
content/base/test/xcsp/test_307_redirect.html
content/base/test/xcsp/test_CSP.html
content/base/test/xcsp/test_CSP_evalscript.html
content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
content/base/test/xcsp/test_CSP_frameancestors.html
content/base/test/xcsp/test_CSP_inlinescript.html
content/base/test/xcsp/test_CSP_inlinestyle.html
content/base/test/xcsp/test_csp_bug768029.html
content/base/test/xcsp/test_csp_bug773891.html
content/base/test/xcsp/test_csp_redirects.html
content/base/test/xcsp/test_csp_report.html
content/base/test/xcsp/test_multi_policy_injection_bypass.html
content/base/test/xcsp/test_subframe_run_js_if_allowed.html
deleted file mode 100644
--- a/content/base/test/xcsp/chrome.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[DEFAULT]
-
-[test_csp_bug768029.html]
-[test_csp_bug773891.html]
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP.css
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Moved this CSS from an inline stylesheet to an external file when we added
- * inline-style blocking in bug 763879.
- * This test may hang if the load for this .css file is blocked due to a
- * malfunction of CSP, but should pass if the style_good test passes.
- */
-
-/* CSS font embedding tests */
-@font-face {
-  font-family: "arbitrary_good";
-  src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
-}
-@font-face {
-  font-family: "arbitrary_bad";
-  src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
-}
-
-.div_arbitrary_good { font-family: "arbitrary_good"; }
-.div_arbitrary_bad { font-family: "arbitrary_bad"; }
-
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP.sjs
+++ /dev/null
@@ -1,26 +0,0 @@
-// SJS file for CSP mochitests
-
-function handleRequest(request, response)
-{
-  var query = {};
-  request.queryString.split('&').forEach(function (val) {
-    var [name, value] = val.split('=');
-    query[name] = unescape(value);
-  });
-
-  var isPreflight = request.method == "OPTIONS";
-
-
-  //avoid confusing cache behaviors
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  if ("type" in query) {
-    response.setHeader("Content-Type", unescape(query['type']), false);
-  } else {
-    response.setHeader("Content-Type", "text/html", false);
-  }
-
-  if ("content" in query) {
-    response.write(unescape(query['content']));
-  }
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_main.js
+++ /dev/null
@@ -1,126 +0,0 @@
-// some javascript for the CSP eval() tests
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-window._testResults = {};
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window._testResults[what] = "ran";
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window._testResults[what] = "blocked";
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // setTimeout(String) test -- mutate something in the window._testResults
-  // obj, then check it.
-  {
-    var str_setTimeoutWithStringRan = 'onevalexecuted(false, "setTimeout(String)", "setTimeout with a string was enabled.");';
-    function fcn_setTimeoutWithStringCheck() {
-      if (this._testResults["setTimeout(String)"] !== "ran") {
-        onevalblocked(false, "setTimeout(String)",
-                      "setTimeout with a string was blocked");
-      }
-    }
-    setTimeout(fcn_setTimeoutWithStringCheck.bind(window), 10);
-    setTimeout(str_setTimeoutWithStringRan, 10);
-  }
-
-  // setTimeout(function) test -- mutate something in the window._testResults
-  // obj, then check it.
-  {
-    function fcn_setTimeoutWithFunctionRan() {
-      onevalexecuted(true, "setTimeout(function)",
-                    "setTimeout with a function was enabled.")
-    }
-    function fcn_setTimeoutWithFunctionCheck() {
-      if (this._testResults["setTimeout(function)"] !== "ran") {
-        onevalblocked(true, "setTimeout(function)",
-                      "setTimeout with a function was blocked");
-      }
-    }
-    setTimeout(fcn_setTimeoutWithFunctionRan.bind(window), 10);
-    setTimeout(fcn_setTimeoutWithFunctionCheck.bind(window), 10);
-  }
-
-  // eval() test -- should throw exception as per spec
-  try {
-    eval('onevalexecuted(false, "eval(String)", "eval() was enabled.");');
-  } catch (e) {
-    onevalblocked(false, "eval(String)",
-                  "eval() was blocked");
-  }
-
-  // eval(foo,bar) test -- should throw exception as per spec
-  try {
-    eval('onevalexecuted(false, "eval(String,scope)", "eval() was enabled.");',1);
-  } catch (e) {
-    onevalblocked(false, "eval(String,object)",
-                  "eval() with scope was blocked");
-  }
-
-  // [foo,bar].sort(eval) test -- should throw exception as per spec
-  try {
-    ['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
-  } catch (e) {
-    onevalblocked(false, "[String, obj].sort(eval)",
-                  "eval() with scope via sort was blocked");
-  }
-
-  // [].sort.call([foo,bar], eval) test -- should throw exception as per spec
-  try {
-    [].sort.call(['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
-  } catch (e) {
-    onevalblocked(false, "[].sort.call([String, obj], eval)",
-                  "eval() with scope via sort/call was blocked");
-  }
-
-  // new Function() test -- should throw exception as per spec
-  try {
-    var fcn = new Function('onevalexecuted(false, "new Function(String)", "new Function(String) was enabled.");');
-    fcn();
-  } catch (e) {
-    onevalblocked(false, "new Function(String)",
-                  "new Function(String) was blocked.");
-  }
-
-  // setTimeout(eval, 0, str)
-  {
-    // error is not catchable here, instead, we're going to side-effect
-    // 'worked'.
-    var worked = false;
-
-    setTimeout(eval, 0, 'worked = true');
-    setTimeout(function(worked) {
-                  if (worked) {
-                    onevalexecuted(false, "setTimeout(eval, 0, str)",
-                                    "setTimeout(eval, 0, string) was enabled.");
-                  } else {
-                    onevalblocked(false, "setTimeout(eval, 0, str)",
-                                        "setTimeout(eval, 0, str) was blocked.");
-                  }
-                }, 0, worked);
-  }
-
-}, false);
-
-
-
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-  <head>
-    <title>CSP eval script tests</title>
-    <script type="application/javascript"
-             src="file_CSP_evalscript_main_getCRMFRequest.js"></script>
-  </head>
-  <body>
-
-    Foo.
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-Cache-Control: no-cache
-X-Content-Security-Policy: default-src 'self'
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js
+++ /dev/null
@@ -1,48 +0,0 @@
-// some javascript for the CSP eval() tests
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-window._testResults = {};
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window._testResults[what] = "ran";
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window._testResults[what] = "blocked";
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // generateCRMFRequest test -- make sure we cannot eval the callback if CSP is in effect
-  try {
-    var script = 'console.log("dynamic script eval\'d in crypto.generateCRMFRequest should be disallowed")';
-    crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-    onevalexecuted(false, "crypto.generateCRMFRequest()",
-                   "crypto.generateCRMFRequest() should not run!");
-  } catch (e) {
-    onevalblocked(false, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }
-
-
-}, false);
-
-
-
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-  <head>
-    <title>CSP eval script tests: no CSP specified</title>
-    <script type="application/javascript"
-             src="file_CSP_evalscript_no_CSP_at_all.js"></script>
-  </head>
-  <body>
-
-    Foo. See bug 824652
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^
+++ /dev/null
@@ -1,1 +0,0 @@
-Cache-Control: no-cache
deleted file mode 100644
--- a/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
+++ /dev/null
@@ -1,42 +0,0 @@
-// some javascript for the CSP eval() tests
-// all of these evals should succeed, as the document loading this script
-// has script-src 'self' 'unsafe-eval'
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // test that allows crypto.generateCRMFRequest eval to run when there is no CSP at all in place
-  try {
-      var script =
-        'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
-      crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-      onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest: no CSP at all",
-                     "eval executed during crypto.generateCRMFRequest where no CSP is set at all");
-  } catch (e) {
-    onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }
-}, false);
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_bug768029.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
--->
-<head>
-  <meta charset="utf-8">
-    <title>This is an app for testing</title>
-
-    <link rel="stylesheet" type="text/css"
-          href="file_csp_bug768029.sjs?type=style&origin=same_origin" />
-    <link rel="stylesheet" type="text/css"
-          href="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=style&origin=cross_origin" />
-  </head>
-  <body>
-
-    <script src="file_csp_bug768029.sjs?type=script&origin=same_origin"></script>
-    <script src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=script&origin=cross_origin"></script>
-    <img src="file_csp_bug768029.sjs?type=img&origin=same_origin" />
-    <img src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=img&origin=cross_origin" />
-
-    Test for CSP applied to (simulated) app.
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_bug768029.sjs
+++ /dev/null
@@ -1,29 +0,0 @@
-function handleRequest(request, response) {
-
-  var query = {};
-
-  request.queryString.split('&').forEach(function(val) {
-    var [name, value] = val.split('=');
-    query[name] = unescape(value);
-  });
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  if ("type" in query) {
-    switch (query.type) {
-      case "script":
-        response.setHeader("Content-Type", "application/javascript");
-        response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
-        return;
-      case "style":
-        response.setHeader("Content-Type", "text/css");
-        response.write("\n\n.cspfoo { color:red; }\n\n");
-        return;
-      case "img":
-        response.setHeader("Content-Type", "image/png");
-        return;
-    }
-  }
-
-  response.setHeader("Content-Type", "text/plain");
-  response.write("ohnoes!");
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_bug773891.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=773891
--->
-<head>
-  <meta charset="utf-8">
-    <title>This is an app for csp testing</title>
-
-    <link rel="stylesheet" type="text/css"
-          href="file_csp_bug773891.sjs?type=style&origin=same_origin" />
-    <link rel="stylesheet" type="text/css"
-          href="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=style&origin=cross_origin" />
-  </head>
-  <body>
-
-    <script src="file_csp_bug773891.sjs?type=script&origin=same_origin"></script>
-    <script src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=script&origin=cross_origin"></script>
-    <img src="file_csp_bug773891.sjs?type=img&origin=same_origin" />
-    <img src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=img&origin=cross_origin" />
-
-    Test for CSP applied to (simulated) app.
