Bug 1037335 - Add a pref to enable only within Nightly and Early Beta. r=ckerschb,smaug
authorChung-Sheng Fu <cfu@mozilla.com>
Wed, 29 Nov 2017 16:55:00 +0200
changeset 448676 3f2598dad67c2ed8c521ce68c8f383385a2a088f
parent 448675 fd99633486a59a1771e84214998043e1a3684945
child 448677 dab9aa2ed975046aba9507d1d68efc8f95d98496
push id1648
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 12:45:47 +0000
reviewersckerschb, smaug
bugs1037335
milestone59.0a1
Bug 1037335 - Add a pref to enable only within Nightly and Early Beta. r=ckerschb,smaug MozReview-Commit-ID: Bi82dHm53qX
dom/security/nsCSPContext.cpp
dom/security/nsCSPContext.h
dom/security/test/csp/test_security_policy_violation_event.html
dom/webidl/SecurityPolicyViolationEvent.webidl
modules/libpref/init/all.js
testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini
testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini
testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini
testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini
testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini
testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini
testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini
testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini
testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini
testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini
testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini
testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini
testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini
testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini
testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini
testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini
testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini
testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini
testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini
testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -268,28 +268,31 @@ NS_IMPL_CLASSINFO(nsCSPContext,
                   nsIClassInfo::MAIN_THREAD_ONLY,
                   NS_CSPCONTEXT_CID)
 
 NS_IMPL_ISUPPORTS_CI(nsCSPContext,
                      nsIContentSecurityPolicy,
                      nsISerializable)
 
 int32_t nsCSPContext::sScriptSampleMaxLength;
+bool nsCSPContext::sViolationEventsEnabled = false;
 
 nsCSPContext::nsCSPContext()
   : mInnerWindowID(0)
   , mLoadingContext(nullptr)
   , mLoadingPrincipal(nullptr)
   , mQueueUpMessages(true)
 {
   static bool sInitialized = false;
   if (!sInitialized) {
     Preferences::AddIntVarCache(&sScriptSampleMaxLength,
                                 "security.csp.reporting.script-sample.max-length",
                                 40);
+    Preferences::AddBoolVarCache(&sViolationEventsEnabled,
+                                 "security.csp.enable_violation_events");
     sInitialized = true;
   }
 
   CSPCONTEXTLOG(("nsCSPContext::nsCSPContext"));
 }
 
 nsCSPContext::~nsCSPContext()
 {
@@ -1132,16 +1135,20 @@ nsCSPContext::SendReports(
   }
   return NS_OK;
 }
 
 nsresult
 nsCSPContext::FireViolationEvent(
   const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit)
 {
+  if (!sViolationEventsEnabled) {
+    return NS_OK;
+  }
+
   nsCOMPtr<nsIDocument> doc = do_QueryReferent(mLoadingContext);
   if (!doc) {
     return NS_OK;
   }
 
   RefPtr<mozilla::dom::Event> event =
     mozilla::dom::SecurityPolicyViolationEvent::Constructor(
       doc,
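Review bot: The new early return at the top of `FireViolationEvent` has no comment, and it is one of two places that consult `security.csp.enable_violation_events`; the other is the `Pref=` annotation this commit adds to SecurityPolicyViolationEvent.webidl. A short comment above the check would keep the two in step when the pref is later flipped or removed, for example `// Keep in sync with Pref= on SecurityPolicyViolationEvent.webidl; with the pref off no event is dispatched.` The check gates only the DOM event. Whether the caller still builds `aViolationEventInit` when the pref is off is decided outside this hunk, and the function body continues past the last line shown.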
--- a/dom/security/nsCSPContext.h
+++ b/dom/security/nsCSPContext.h
@@ -139,16 +139,18 @@ class nsCSPContext : public nsIContentSe
 
     static int32_t sScriptSampleMaxLength;
 
     static uint32_t ScriptSampleMaxLength()
     {
       return std::max(sScriptSampleMaxLength, 0);
     }
 
+    static bool sViolationEventsEnabled;
+
     nsString                                   mReferrer;
     uint64_t                                   mInnerWindowID; // used for web console logging
     nsTArray<nsCSPPolicy*>                     mPolicies;
     nsCOMPtr<nsIURI>                           mSelfURI;
     nsDataHashtable<nsCStringHashKey, int16_t> mShouldLoadCache;
     nsCOMPtr<nsILoadGroup>                     mCallingChannelLoadGroup;
     nsWeakPtr                                  mLoadingContext;
     // The CSP hangs off the principal, so let's store a raw pointer of the principal
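Review bot: `sViolationEventsEnabled` is declared without a comment, so a reader of the header cannot tell which pref backs it or what it gates. I would add `// Cached value of "security.csp.enable_violation_events"; when false, FireViolationEvent() returns without dispatching.` above the declaration. The class body starts and ends outside this hunk, so the member's access level is not visible here.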
--- a/dom/security/test/csp/test_security_policy_violation_event.html
+++ b/dom/security/test/csp/test_security_policy_violation_event.html
@@ -1,14 +1,19 @@
 <!DOCTYPE html>
 <meta charset="utf-8">
 <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
 <script src="/tests/SimpleTest/SimpleTest.js"></script>
 <script>
 SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv({
+  set: [
+    ["security.csp.enable_violation_events", true]
+  ]
+});
 document.addEventListener("securitypolicyviolation", (e) => {
   SimpleTest.is(e.blockedURI, "http://mochi.test:8888/foo/bar.jpg", "blockedURI");
   SimpleTest.todo_is(e.violatedDirective, "img-src", "violatedDirective")
   SimpleTest.is(e.originalPolicy, "img-src 'none'", "originalPolicy");
   SimpleTest.finish();
 });
 </script>
 <img src="http://mochi.test:8888/foo/bar.jpg">
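Review bot: `SpecialPowers.pushPrefEnv` is asynchronous, but the test does not wait for it: the `<img>` at the end of the file is parsed and loaded whether or not the pref has been applied yet. On a build where `security.csp.enable_violation_events` defaults to false, the violation may be processed before the pref flips, in which case no event fires and the test times out instead of failing cleanly. Starting the blocked load from the promise returned by `pushPrefEnv`, and dropping the static `<img>`, removes the ordering dependency.

```html
SpecialPowers.pushPrefEnv({
  // … unchanged: set: [["security.csp.enable_violation_events", true]] …
}).then(() => {
  // Start the blocked load only after the pref change has been applied.
  const img = new Image();
  img.src = "http://mochi.test:8888/foo/bar.jpg";
});
// … unchanged: securitypolicyviolation listener …
```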
--- a/dom/webidl/SecurityPolicyViolationEvent.webidl
+++ b/dom/webidl/SecurityPolicyViolationEvent.webidl
@@ -2,17 +2,18 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 enum SecurityPolicyViolationEventDisposition
 {
   "enforce", "report"
 };
 
-[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
+[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict),
+ Pref="security.csp.enable_violation_events"]
 interface SecurityPolicyViolationEvent : Event
 {
     readonly attribute DOMString      documentURI;
     readonly attribute DOMString      referrer;
     readonly attribute DOMString      blockedURI;
     readonly attribute DOMString      violatedDirective;
     readonly attribute DOMString      effectiveDirective;
     readonly attribute DOMString      originalPolicy;
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2527,16 +2527,21 @@ pref("security.directory",              
 pref("signed.applets.codebase_principal_support", false);
 // security-sensitive dialogs should delay button enabling. In milliseconds.
 pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);
 
 pref("security.csp.enable", true);
 pref("security.csp.experimentalEnabled", false);
 pref("security.csp.enableStrictDynamic", true);
+#ifdef EARLY_BETA_OR_EARLIER
+pref("security.csp.enable_violation_events", true);
+#else
+pref("security.csp.enable_violation_events", false);
+#endif
 
 // Default Content Security Policy to apply to signed contents.
 pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'");
 
 // Mixed content blocking
 pref("security.mixed_content.block_active_content", false);
 pref("security.mixed_content.block_display_content", false);
 
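Review bot: The pref is added without a comment, and its default differs by release channel, which is easy to miss when reading the file. Above the `#ifdef EARLY_BETA_OR_EARLIER` block I would add `// Dispatch SecurityPolicyViolationEvent on CSP violations (bug 1037335). Off on late Beta and Release for now.` Pages that listen for `securitypolicyviolation` will see no event on those channels, so this is worth stating next to the default.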
--- a/testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini
@@ -1,4 +1,5 @@
 [base-uri_iframe_sandbox.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   expected: ERROR
 
--- a/testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
@@ -1,4 +1,5 @@
 [report-uri-does-not-respect-base-uri.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [child-src-worker-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should throw a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini
@@ -1,10 +1,11 @@
 [connect-src-xmlhttprequest-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [XHR should fire onerror.]
     expected: TIMEOUT
 
   [XHR should fire onerror after a redirect.]
     expected: FAIL
 
   [Expecting logs: ["Pass","violated-directive=connect-src"\]]
     expected: FAIL
--- a/testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [font-stylesheet-font-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Test font does not load if it does not match font-src.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini
@@ -1,8 +1,9 @@
 [generic-0_1-img-src.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Violation report status OK.]
     expected: FAIL
 
   [Should fire violation events for every failed violation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini
@@ -1,8 +1,9 @@
 [generic-0_1-script-src.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Violation report status OK.]
     expected: FAIL
 
   [Should fire violation events for every failed violation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini
@@ -1,4 +1,5 @@
 [generic-0_10_1.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini
@@ -1,4 +1,5 @@
 [generic-0_2_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini
@@ -1,4 +1,5 @@
 [generic-0_2_3.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini
@@ -1,4 +1,5 @@
 [generic-0_8_1.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-7_1_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-7_2_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-7_3_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-blocked.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini
+++ b/testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini
@@ -1,11 +1,12 @@
 [to-javascript-url-script-src.html]
   type: testharness
   expected: TIMEOUT
+  prefs: [security.csp.enable_violation_events:true]
   [<iframe src='javascript:'> blocked without 'unsafe-inline'.]
     expected: TIMEOUT
 
   [<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.]
     expected: TIMEOUT
 
   [<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document]
     expected: TIMEOUT
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
@@ -1,7 +1,8 @@
 [reporting-api-report-only-sends-reports-on-violation.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
   [Violation report status OK.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
@@ -1,4 +1,5 @@
 [reporting-api-report-to-overrides-report-uri-1.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
@@ -1,4 +1,5 @@
 [reporting-api-report-to-overrides-report-uri-2.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini
@@ -1,7 +1,8 @@
 [reporting-api-sends-reports-on-violation.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
   [Violation report status OK.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-idl.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [SecurityPolicyViolationEvent IDL Tests]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
@@ -1,5 +1,6 @@
 [javascript-window-open-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Check that a securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini
@@ -1,4 +1,5 @@
 [script-src-1_1.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should not fire policy violation events]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini
@@ -1,4 +1,5 @@
 [script-src-1_10.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini
@@ -1,7 +1,8 @@
 [script-src-1_2.html]
   type: testharness
   disabled:
     if os == "win": bug 1172411
+  prefs: [security.csp.enable_violation_events:true]
   [Should not fire policy violation events]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
@@ -1,7 +1,8 @@
 [script-src-1_2_1.html]
   type: testharness
   disabled:
     if os == "win": bug 1094323
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini
@@ -1,8 +1,9 @@
 [script-src-1_4.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [eval() should throw without 'unsafe-eval' keyword source in script-src directive.]
     expected: FAIL
 
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini
@@ -1,7 +1,8 @@
 [script-src-1_4_1.html]
   type: testharness
   disabled:
     if os == "win": bug 1094323
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
@@ -1,8 +1,9 @@
 [script-src-1_4_2.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Unsafe eval ran in Function() constructor.]
     expected: FAIL
 
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini
@@ -1,8 +1,9 @@
 [script-src-report-only-policy-works-with-external-hash-policy.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [External script in a script tag with matching SRI hash should run.]
     expected: FAIL
 
   [Should fire securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
@@ -1,5 +1,6 @@
 [script-src-report-only-policy-works-with-hash-policy.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the securitypolicyviolation event is fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_discard_whitelist.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_double_policy_different_nonce.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini
@@ -1,4 +1,5 @@
 [script-src-strict_dynamic_double_policy_report_only.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src \'none\'` policy.]
     expected: FAIL
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini
@@ -1,4 +1,5 @@
 [script-src-strict_dynamic_hashes.html]
   type: testharness
   expected: ERROR
+  prefs: [security.csp.enable_violation_events:true]
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_javascript_uri.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [All the expected CSP violation reports have been fired.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
@@ -1,11 +1,12 @@
 [script-src-strict_dynamic_parser_inserted.html]
   type: testharness
   expected: TIMEOUT
+  prefs: [security.csp.enable_violation_events:true]
   [Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
     expected: FAIL
 
   [Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
     expected: FAIL
 
   [Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
     expected: FAIL
--- a/testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
@@ -1,4 +1,5 @@
 [scripthash-unicode-normalization.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire securitypolicyviolation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
@@ -1,4 +1,5 @@
 [scriptnonce-and-scripthash.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
@@ -1,4 +1,5 @@
 [scriptnonce-ignore-unsafeinline.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"\]]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
@@ -1,5 +1,6 @@
 [blockeduri-inline.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Inline violations have a blockedURI of 'inline']
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini
@@ -1,3 +1,4 @@
 [idl.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini
@@ -1,3 +1,4 @@
 [img-src-redirect-upgrade-reporting.https.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-cross-origin-image-from-script.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected cross-origin URLs are not stripped.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-cross-origin-image.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected cross-origin URLs are not stripped.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-image-from-script.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected cross-origin URLs are not stripped.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-image.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected same-origin URLs are not stripped.]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
@@ -1,11 +1,11 @@
 [targeting.html]
   type: testharness
-  prefs: [dom.webcomponents.enabled:true]
+  prefs: [dom.webcomponents.enabled:true, security.csp.enable_violation_events:true]
   expected: TIMEOUT
   [These tests should not fail.]
     expected: NOTRUN
 
   [Inline violations target the right element.]
     expected: FAIL
 
   [Correct targeting inside shadow tree (inline handler).]
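Review bot: `security.csp.enable_violation_events:true` is appended by hand to this file's existing `prefs` list, and the same pref is repeated as a separate `prefs:` line in every other metadata file in this part of the commit. A single directory-level `__dir__.ini` under `testing/web-platform/meta/content-security-policy/` containing `prefs: [security.csp.enable_violation_events:true]` would also cover CSP tests imported later, which otherwise run with the pref off and give no coverage of violation events. Whether a per-file list such as this one merges with or overrides a directory-level value should be confirmed before relying on it. The hunk ends inside the file's subtest list, so the remaining expectations are not visible here.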
--- a/testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
@@ -1,4 +1,5 @@
 [inline-style-allowed-while-cloning-objects.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that violation report event was fired]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-hash-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-injected-inline-style-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [style-src-injected-stylesheet-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-inline-style-attribute-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-inline-style-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini
@@ -1,9 +1,10 @@
 [style-src-inline-style-nonce-blocked-error-event.html]
   type: testharness
   expected: TIMEOUT
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
   [Test that paragraph remains unmodified and error events received.]
     expected: NOTRUN
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-inline-style-nonce-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-none-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-stylesheet-nonce-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [stylehash-basic-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src"\]]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini
@@ -1,4 +1,5 @@
 [stylenonce-allowed.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire securitypolicyviolation]
     expected: FAIL
--- a/testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini
@@ -1,4 +1,5 @@
 [stylenonce-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire securitypolicyviolation]
     expected: FAIL
--- a/testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini
@@ -1,5 +1,6 @@
 [object-in-svg-foreignobject.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should throw a securitypolicyviolation]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini
@@ -1,4 +1,5 @@
 [svg-inline.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation event]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini
+++ b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini
@@ -1,4 +1,5 @@
 [script_event_handlers_allowed.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the inline event handler is allowed to run]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini
+++ b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini
@@ -1,4 +1,5 @@
 [script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the inline event handler is not allowed to run]
     expected: FAIL
 
--- a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini
+++ b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini
@@ -1,4 +1,5 @@
 [script_event_handlers_denied_not_matching_hash.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the inline event handler is not allowed to run]
     expected: FAIL