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_bug773891.sjs
+++ /dev/null
@@ -1,29 +0,0 @@
-function handleRequest(request, response) {
-
-  var query = {};
-
-  request.queryString.split('&').forEach(function(val) {
-    var [name, value] = val.split('=');
-    query[name] = unescape(value);
-  });
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  if ("type" in query) {
-    switch (query.type) {
-      case "script":
-        response.setHeader("Content-Type", "application/javascript");
-        response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
-        return;
-      case "style":
-        response.setHeader("Content-Type", "text/css");
-        response.write("\n\n.cspfoo { color:red; }\n\n");
-        return;
-      case "img":
-        response.setHeader("Content-Type", "image/png");
-        return;
-    }
-  }
-
-  response.setHeader("Content-Type", "text/plain");
-  response.write("ohnoes!");
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_redirects_main.html
+++ /dev/null
@@ -1,44 +0,0 @@
-<html>
-<head>
-<title>CSP redirect tests</title>
-</head>
-<body>
-<div id="container"></div>
-</body>
-
-<script>
-var thisSite = "http://mochi.test:8888";
-var otherSite = "http://example.com";
-var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
-
-var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
-              "frame-src": thisSite+page+"?testid=frame-src&csp=1",
-              "img-src":  thisSite+page+"?testid=img-src&csp=1",
-              "media-src":  thisSite+page+"?testid=media-src&csp=1",
-              "object-src":  thisSite+page+"?testid=object-src&csp=1",
-              "script-src":  thisSite+page+"?testid=script-src&csp=1",
-              "style-src":  thisSite+page+"?testid=style-src&csp=1",
-              "worker":  thisSite+page+"?testid=worker&csp=1",
-              "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
-              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
-              "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
-              "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
-              "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
-              "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
-              "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
-              "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
-              "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
-              "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
-            };
-
-var container = document.getElementById("container");
-
-// load each test in its own iframe
-for (tid in tests) {
-  var i = document.createElement("iframe");
-  i.id = tid;
-  i.src = tests[tid];
-  container.appendChild(i);
-}
-</script>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_redirects_page.sjs
+++ /dev/null
@@ -1,133 +0,0 @@
-// SJS file for CSP redirect mochitests
-// This file serves pages which can optionally specify a Content Security Policy
-function handleRequest(request, response)
-{
-  var query = {};
-  request.queryString.split('&').forEach(function (val) {
-    var [name, value] = val.split('=');
-    query[name] = unescape(value);
-  });
-
-  response.setHeader("Cache-Control", "no-cache", false);
-  response.setHeader("Content-Type", "text/html", false);
-
-  var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
-
-  // CSP header value
-  if (query["csp"] == 1) {
-    if (query["spec"] == 1) {
-      response.setHeader("Content-Security-Policy", "default-src 'self' ; style-src 'self' 'unsafe-inline'", false);
-    } else {
-      response.setHeader("X-Content-Security-Policy", "allow 'self'", false);
-    }
-  }
-
-  // downloadable font that redirects to another site
-  if (query["testid"] == "font-src") {
-    var resp = '<style type="text/css"> @font-face { font-family:' +
-               '"Redirecting Font"; src: url("' + resource +
-               '?res=font&redir=other&id=font-src-redir")} #test{font-family:' +
-               '"Redirecting Font"}</style></head><body>' +
-               '<div id="test">test</div></body>';
-    response.write(resp);
-    return;
-  }
-
-  if (query["testid"] == "font-src-spec-compliant") {
-    var resp = '<style type="text/css"> @font-face { font-family:' +
-               '"Redirecting Font Spec Compliant"; src: url("' + resource +
-               '?res=font-spec-compliant&redir=other&id=font-src-redir-spec-compliant")} #test{font-family:' +
-               '"Redirecting Font Spec Compliant"}</style></head><body>' +
-               '<div id="test">test</div></body>';
-    response.write(resp);
-    return;
-  }
-
-  // iframe that redirects to another site
-  if (query["testid"] == "frame-src") {
-    response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir"></iframe>');
-    return;
-  }
-
-  if (query["testid"] == "frame-src-spec-compliant") {
-    response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir-spec-compliant"></iframe>');
-    return;
-  }
-
-  // image that redirects to another site
-  if (query["testid"] == "img-src") {
-    response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir" />');
-    return;
-  }
-
-  if (query["testid"] == "img-src-spec-compliant") {
-    response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir-spec-compliant" />');
-    return;
-  }
-
-  // video content that redirects to another site
-  if (query["testid"] == "media-src") {
-    response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir"></video>');
-    return;
-  }
-
-  if (query["testid"] == "media-src-spec-compliant") {
-    response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir-spec-compliant"></video>');
-    return;
-  }
-
-  // object content that redirects to another site
-  if (query["testid"] == "object-src") {
-    response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir"></object>');
-    return;
-  }
-
-  if (query["testid"] == "object-src-spec-compliant") {
-    response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir-spec-compliant"></object>');
-    return;
-  }
-
-  // external script that redirects to another site
-  if (query["testid"] == "script-src") {
-    response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir"></script>');
-    return;
-  }
-
-  if (query["testid"] == "script-src-spec-compliant") {
-    response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir-spec-compliant"></script>');
-    return;
-  }
-
-  // external stylesheet that redirects to another site
-  if (query["testid"] == "style-src") {
-    response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir"></script>');
-    return;
-  }
-
-  if (query["testid"] == "style-src-spec-compliant") {
-    response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir-spec-compliant"></script>');
-    return;
-  }
-
-  // worker script resource that redirects to another site
-  if (query["testid"] == "worker") {
-    response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir"></script>');
-    return;
-  }
-
-  if (query["testid"] == "worker-spec-compliant") {
-    response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir-spec-compliant"></script>');
-    return;
-  }
-
-  // script that XHR's to a resource that redirects to another site
-  if (query["testid"] == "xhr-src") {
-    response.write('<script src="'+resource+'?res=xhr"></script>');
-    return;
-  }
-
-  if (query["testid"] == "xhr-src-spec-compliant") {
-    response.write('<script src="'+resource+'?res=xhr-spec-compliant"></script>');
-    return;
-  }
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_redirects_resource.sjs
+++ /dev/null
@@ -1,128 +0,0 @@
-// SJS file to serve resources for CSP redirect tests
-// This file mimics serving resources, e.g. fonts, images, etc., which a CSP
-// can include. The resource may redirect to a different resource, if specified.
-function handleRequest(request, response)
-{
-  var query = {};
-  request.queryString.split('&').forEach(function (val) {
-    var [name, value] = val.split('=');
-    query[name] = unescape(value);
-  });
-
-  var thisSite = "http://mochi.test:8888";
-  var otherSite = "http://example.com";
-  var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
-
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  // redirect to a resource on this site
-  if (query["redir"] == "same") {
-    var loc = thisSite+resource+"?res="+query["res"]+"&testid="+query["id"];
-    response.setStatusLine("1.1", 302, "Found");
-    response.setHeader("Location", loc, false);
-    return;
-  }
-
-  // redirect to a resource on a different site
-  else if (query["redir"] == "other") {
-    var loc = otherSite+resource+"?res="+query["res"]+"&testid="+query["id"];
-    response.setStatusLine("1.1", 302, "Found");
-    response.setHeader("Location", loc, false);
-    return;
-  }
-
-  // not a redirect.  serve some content.
-  // the content doesn't have to be valid, since we're only checking whether
-  // the request for the content was sent or not.
-
-  // downloadable font
-  if (query["res"] == "font") {
-    response.setHeader("Access-Control-Allow-Origin", "*", false);
-    response.setHeader("Content-Type", "text/plain", false);
-    response.write("font data...");
-    return;
-  }
-
-  if (query["res"] == "font-spec-compliant") {
-    response.setHeader("Access-Control-Allow-Origin", "*", false);
-    response.setHeader("Content-Type", "text/plain", false);
-    response.write("font data...");
-    return;
-  }
-
-  // iframe with arbitrary content
-  if (query["res"] == "iframe") {
-    response.setHeader("Content-Type", "text/html", false);
-    response.write("iframe content...");
-    return;
-  }
-
-  // image
-  if (query["res"] == "image") {
-    response.setHeader("Content-Type", "image/gif", false);
-    response.write("image data...");
-    return;
-  }
-
-  // media content, e.g. Ogg video
-  if (query["res"] == "media") {
-    response.setHeader("Content-Type", "video/ogg", false);
-    response.write("video data...");
-    return;
-  }
-
-  // plugin content, e.g. <object>
-  if (query["res"] == "object") {
-    response.setHeader("Content-Type", "text/html", false);
-    response.write("object data...");
-    return;
-  }
-
-  // script
-  if (query["res"] == "script") {
-    response.setHeader("Content-Type", "application/javascript", false);
-    response.write("some script...");
-    return;
-  }
-
-  // external stylesheet
-  if (query["res"] == "style") {
-    response.setHeader("Content-Type", "text/css", false);
-    response.write("css data...");
-    return;
-  }
-
-  // web worker resource
-  if (query["res"] == "worker") {
-    response.setHeader("Content-Type", "application/javascript", false);
-    response.write("worker script data...");
-    return;
-  }
-
-  // script that invokes XHR
-  if (query["res"] == "xhr") {
-    response.setHeader("Content-Type", "text/html", false);
-    var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
-               resource+'?res=xhr-resp&testid=xhr-src-redir", false); ' +
-               'x.send(null);';
-    response.write(resp);
-    return;
-  }
-
-  if (query["res"] == "xhr-spec-compliant") {
-    response.setHeader("Content-Type", "text/html", false);
-    var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
-               resource+'?res=xhr-resp-spec-compliant&testid=xhr-src-redir-spec-compliant", false); ' +
-               'x.send(null);';
-    response.write(resp);
-    return;
-  }
-
-  // response to XHR
-  if (query["res"] == "xhr-resp-spec-compliant") {
-    response.setHeader("Access-Control-Allow-Origin", "*", false);
-    response.setHeader("Content-Type", "text/html", false);
-    response.write('XHR response...');
-    return;
-  }
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_csp_report.sjs
+++ /dev/null
@@ -1,25 +0,0 @@
-// SJS file for CSP violation report test
-// https://bugzilla.mozilla.org/show_bug.cgi?id=548193
-function handleRequest(request, response)
-{
-  var query = {};
-  request.queryString.split('&').forEach(function (val) {
-    var [name, value] = val.split('=');
-    query[name] = unescape(value);
-  });
-
-  response.setHeader("Content-Type", "text/html", false);
-
-  // avoid confusing cache behaviors
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  // set CSP header
-  response.setHeader("X-Content-Security-Policy",
-                     "allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
-                     false);
-
-  // content which will trigger a violation report
-  response.write('<html><body>');
-  response.write('<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>');
-  response.write('</body></html>');
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_multi_policy_injection_bypass.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=717511
--->
-  <body>
-    <!-- these should be stopped by CSP after fixing bug 717511.  :) -->
-    <img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
-    <script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
-
-    <!-- these should load ok after fixing bug 717511.  :) -->
-    <img src="file_CSP.sjs?testid=img_good&type=img/png" />
-    <script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^
+++ /dev/null
@@ -1,1 +0,0 @@
-X-Content-Security-Policy: default-src 'self', allow *
deleted file mode 100644
--- a/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=717511
--->
-  <body>
-    <!-- these should be stopped by CSP after fixing bug 717511.  :) -->
-    <img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img2_bad&type=img/png"> </img>
-    <script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script2_bad&type=text/javascript'></script>
-
-    <!-- these should load ok after fixing bug 717511.  :) -->
-    <img src="file_CSP.sjs?testid=img2_good&type=img/png" />
-    <script src='file_CSP.sjs?testid=script2_good&type=text/javascript'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^
+++ /dev/null
@@ -1,1 +0,0 @@
-X-Content-Security-Policy: default-src 'self'   ,    allow *
deleted file mode 100644
--- a/content/base/test/xcsp/file_redirect_content.sjs
+++ /dev/null
@@ -1,38 +0,0 @@
-// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-// This SJS file serves file_redirect_content.html
-// with a CSP that will trigger a violation and that will report it
-// to file_redirect_report.sjs
-//
-// This handles 301, 302, 303 and 307 redirects. The HTTP status code
-// returned/type of redirect to do comes from the query string
-// parameter passed in from the test_bug650386_* files and then also
-// uses that value in the report-uri parameter of the CSP
-function handleRequest(request, response) {
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  // this gets used in the CSP as part of the report URI.
-  var redirect = request.queryString;
-
-  if (redirect < 301 || (redirect > 303 && redirect <= 306) || redirect > 307) {
-    // if we somehow got some bogus redirect code here,
-    // do a 302 redirect to the same URL as the report URI
-    // redirects to - this will fail the test.
-    var loc = "http://example.com/some/fake/path";
-    response.setStatusLine("1.1", 302, "Found");
-    response.setHeader("Location", loc, false);
-    return;
-  }
-
-  var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
-
-  response.setHeader("X-Content-Security-Policy", csp, false);
-
-  // the actual file content.
-  // this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
-  // specified by the CSP string above.
-  var content = "<!DOCTYPE HTML><html><body><img src = \"http://some.other.domain.example.com\"></body></html>";
-
-  response.write(content);
-
-  return;
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_redirect_report.sjs
+++ /dev/null
@@ -1,17 +0,0 @@
-// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-// This SJS file serves as CSP violation report target
-// and issues a redirect, to make sure the browser does not post to the target
-// of the redirect, per CSP spec.
-// This handles 301, 302, 303 and 307 redirects. The HTTP status code
-// returned/type of redirect to do comes from the query string
-// parameter
-function handleRequest(request, response) {
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  var redirect = request.queryString;
-
-  var loc = "http://example.com/some/fake/path";
-  response.setStatusLine("1.1", redirect, "Found");
-  response.setHeader("Location", loc, false);
-  return;
-}
deleted file mode 100644
--- a/content/base/test/xcsp/file_subframe_run_js_if_allowed.html
+++ /dev/null
@@ -1,13 +0,0 @@
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=702439
-
-This document is a child frame of a CSP document and the
-test verifies that it is permitted to run javascript: URLs
-if the parent has a policy that allows them.
--->
-<body onload="document.getElementById('a').click()">
-<a id="a" href="javascript:parent.javascript_link_ran = true;
-                parent.checkResult();">click</a>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^
+++ /dev/null
@@ -1,1 +0,0 @@
-X-Content-Security-Policy: default-src *; options inline-script
deleted file mode 100644
--- a/content/base/test/xcsp/mochitest.ini
+++ /dev/null
@@ -1,165 +0,0 @@
-[DEFAULT]
-support-files =
-  file_CSP.css
-  file_CSP.sjs
-  file_CSP_bug663567.xsl
-  file_CSP_bug663567_allows.xml
-  file_CSP_bug663567_allows.xml^headers^
-  file_CSP_bug663567_blocks.xml
-  file_CSP_bug663567_blocks.xml^headers^
-  file_CSP_bug802872.html
-  file_CSP_bug802872.html^headers^
-  file_CSP_bug802872.js
-  file_CSP_bug802872.sjs
-  file_CSP_bug885433_allows.html
-  file_CSP_bug885433_allows.html^headers^
-  file_CSP_bug885433_blocks.html
-  file_CSP_bug885433_blocks.html^headers^
-  file_CSP_bug888172.html
-  file_CSP_bug888172.sjs
-  file_CSP_bug916446.html
-  file_CSP_bug916446.html^headers^
-  file_CSP_evalscript_main.html
-  file_CSP_evalscript_main.html^headers^
-  file_CSP_evalscript_main.js
-  file_CSP_evalscript_main_allowed.js
-  file_CSP_evalscript_main_allowed_getCRMFRequest.js
-  file_CSP_evalscript_main_getCRMFRequest.html
-  file_CSP_evalscript_main_getCRMFRequest.html^headers^
-  file_CSP_evalscript_main_getCRMFRequest.js
-  file_CSP_evalscript_main_spec_compliant.html
-  file_CSP_evalscript_main_spec_compliant.html^headers^
-  file_CSP_evalscript_main_spec_compliant_allowed.html
-  file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
-  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
-  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
-  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
-  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
-  file_CSP_evalscript_no_CSP_at_all.html
-  file_CSP_evalscript_no_CSP_at_all.html^headers^
-  file_CSP_evalscript_no_CSP_at_all.js
-  file_CSP_frameancestors.sjs
-  file_CSP_frameancestors_main.html
-  file_CSP_frameancestors_main.js
-  file_CSP_frameancestors_main_spec_compliant.html
-  file_CSP_frameancestors_main_spec_compliant.js
-  file_CSP_frameancestors_spec_compliant.sjs
-  file_CSP_inlinescript_main.html
-  file_CSP_inlinescript_main.html^headers^
-  file_CSP_inlinescript_main_spec_compliant.html
-  file_CSP_inlinescript_main_spec_compliant.html^headers^
-  file_CSP_inlinescript_main_spec_compliant_allowed.html
-  file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
-  file_CSP_inlinestyle_main.html
-  file_CSP_inlinestyle_main.html^headers^
-  file_CSP_inlinestyle_main_spec_compliant.html
-  file_CSP_inlinestyle_main_spec_compliant.html^headers^
-  file_CSP_inlinestyle_main_spec_compliant_allowed.html
-  file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
-  file_CSP_main.html
-  file_CSP_main.html^headers^
-  file_CSP_main.js
-  file_CSP_main_spec_compliant.html
-  file_CSP_main_spec_compliant.html^headers^
-  file_CSP_main_spec_compliant.js
-  file_bothCSPheaders.html
-  file_bothCSPheaders.html^headers^
-  file_bug836922_npolicies.html
-  file_bug836922_npolicies.html^headers^
-  file_bug836922_npolicies_ro_violation.sjs
-  file_bug836922_npolicies_violation.sjs
-  file_bug886164.html
-  file_bug886164.html^headers^
-  file_bug886164_2.html
-  file_bug886164_2.html^headers^
-  file_bug886164_3.html
-  file_bug886164_3.html^headers^
-  file_bug886164_4.html
-  file_bug886164_4.html^headers^
-  file_bug886164_5.html
-  file_bug886164_5.html^headers^
-  file_bug886164_6.html
-  file_bug886164_6.html^headers^
-  file_csp_bug768029.html
-  file_csp_bug768029.sjs
-  file_csp_bug773891.html
-  file_csp_bug773891.sjs
-  file_csp_redirects_main.html
-  file_csp_redirects_page.sjs
-  file_csp_redirects_resource.sjs
-  file_CSP_bug910139.sjs
-  file_CSP_bug910139.xml
-  file_CSP_bug910139.xsl
-  file_CSP_bug909029_star.html
-  file_CSP_bug909029_star.html^headers^
-  file_CSP_bug909029_none.html
-  file_CSP_bug909029_none.html^headers^
-  file_policyuri_regression_from_multipolicy.html
-  file_policyuri_regression_from_multipolicy.html^headers^
-  file_policyuri_regression_from_multipolicy_policy
-  file_nonce_source.html
-  file_nonce_source.html^headers^
-  file_CSP_bug941404.html
-  file_CSP_bug941404_xhr.html
-  file_CSP_bug941404_xhr.html^headers^
-  file_hash_source.html
-  file_hash_source.html^headers^
-  file_dual_headers_warning.html
-  file_dual_headers_warning.html^headers^
-  file_self_none_as_hostname_confusion.html
-  file_self_none_as_hostname_confusion.html^headers^
-  file_csp_testserver.sjs
-  file_csp_regexp_parsing.html
-  file_csp_regexp_parsing.js
-  file_report_uri_missing_in_report_only_header.html
-  file_report_uri_missing_in_report_only_header.html^headers^
-  file_csp_report.sjs
-  file_policyuri_async_fetch.html
-  file_policyuri_async_fetch.html^headers^
-  file_redirect_content.sjs
-  file_redirect_report.sjs
-  file_subframe_run_js_if_allowed.html
-  file_subframe_run_js_if_allowed.html^headers^
-  file_multi_policy_injection_bypass.html
-  file_multi_policy_injection_bypass.html^headers^
-  file_multi_policy_injection_bypass_2.html
-  file_multi_policy_injection_bypass_2.html^headers^
-
-[test_CSP.html]
-[test_CSP_bug663567.html]
-[test_CSP_bug802872.html]
-[test_CSP_bug885433.html]
-[test_CSP_bug888172.html]
-[test_CSP_bug916446.html]
-[test_CSP_evalscript.html]
-[test_CSP_evalscript_getCRMFRequest.html]
-skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
-[test_CSP_frameancestors.html]
-skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
-[test_CSP_inlinescript.html]
-[test_CSP_inlinestyle.html]
-[test_bothCSPheaders.html]
-[test_bug836922_npolicies.html]
-[test_bug886164.html]
-[test_csp_redirects.html]
-[test_CSP_bug910139.html]
-[test_CSP_bug909029.html]
-[test_policyuri_regression_from_multipolicy.html]
-[test_nonce_source.html]
-[test_CSP_bug941404.html]
-[test_hash_source.html]
-skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
-[test_dual_headers_warning.html]
-[test_self_none_as_hostname_confusion.html]
-[test_bug949549.html]
-[test_csp_regexp_parsing.html]
-[test_report_uri_missing_in_report_only_header.html]
-[test_csp_report.html]
-skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
-[test_policyuri_async_fetch.html]
-[test_301_redirect.html]
-[test_302_redirect.html]
-[test_303_redirect.html]
-[test_307_redirect.html]
-[test_subframe_run_js_if_allowed.html]
-[test_multi_policy_injection_bypass.html]
deleted file mode 100644
--- a/content/base/test/xcsp/moz.build
+++ /dev/null
@@ -1,10 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-MOCHITEST_MANIFESTS += ['mochitest.ini']
-
-MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
-
deleted file mode 100644
--- a/content/base/test/xcsp/test_301_redirect.html
+++ /dev/null
@@ -1,77 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-Test that CSP violation reports are not sent when a 301 redirect is encountered
--->
-<head>
-  <title>Test for Bug 650386</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
-<p id="display"></p>
-<div id="content" style="display: none">
-<iframe id = "content_iframe"></iframe>
-</div>
-<pre id="test">
-<script type="application/javascript">
-
-/** Test for Bug 650386 **/
-
-// This is used to watch the redirect of the report POST get blocked
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI
-    if(!SpecialPowers.can_QI(subject))
-       return;
-
-    if (topic === "specialpowers-http-notify-request") {
-      // this is used to fail the test - if we see the POST to the target of the redirect
-      // we know this is a fail
-      var uri = data;
-      if (uri == "http://example.com/some/fake/path")
-        window.done(false);
-    }
-
-    if(topic === "csp-on-violate-policy") {
-      // something was blocked, but we are looking specifically for the redirect being blocked
-      if (data == "denied redirect while sending violation report")
-        window.done(true);
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-// result == true if we saw the redirect blocked notify, false if we saw the post
-// to the redirect target go out
-window.done = function(result) {
-  ok(result, "a 301 redirect when posting violation report should be blocked");
-
-  // clean up observers and finish the test
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-// save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?301';
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_302_redirect.html
+++ /dev/null
@@ -1,77 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-Test that CSP violation reports are not sent when a 302 redirect is encountered
--->
-<head>
-  <title>Test for Bug 650386</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
-<p id="display"></p>
-<div id="content" style="display: none">
-<iframe id = "content_iframe"></iframe>
-</div>
-<pre id="test">
-<script type="application/javascript">
-
-/** Test for Bug 650386 **/
-
-// This is used to watch the redirect of the report POST get blocked
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI
-    if(!SpecialPowers.can_QI(subject))
-       return;
-
-    if (topic === "specialpowers-http-notify-request") {
-      // this is used to fail the test - if we see the POST to the target of the redirect
-      // we know this is a fail
-      var uri = data;
-      if (uri == "http://example.com/some/fake/path")
-        window.done(false);
-    }
-
-    if(topic === "csp-on-violate-policy") {
-      // something was blocked, but we are looking specifically for the redirect being blocked
-      if (data == "denied redirect while sending violation report")
-        window.done(true);
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-// result == true if we saw the redirect blocked notify, false if we saw the post
-// to the redirect target go out
-window.done = function(result) {
-  ok(result, "a 302 redirect when posting violation report should be blocked");
-
-  // clean up observers and finish the test
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-// save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?302';
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_303_redirect.html
+++ /dev/null
@@ -1,77 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-Test that CSP violation reports are not sent when a 303 redirect is encountered
--->
-<head>
-  <title>Test for Bug 650386</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
-<p id="display"></p>
-<div id="content" style="display: none">
-<iframe id = "content_iframe"></iframe>
-</div>
-<pre id="test">
-<script type="application/javascript">
-
-/** Test for Bug 650386 **/
-
-// This is used to watch the redirect of the report POST get blocked
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI
-    if(!SpecialPowers.can_QI(subject))
-       return;
-
-    if (topic === "specialpowers-http-notify-request") {
-      // this is used to fail the test - if we see the POST to the target of the redirect
-      // we know this is a fail
-      var uri = data;
-      if (uri == "http://example.com/some/fake/path")
-        window.done(false);
-    }
-
-    if(topic === "csp-on-violate-policy") {
-      // something was blocked, but we are looking specifically for the redirect being blocked
-      if (data == "denied redirect while sending violation report")
-        window.done(true);
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-// result == true if we saw the redirect blocked notify, false if we saw the post
-// to the redirect target go out
-window.done = function(result) {
-  ok(result, "a 303 redirect when posting violation report should be blocked");
-
-  // clean up observers and finish the test
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-// save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?303';
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_307_redirect.html
+++ /dev/null
@@ -1,77 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-Test that CSP violation reports are not sent when a 307 redirect is encountered
--->
-<head>
-  <title>Test for Bug 650386</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
-<p id="display"></p>
-<div id="content" style="display: none">
-<iframe id = "content_iframe"></iframe>
-</div>
-<pre id="test">
-<script type="application/javascript">
-
-/** Test for Bug 650386 **/
-
-// This is used to watch the redirect of the report POST get blocked
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI
-    if(!SpecialPowers.can_QI(subject))
-       return;
-
-    if (topic === "specialpowers-http-notify-request") {
-      // this is used to fail the test - if we see the POST to the target of the redirect
-      // we know this is a fail
-      var uri = data;
-      if (uri == "http://example.com/some/fake/path")
-        window.done(false);
-    }
-
-    if(topic === "csp-on-violate-policy") {
-      // something was blocked, but we are looking specifically for the redirect being blocked
-      if (data == "denied redirect while sending violation report")
-        window.done(true);
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-// result == true if we saw the redirect blocked notify, false if we saw the post
-// to the redirect target go out
-window.done = function(result) {
-  ok(result, "a 307 redirect when posting violation report should be blocked");
-
-  // clean up observers and finish the test
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-// save this for last so that our listeners are registered.
-document.getElementById('content_iframe').src = 'file_redirect_content.sjs?307';
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_CSP.html
+++ /dev/null
@@ -1,139 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy Connections</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-// These are test results: -1 means it hasn't run,
-// true/false is the pass/fail result.
-window.tests = {
-  img_good: -1,
-  img_bad: -1,
-  style_good: -1,
-  style_bad: -1,
-  frame_good: -1,
-  frame_bad: -1,
-  script_good: -1,
-  script_bad: -1,
-  xhr_good: -1,
-  xhr_bad: -1,
-  media_good: -1,
-  media_bad: -1,
-  font_good: -1,
-  font_bad: -1,
-  object_good: -1,
-  object_bad: -1,
-  img_spec_compliant_good: -1,
-  img_spec_compliant_bad: -1,
-  style_spec_compliant_good: -1,
-  style_spec_compliant_bad: -1,
-  frame_spec_compliant_good: -1,
-  frame_spec_compliant_bad: -1,
-  script_spec_compliant_good: -1,
-  script_spec_compliant_bad: -1,
-  xhr_spec_compliant_good: -1,
-  xhr_spec_compliant_bad: -1,
-  media_spec_compliant_good: -1,
-  media_spec_compliant_bad: -1,
-  font_spec_compliant_good: -1,
-  font_spec_compliant_bad: -1,
-  object_spec_compliant_good: -1,
-  object_spec_compliant_bad: -1,
-};
-
-// This is used to watch the blocked data bounce off CSP and allowed data
-// get sent out to the wire.
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    var testpat = new RegExp("testid=([a-z0-9_]+)");
-
-    //_good things better be allowed!
-    //_bad things better be stopped!
-
-    // This is a special observer topic that is proxied from
-    // http-on-modify-request in the parent process to inform us when a URI is
-    // loaded
-    if (topic === "specialpowers-http-notify-request") {
-      var uri = data;
-      if (!testpat.test(uri)) return;
-      var testid = testpat.exec(uri)[1];
-
-      window.testResult(testid,
-                        /_good/.test(testid),
-                        uri + " allowed by csp");
-    }
-
-    if (topic === "csp-on-violate-policy") {
-      // these were blocked... record that they were blocked
-      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      if (!testpat.test(asciiSpec)) return;
-      var testid = testpat.exec(asciiSpec)[1];
-      window.testResult(testid,
-                        /_bad/.test(testid),
-                        asciiSpec + " blocked by \"" + data + "\"");
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-window.testResult = function(testname, result, msg) {
-  //test already complete.... forget it... remember the first result.
-  if (window.tests[testname] != -1)
-    return;
-
-  window.tests[testname] = result;
-  is(result, true, testname + ' test: ' + msg);
-
-  // if any test is incomplete, keep waiting
-  for (var v in window.tests)
-    if(tests[v] == -1)
-      return;
-
-  // ... otherwise, finish
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true],
-          // This defaults to 0 ("preload none") on mobile (B2G/Android), which
-          // blocks loading the resource until the user interacts with a
-          // corresponding widget, which breaks the media_* tests. We set it
-          // back to the default used by desktop Firefox to get consistent
-          // behavior.
-          ["media.preload.default", 2]]},
-    function() {
-      // save this for last so that our listeners are registered.
-      // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
-    });
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_CSP_evalscript.html
+++ /dev/null
@@ -1,65 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy "no eval" base restriction</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-var evalScriptsThatRan = 0;
-var evalScriptsBlocked = 0;
-var evalScriptsTotal = 24;
-
-// called by scripts that run
-var scriptRan = function(shouldrun, testname, data) {
-  evalScriptsThatRan++;
-  ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// called when a script is blocked
-var scriptBlocked = function(shouldrun, testname, data) {
-  evalScriptsBlocked++;
-  ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-
-// Check to see if all the tests have run
-var checkTestResults = function() {
-  // if any test is incomplete, keep waiting
-  if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
-    return;
-
-  // ... otherwise, finish
-  SimpleTest.finish();
-}
-
-//////////////////////////////////////////////////////////////////////
-// set up and go
-SimpleTest.waitForExplicitFinish();
-
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true]]},
-    function() {
-      // save this for last so that our listeners are registered.
-      // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
-      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
-    });
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
+++ /dev/null
@@ -1,65 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy "no eval" in crypto.getCRMFRequest()</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-var evalScriptsThatRan = 0;
-var evalScriptsBlocked = 0;
-var evalScriptsTotal = 4;
-
-// called by scripts that run
-var scriptRan = function(shouldrun, testname, data) {
-  evalScriptsThatRan++;
-  ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// called when a script is blocked
-var scriptBlocked = function(shouldrun, testname, data) {
-  evalScriptsBlocked++;
-  ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// Check to see if all the tests have run
-var checkTestResults = function() {
-  // if any test is incomplete, keep waiting
-  if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
-    return;
-
-  // ... otherwise, finish
-  SimpleTest.finish();
-}
-
-//////////////////////////////////////////////////////////////////////
-// set up and go
-SimpleTest.waitForExplicitFinish();
-
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true]]},
-    function() {
-      // save this for last so that our listeners are registered.
-      // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
-      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
-    });
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_CSP_frameancestors.html
+++ /dev/null
@@ -1,136 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy Frame Ancestors directive</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-// These are test results: -1 means it hasn't run,
-// true/false is the pass/fail result.
-var framesThatShouldLoad = {
-  aa_allow: -1,    /* innermost frame allows a */
-  //aa_block: -1,    /* innermost frame denies a */
-  ab_allow: -1,    /* innermost frame allows a */
-  //ab_block: -1,    /* innermost frame denies a */
-  aba_allow: -1,   /* innermost frame allows b,a */
-  //aba_block: -1,   /* innermost frame denies b */
-  //aba2_block: -1,  /* innermost frame denies a */
-  abb_allow: -1,   /* innermost frame allows b,a */
-  //abb_block: -1,   /* innermost frame denies b */
-  //abb2_block: -1,  /* innermost frame denies a */
-  aa_allow_spec_compliant: -1,    /* innermost frame allows a *
-  //aa_block_spec_compliant: -1,    /* innermost frame denies a */
-  ab_allow_spec_compliant: -1,    /* innermost frame allows a */
-  //ab_block_spec_compliant: -1,    /* innermost frame denies a */
-  aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
-  //aba_block_spec_compliant: -1,   /* innermost frame denies b */
-  //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
-  abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
-  //abb_block_spec_compliant: -1,   /* innermost frame denies b */
-  //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
-};
-
-var expectedViolationsLeft = 12;
-
-// This is used to watch the blocked data bounce off CSP and allowed data
-// get sent out to the wire.
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-}
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI, and should be either allowed or blocked.
-    if (!SpecialPowers.can_QI(subject))
-      return;
-
-    if (topic === "csp-on-violate-policy") {
-      //these were blocked... record that they were blocked
-      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      window.frameBlocked(asciiSpec, data);
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-  }
-}
-
-// called when a frame is loaded
-// -- if it's not enumerated above, it should not load!
-var frameLoaded = function(testname, uri) {
-  //test already complete.... forget it... remember the first result.
-  if (window.framesThatShouldLoad[testname] != -1)
-    return;
-
-  if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
-    // uh-oh, we're not expecting this frame to load!
-    ok(false, testname + ' framed site should not have loaded: ' + uri);
-  } else {
-    framesThatShouldLoad[testname] = true;
-    ok(true, testname + ' framed site when allowed by csp (' + uri + ')');
-  }
-  checkTestResults();
-}
-
-// called when a frame is blocked
-// -- we can't determine *which* frame was blocked, but at least we can count them
-var frameBlocked = function(uri, policy) {
-  ok(true, 'a CSP policy blocked frame from being loaded: ' + policy);
-  expectedViolationsLeft--;
-  checkTestResults();
-}
-
-
-// Check to see if all the tests have run
-var checkTestResults = function() {
-  // if any test is incomplete, keep waiting
-  for (var v in framesThatShouldLoad)
-    if(window.framesThatShouldLoad[v] == -1)
-      return;
-
-  if (window.expectedViolationsLeft > 0)
-    return;
-
-  // ... otherwise, finish
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-window.addEventListener("message", receiveMessage, false);
-
-function receiveMessage(event) {
-  if (event.data.call && event.data.call == 'frameLoaded')
-    frameLoaded(event.data.testname, event.data.uri);
-}
-
-//////////////////////////////////////////////////////////////////////
-// set up and go
-window.examiner = new examiner();
-SimpleTest.waitForExplicitFinish();
-
-// added this so the tests run even if we don't flip the pref on by default.
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true]]},
-  function() {
-    // save this for last so that our listeners are registered.
-    // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
-    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
-  });
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_CSP_inlinescript.html
+++ /dev/null
@@ -1,128 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy Frame Ancestors directive</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-var inlineScriptsThatRan = 0;
-var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 12;
-
-// This is used to watch the blocked data bounce off CSP and allowed data
-// get sent out to the wire.
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-}
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI, and should be either allowed or blocked.
-    if (!SpecialPowers.can_QI(subject))
-      return;
-
-    if (topic === "csp-on-violate-policy") {
-      var what = null;
-      try {
-        //these were blocked... record that they were blocked
-        what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      } catch(e) {
-        //if that fails, the subject is probably a string
-        what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
-      }
-      window.scriptBlocked(what, data);
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-  }
-}
-
-// called by scripts that run
-// the first argument is whether the script expects to be allowed or not.
-var scriptRan = function(result, testname, data) {
-  inlineScriptsThatRan++;
-  ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// called when a script is blocked
-// -- we can't determine *which* frame was blocked, but at least we can count them
-var scriptBlocked = function(testname, data) {
-  inlineScriptsBlocked++;
-  ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-
-// Check to see if all the tests have run
-var checkTestResults = function() {
-  // if any test is incomplete, keep waiting
-  if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
-    return;
-
-  // The four scripts in the page with 'unsafe-inline' should run.
-  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
-
-  // The other eight scripts in the other two pages should be blocked.
-  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
-
-  // ... otherwise, finish
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-//////////////////////////////////////////////////////////////////////
-// set up and go
-window.examiner = new examiner();
-SimpleTest.waitForExplicitFinish();
-
-function clickit() {
-  var cspframe = document.getElementById('cspframe');
-  var a = cspframe.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
-}
-
-function clickit2() {
-  var cspframe2 = document.getElementById('cspframe2');
-  var a = cspframe2.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
-}
-
-function clickit3() {
-  var cspframe3 = document.getElementById('cspframe3');
-  var a = cspframe3.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
-}
-
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true]]},
-  function() {
-    // save this for last so that our listeners are registered.
-    // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
-    document.getElementById('cspframe').addEventListener('load', clickit, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', clickit2, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
-  });
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_CSP_inlinestyle.html
+++ /dev/null
@@ -1,142 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy inline stylesheets stuff</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-
-//////////////////////////////////////////////////////////////////////
-// set up and go
-SimpleTest.waitForExplicitFinish();
-
-var done = 0;
-
-// Our original CSP implementation does not block inline styles.
-function checkStyles(evt) {
-  var cspframe = document.getElementById('cspframe');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  //expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should block inline
-// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
-// (when it's not explicitly allowed.)
-function checkStylesSpecCompliant(evt) {
-  var cspframe = document.getElementById('cspframe2');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  //expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should allow inline
-// styles when it is explicitly allowed.
-function checkStylesSpecCompliantAllowed(evt) {
-  var cspframe = document.getElementById('cspframe3');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  // expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
-
-  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
-  // since it relies on executing script to set .cssText
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-function checkIfDone() {
-  done++;
-  if (done == 3)
-    SimpleTest.finish();
-}
-
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true]]},
-  function() {
-    // save this for last so that our listeners are registered.
-    // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
-    document.getElementById('cspframe').addEventListener('load', checkStyles, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
-  }
-);
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_csp_bug768029.html
+++ /dev/null
@@ -1,223 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
--->
-<head>
-  <meta charset="utf-8">
-  <title>Test for CSP on trusted/certified apps -- bug 768029</title>
-  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=768029">Mozilla Bug 768029</a>
-<p id="display"></p>
-<div id="content">
-
-</div>
-<pre id="test">
-<script type="application/javascript;version=1.7">
-
-Components.utils.import("resource://gre/modules/Services.jsm");
-
-/** Test for Bug 768029 **/
-
-// Note: we don't have to inspect all the different operations of CSP,
-// we're just looking for specific differences in behavior that indicate
-// a default CSP got applied.
-const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
-const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'";
-
-SimpleTest.waitForExplicitFinish();
-
-var gData = [
-  {
-    app: "https://example.com/manifest.webapp",
-    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
-    origin: "https://example.com",
-    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
-    statusString: "installed app",
-    expectedTestResults: {
-      max_tests: 7, /* number of bools below plus one for the status check */
-      cross_origin: { img: true,  script: true,  style: true },
-      same_origin:  { img: true,  script: true,  style: true  },
-    },
-  },
-
-  {
-    app: "https://example.com/manifest_priv.webapp",
-    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
-    origin: "https://example.com",
-    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
-    statusString: "privileged app",
-    expectedTestResults: {
-      max_tests: 7, /* number of bools below plus one for the status check */
-      cross_origin: { img: true,  script: false, style: false },
-      same_origin:  { img: true,  script: true,  style: true  },
-    },
-  },
-
-  {
-    app: "https://example.com/manifest_cert.webapp",
-    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
-    origin: "https://example.com",
-    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
-    statusString: "certified app",
-    expectedTestResults: {
-      max_tests: 7, /* number of bools below plus one for the status check */
-      cross_origin: { img: true,  script: false, style: false },
-      same_origin:  { img: true,  script: true,  style: true  },
-    },
-  },
-];
-
-// Observer for watching allowed loads and blocked attempts
-function ThingyListener(app, iframe) {
-  Services.obs.addObserver(this, "csp-on-violate-policy", false);
-  Services.obs.addObserver(this, "http-on-modify-request", false);
-  dump("added observers\n");
-  // keep track of which app ID this test is monitoring.
-  this._testData = app;
-  this._expectedResults = app.expectedTestResults;
-  this._resultsRecorded = { cross_origin: {}, same_origin: {}};
-  this._iframe = iframe;
-  this._countedTests = 0;
-}
-ThingyListener.prototype = {
-
-  observe: function(subject, topic, data) {
-    // make sure to only observe app-generated calls to the helper for this test.
-    var testpat = new RegExp("file_csp_bug768029\\.sjs");
-
-    // used to extract which kind of load this is (img, script, etc).
-    var typepat = new RegExp("type=([\\_a-z0-9]+)");
-
-    // used to identify whether it's cross-origin or same-origin loads
-    // (the applied CSP allows same-origin loads).
-    var originpat = new RegExp("origin=([\\_a-z0-9]+)");
-
-    if (topic === "http-on-modify-request") {
-      // Matching requests on this topic were allowed by the csp
-      var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
-      var uri = chan.URI;
-      // ignore irrelevent URIs
-      if (!testpat.test(uri.asciiSpec)) return;
-
-      var loadType = typepat.exec(uri.asciiSpec)[1];
-      var originType = originpat.exec(uri.asciiSpec)[1];
-
-      // skip duplicate hits to this topic (potentially document loads
-      // may generate duplicate loads.
-      if (this._resultsRecorded[originType] &&
-          this._resultsRecorded[originType][loadType]) {
-        return;
-      }
-      var message = originType + " : " + loadType + " should be " +
-                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
-      ok(this._expectedResults[originType][loadType] == true, message);
-      this._resultsRecorded[originType][loadType] = true;
-      this._countedTests++;
-    }
-    else if (topic === "csp-on-violate-policy") {
-      // Matching hits on this topic were blocked by the csp
-      var uri = subject.QueryInterface(Components.interfaces.nsIURI);
-      // ignore irrelevent URIs
-      if (!testpat.test(uri.asciiSpec)) return;
-
-      var loadType = typepat.exec(uri.asciiSpec)[1];
-      var originType = originpat.exec(uri.asciiSpec)[1];
-
-      // skip duplicate hits to this topic (potentially document loads
-      // may generate duplicate loads.
-      if (this._resultsRecorded[originType] &&
-          this._resultsRecorded[originType][loadType]) {
-        return;
-      }
-
-      var message = originType + " : " + loadType + " should be " +
-                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
-      ok(this._expectedResults[originType][loadType] == false, message);
-      this._resultsRecorded[originType][loadType] = true;
-      this._countedTests++;
-    }
-    else {
-      // wrong topic!  Nothing to do.
-      return;
-    }
-
-    this._checkForFinish();
-  },
-
-  _checkForFinish: function() {
-    // check to see if there are load tests still pending.
-    // (All requests triggered by the app should hit one of the
-    // two observer topics.)
-    if (this._countedTests == this._expectedResults.max_tests) {
-      Services.obs.removeObserver(this, "csp-on-violate-policy");
-      Services.obs.removeObserver(this, "http-on-modify-request");
-      dump("removed observers\n");
-      checkedCount++;
-      if (checkedCount == checksTodo) {
-        SpecialPowers.removePermission("browser", "https://example.com");
-        SimpleTest.finish();
-      } else {
-        gTestRunner.next();
-      }
-    }
-  },
-
-  // verify the status of the app
-  checkAppStatus: function() {
-    var principal = this._iframe.contentDocument.nodePrincipal;
-    if (this._testData.app) {
-      is(principal.appStatus, this._testData.appStatus,
-         "iframe principal's app status doesn't match the expected app status.");
-      this._countedTests++;
-      this._checkForFinish();
-    }
-  }
-}
-
-var content = document.getElementById('content');
-var checkedCount = 0; // number of apps checked
-var checksTodo = gData.length;
-
-// quick check to make sure we can test apps:
-is('appStatus' in document.nodePrincipal, true,
-   'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
-
-function runTest() {
-  for (var i = 0; i < gData.length; i++) {
-    let data = gData[i];
-    var iframe = document.createElement('iframe');
-
-    // watch for successes and failures
-    var examiner = new ThingyListener(data, iframe);
-
-    iframe.setAttribute('mozapp', data.app);
-    iframe.setAttribute('mozbrowser', 'true');
-    iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
-    iframe.src = data.uri;
-
-    content.appendChild(iframe);
-
-    yield undefined;
-  }
-}
-
-var gTestRunner = runTest();
-
-// load the default CSP and pref it on
-SpecialPowers.addPermission("browser", true, "https://example.com");
-SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
-                                   ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
-                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
-                                   ["security.mixed_content.block_active_content", false],
-                                   ["security.mixed_content.block_display_content", false]]},
-                          function() {  gTestRunner.next(); });
-
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_csp_bug773891.html
+++ /dev/null
@@ -1,228 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
--->
-<head>
-  <meta charset="utf-8">
-  <title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
-  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=773891">Mozilla Bug 773891</a>
-<p id="display"></p>
-<div id="content">
-
-</div>
-<pre id="test">
-<script type="application/javascript;version=1.7">
-
-Components.utils.import("resource://gre/modules/Services.jsm");
-
-/** Test for Bug 773891 **/
-
-// Note: we don't have to inspect all the different operations of CSP,
-// we're just looking for specific differences in behavior that indicate
-// a default CSP got applied.
-const DEFAULT_CSP_PRIV = "default-src *; script-src *; style-src 'self' 'unsafe-inline'; object-src 'none'";
-const DEFAULT_CSP_CERT = "default-src *; script-src *; style-src 'self'; object-src 'none'";
-
-const MANIFEST_CSP_PRIV = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
-const MANIFEST_CSP_INST = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
-const MANIFEST_CSP_CERT = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
-
-SimpleTest.waitForExplicitFinish();
-
-var gData = [
-
-  {
-    app: "https://example.com/manifest_csp_inst.webapp",
-    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
-    csp: MANIFEST_CSP_INST,
-    origin: "https://example.com",
-    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
-    statusString: "installed app",
-    expectedTestResults: {
-      max_tests: 7, /* number of bools below plus one for the status check */
-      cross_origin: { img: true,  script: false, style: false },
-      same_origin:  { img: true,  script: true,  style: true  },
-    },
-  },
-  {
-    app: "https://example.com/manifest_csp_cert.webapp",
-    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
-    csp: MANIFEST_CSP_CERT,
-    origin: "https://example.com",
-    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
-    statusString: "certified app",
-    expectedTestResults: {
-      max_tests: 7, /* number of bools below plus one for the status check */
-      cross_origin: { img: true,  script: false, style: false },
-      same_origin:  { img: true,  script: true,  style: true  },
-    },
-  },
-  {
-    app: "https://example.com/manifest_csp_priv.webapp",
-    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
-    csp: MANIFEST_CSP_PRIV,
-    origin: "https://example.com",
-    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
-    statusString: "privileged app",
-    expectedTestResults: {
-      max_tests: 7, /* number of bools below plus one for the status check */
-      cross_origin: { img: true,  script: false, style: false },
-      same_origin:  { img: true,  script: true,  style: true  },
-    },
-  },
-];
-
-// Observer for watching allowed loads and blocked attempts
-function ThingyListener(app, iframe) {
-  Services.obs.addObserver(this, "csp-on-violate-policy", false);
-  Services.obs.addObserver(this, "http-on-modify-request", false);
-  dump("added observers\n");
-  // keep track of which app ID this test is monitoring.
-  this._testData = app;
-  this._expectedResults = app.expectedTestResults;
-  this._resultsRecorded = { cross_origin: {}, same_origin: {}};
-  this._iframe = iframe;
-  this._countedTests = 0;
-}
-ThingyListener.prototype = {
-
-  observe: function(subject, topic, data) {
-    // make sure to only observe app-generated calls to the helper for this test.
-    var testpat = new RegExp("file_csp_bug773891\\.sjs");
-
-    // used to extract which kind of load this is (img, script, etc).
-    var typepat = new RegExp("type=([\\_a-z0-9]+)");
-
-    // used to identify whether it's cross-origin or same-origin loads
-    // (the applied CSP allows same-origin loads).
-    var originpat = new RegExp("origin=([\\_a-z0-9]+)");
-
-    if (topic === "http-on-modify-request") {
-      // Matching requests on this topic were allowed by the csp
-      var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
-      var uri = chan.URI;
-      // ignore irrelevent URIs
-      if (!testpat.test(uri.asciiSpec)) return;
-
-      var loadType = typepat.exec(uri.asciiSpec)[1];
-      var originType = originpat.exec(uri.asciiSpec)[1];
-
-      // skip duplicate hits to this topic (potentially document loads
-      // may generate duplicate loads.
-      if (this._resultsRecorded[originType] &&
-          this._resultsRecorded[originType][loadType]) {
-        return;
-      }
-      var message = originType + " : " + loadType + " should be " +
-                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
-      ok(this._expectedResults[originType][loadType] == true, message);
-      this._resultsRecorded[originType][loadType] = true;
-      this._countedTests++;
-    }
-    else if (topic === "csp-on-violate-policy") {
-      // Matching hits on this topic were blocked by the csp
-      var uri = subject.QueryInterface(Components.interfaces.nsIURI);
-      // ignore irrelevent URIs
-      if (!testpat.test(uri.asciiSpec)) return;
-
-      var loadType = typepat.exec(uri.asciiSpec)[1];
-      var originType = originpat.exec(uri.asciiSpec)[1];
-
-      // skip duplicate hits to this topic (potentially document loads
-      // may generate duplicate loads.
-      if (this._resultsRecorded[originType] &&
-          this._resultsRecorded[originType][loadType]) {
-        return;
-      }
-
-      var message = originType + " : " + loadType + " should be " +
-                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
-      ok(this._expectedResults[originType][loadType] == false, message);
-      this._resultsRecorded[originType][loadType] = true;
-      this._countedTests++;
-    }
-    else {
-      // wrong topic!  Nothing to do.
-      return;
-    }
-
-    this._checkForFinish();
-  },
-
-  _checkForFinish: function() {
-    // check to see if there are load tests still pending.
-    // (All requests triggered by the app should hit one of the
-    // two observer topics.)
-    if (this._countedTests == this._expectedResults.max_tests) {
-      Services.obs.removeObserver(this, "csp-on-violate-policy");
-      Services.obs.removeObserver(this, "http-on-modify-request");
-      dump("removed observers\n");
-      checkedCount++;
-      if (checkedCount == checksTodo) {
-        SpecialPowers.removePermission("browser", "https://example.com");
-        SimpleTest.finish();
-      } else {
-        gTestRunner.next();
-      }
-    }
-  },
-
-  // verify the status of the app
-  checkAppStatus: function() {
-    var principal = this._iframe.contentDocument.nodePrincipal;
-    if (this._testData.app) {
-      is(principal.appStatus, this._testData.appStatus,
-         "iframe principal's app status doesn't match the expected app status.");
-      this._countedTests++;
-      this._checkForFinish();
-    }
-  }
-}
-
-var content = document.getElementById('content');
-var checkedCount = 0; // number of apps checked
-var checksTodo = gData.length;
-
-// quick check to make sure we can test apps:
-is('appStatus' in document.nodePrincipal, true,
-   'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
-
-function runTest() {
-  for (var i = 0; i < gData.length; i++) {
-    let data = gData[i];
-    var iframe = document.createElement('iframe');
-
-    // watch for successes and failures
-    var examiner = new ThingyListener(data, iframe);
-
-    iframe.setAttribute('mozapp', data.app);
-    iframe.setAttribute('mozbrowser', 'true');
-    iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
-    iframe.src = data.uri;
-
-    content.appendChild(iframe);
-
-    yield undefined;
-  }
-}
-
-var gTestRunner = runTest();
-
-// load the default CSP and pref it on
-SpecialPowers.addPermission("browser", true, "https://example.com");
-
-SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
-                                   ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
-                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
-                          function() {  gTestRunner.next(); });
-
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_csp_redirects.html
+++ /dev/null
@@ -1,148 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Tests for Content Security Policy during redirects</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-
-</div>
-
-<iframe style="width:100%;height:300px;" id="harness"></iframe>
-<pre id="log"></pre>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-// debugging
-function log(s) {
-  return;
-  dump("**" + s + "\n");
-  var log = document.getElementById("log");
-  log.textContent = log.textContent+s+"\n";
-}
-
-// used to watch if requests are blocked by CSP or allowed through
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    var testpat = new RegExp("testid=([a-z0-9-]+)");
-    var asciiSpec;
-    var testid;
-
-    if (topic === "specialpowers-http-notify-request") {
-      // request was sent
-      var allowedUri = data;
-      if (!testpat.test(allowedUri)) return;
-      testid = testpat.exec(allowedUri)[1];
-      if (testExpectedResults[testid] == "completed") return;
-      log("allowed: "+allowedUri);
-      window.testResult(testid, allowedUri, true);
-    }
-
-    else if (topic === "csp-on-violate-policy") {
-      // request was blocked
-      asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      if (!testpat.test(asciiSpec)) return;
-      testid = testpat.exec(asciiSpec)[1];
-      // had to add this check because http-on-modify-request can fire after
-      // csp-on-violate-policy, apparently, even though the request does
-      // not hit the wire.
-      if (testExpectedResults[testid] == "completed") return;
-      log("BLOCKED: "+asciiSpec);
-      window.testResult(testid, asciiSpec, false);
-    }
-  },
-
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-window.examiner = new examiner();
-
-// contains { test_frame_id : expected_result }
-var testExpectedResults = { "font-src": true,
-                            "font-src-redir": false,
-                            "frame-src": true,
-                            "frame-src-redir": false,
-                            "img-src": true,
-                            "img-src-redir": false,
-                            "media-src": true,
-                            "media-src-redir": false,
-                            "object-src": true,
-                            "object-src-redir": false,
-                            "script-src": true,
-                            "script-src-redir": false,
-                            "style-src": true,
-                            "style-src-redir": false,
-                            "worker": true,
-                            "worker-redir": false,
-                            "xhr-src": true,
-                            "xhr-src-redir": false,
-                            "font-src-spec-compliant": true,
-                            "font-src-redir-spec-compliant": false,
-                            "frame-src-spec-compliant": true,
-                            "frame-src-redir-spec-compliant": false,
-                            "img-src-spec-compliant": true,
-                            "img-src-redir-spec-compliant": false,
-                            "media-src-spec-compliant": true,
-                            "media-src-redir-spec-compliant": false,
-                            "object-src-spec-compliant": true,
-                            "object-src-redir-spec-compliant": false,
-                            "script-src-spec-compliant": true,
-                            "script-src-redir-spec-compliant": false,
-                            "style-src-spec-compliant": true,
-                            "style-src-redir-spec-compliant": false,
-                            "worker-spec-compliant": true,
-                            "worker-redir-spec-compliant": false,
-                            "xhr-src-spec-compliant": true,
-                            "xhr-src-redir-spec-compliant": false,
-                          };
-
-// takes the name of the test, the URL that was tested, and whether the
-// load occurred
-var testResult = function(testName, url, result) {
-  log("  testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
-  is(result, testExpectedResults[testName], testName+" test: "+url);
-
- // mark test as completed
-  testExpectedResults[testName] = "completed";
-
-  // don't finish until we've run all the tests
-  for (var t in testExpectedResults) {
-    if (testExpectedResults[t] != "completed") {
-      return;
-    }
-  }
-
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true],
-          // This defaults to 0 ("preload none") on mobile (B2G/Android), which
-          // blocks loading the resource until the user interacts with a
-          // corresponding widget, which breaks the media_* tests. We set it
-          // back to the default used by desktop Firefox to get consistent
-          // behavior.
-          ["media.preload.default", 2]]},
-  function() {
-    // save this for last so that our listeners are registered.
-    // ... this loads the testbed of good and bad requests.
-    document.getElementById("harness").src = "file_csp_redirects_main.html";
-  });
-</script>
-</pre>
-
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_csp_report.html
+++ /dev/null
@@ -1,108 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=548193
--->
-<head>
-  <title>Test for Bug 548193</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-
-<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<script class="testbody" type="text/javascript">
-// This is used to watch requests go out so we can see if the report is
-// sent correctly
-function examiner() {
-  SpecialPowers.addObserver(this, "http-on-opening-request", false);
-}
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    // subject should be an nsURI
-    if (!SpecialPowers.can_QI(subject))
-      return;
-
-    const reportURI = "http://mochi.test:8888/csp-report.cgi";
-
-    if (topic === "http-on-opening-request") {
-      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
-      if (asciiSpec !== reportURI) return;
-
-      // Verify that the report was properly formatted.
-      // We'll parse the report text as JSON and verify that the properties
-      // have expected values.
-      var reportText = "{}";
-      try {
-        var uploadStream = SpecialPowers.wrap(SpecialPowers.do_QueryInterface(subject, "nsIUploadChannel")).uploadStream;
-
-        if (uploadStream) {
-          // get the bytes from the request body
-          var binstream = SpecialPowers.Cc["@mozilla.org/binaryinputstream;1"]
-                                          .createInstance(SpecialPowers.Ci.nsIBinaryInputStream);
-          binstream.setInputStream(uploadStream);
-
-          var segments = [];
-          for (var count = uploadStream.available(); count; count = uploadStream.available()) {
-            var data = binstream.readBytes(count);
-            segments.push(data);
-          }
-
-          var reportText = segments.join("");
-          // rewind stream as we are supposed to - there will be an assertion later if we don't.
-          SpecialPowers.do_QueryInterface(uploadStream, "nsISeekableStream").seek(SpecialPowers.Ci.nsISeekableStream.NS_SEEK_SET, 0);
-        }
-      }
-      catch(e) {}
-
-      var reportObj = JSON.parse(reportText);
-
-      // test for the proper values in the report object
-      window.checkResults(reportObj);
-
-      // finish up
-      window.examiner.remove();
-      SimpleTest.finish();
-    }
-  },
-
-  // remove the listener
-  remove: function() {
-    SpecialPowers.removeObserver(this, "http-on-opening-request");
-  }
-}
-
-// content file that triggers a violation report
-var testFile = "file_csp_report.sjs";
-
-window.checkResults = function(reportObj) {
-  var cspReport = reportObj["csp-report"];
-  // correct violating request
-  is(cspReport["document-uri"],
-     "http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
-     "Incorrect violating request");
-  // correct blocked-uri
-  is(cspReport["blocked-uri"],
-     "http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png",
-     "Incorrect blocked uri");
-  // correct violated-directive
-  is(cspReport["violated-directive"], "default-src http://mochi.test:8888",
-     "Incorrect violated directive");
-  // not practical to test request-headers as header names and values will
-  // change with the trunk
-}
-
-window.examiner = new examiner();
-
-SimpleTest.waitForExplicitFinish();
-
-// load the resource which will generate a CSP violation report
-document.getElementById("cspframe").src = testFile;
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_multi_policy_injection_bypass.html
+++ /dev/null
@@ -1,121 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=717511
--->
-<head>
-  <title>Test for Bug 717511</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-
-
-</div>
-
-<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/";
-
-// These are test results: -1 means it hasn't run,
-// true/false is the pass/fail result.
-// This is not exhaustive, just double-checking the 'self' vs * policy conflict in the two HTTP headers.
-window.tests = {
-  img_good: -1,
-  img_bad: -1,
-  script_good: -1,
-  script_bad: -1,
-  img2_good: -1,
-  img2_bad: -1,
-  script2_good: -1,
-  script2_bad: -1,
-};
-
-
-// This is used to watch the blocked data bounce off CSP and allowed data
-// get sent out to the wire.
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    var testpat = new RegExp("testid=([a-z0-9_]+)");
-
-    //_good things better be allowed!
-    //_bad things better be stopped!
-
-    if (topic === "specialpowers-http-notify-request") {
-      //these things were allowed by CSP
-      var asciiSpec = data;
-      if (!testpat.test(asciiSpec)) return;
-      var testid = testpat.exec(asciiSpec)[1];
-      window.testResult(testid,
-                        /_good/.test(testid),
-                        asciiSpec + " allowed by csp");
-
-    }
-
-    if(topic === "csp-on-violate-policy") {
-      // subject should be an nsIURI for csp-on-violate-policy
-      if (!SpecialPowers.can_QI(subject)) {
-        return;
-      }
-
-      //these were blocked... record that they were blocked
-      var asciiSpec = SpecialPowers.getPrivilegedProps(
-                        SpecialPowers.do_QueryInterface(subject, "nsIURI"),
-                        "asciiSpec");
-      if (!testpat.test(asciiSpec)) return;
-      var testid = testpat.exec(asciiSpec)[1];
-      window.testResult(testid,
-                        /_bad/.test(testid),
-                        asciiSpec + " blocked by \"" + data + "\"");
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-window.testResult = function(testname, result, msg) {
-
-  //test already complete.... forget it... remember the first result.
-  if (window.tests[testname] != -1)
-    return;
-
-  window.tests[testname] = result;
-  is(result, true, testname + ' test: ' + msg);
-
-  // if any test is incomplete, keep waiting
-  for (var v in window.tests)
-    if(tests[v] == -1)
-      return;
-
-  // ... otherwise, finish
-  window.examiner.remove();
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-
-// save this for last so that our listeners are registered.
-// ... this loads the testbed of good and bad requests.
-
-document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
-document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/content/base/test/xcsp/test_subframe_run_js_if_allowed.html
+++ /dev/null
@@ -1,32 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=702439
-
-This test verifies that child iframes of CSP documents are
-permitted to execute javascript: URLs assuming the policy
-allows this.
--->
-<head>
-  <title>Test for Bug 702439</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<script class="testbody" type="text/javascript">
-var javascript_link_ran = false;
-
-// check that the script in the child frame's javascript: URL ran
-function checkResult()
-{
-  is(javascript_link_ran, true,
-     "javascript URL didn't execute");
-
-  SimpleTest.finish();
-}
-
-SimpleTest.waitForExplicitFinish();
-</script>
-<iframe id="i" src="file_subframe_run_js_if_allowed.html"></iframe>
-</body>
-</html>