Backed out 4 changesets (bug 671389) for frequent B2G debug test_tcpsocket_client_and_server_basics.html crashes.
authorRyan VanderMeulen <ryanvm@gmail.com>
Thu, 05 Feb 2015 16:48:18 -0500
changeset 256534 8d8a696af76a5fd8732b9349c967f5452313474b
parent 256533 5a065c4d610eda345b5b539b1b0e6cbf1aa90c64
child 256535 7c5f187b65bf09371de60cb4423ba76b306ba225
child 256555 cadacf4bc878b1481966b0c0b66a622a7dcd831d
push id721
push userjlund@mozilla.com
push dateTue, 21 Apr 2015 23:03:33 +0000
bugs671389
milestone38.0a1
backs outb782435e5640be2a6a9e044bf4de030fbe6122d2
0f8d62109bfe3f23ad546ed491f41d3738915983
8d6021f66c491f8ac0de45ed27344ad32cf49bd4
cd3e227df9dc718c1bb96f0f339c25e13895a6a5
Backed out 4 changesets (bug 671389) for frequent B2G debug test_tcpsocket_client_and_server_basics.html crashes. Backed out changeset b782435e5640 (bug 671389) Backed out changeset 0f8d62109bfe (bug 671389) Backed out changeset 8d6021f66c49 (bug 671389) Backed out changeset cd3e227df9dc (bug 671389)
dom/base/nsContentUtils.cpp
dom/base/nsContentUtils.h
dom/base/nsDocument.cpp
dom/base/nsIDocument.h
dom/base/nsSandboxFlags.h
dom/base/test/csp/file_bug886164.html
dom/base/test/csp/file_bug886164.html^headers^
dom/base/test/csp/file_bug886164_2.html
dom/base/test/csp/file_bug886164_2.html^headers^
dom/base/test/csp/file_bug886164_3.html
dom/base/test/csp/file_bug886164_3.html^headers^
dom/base/test/csp/file_bug886164_4.html
dom/base/test/csp/file_bug886164_4.html^headers^
dom/base/test/csp/file_bug886164_5.html
dom/base/test/csp/file_bug886164_5.html^headers^
dom/base/test/csp/file_bug886164_6.html
dom/base/test/csp/file_bug886164_6.html^headers^
dom/base/test/csp/file_csp_sandbox_1.html
dom/base/test/csp/file_csp_sandbox_10.html
dom/base/test/csp/file_csp_sandbox_11.html
dom/base/test/csp/file_csp_sandbox_12.html
dom/base/test/csp/file_csp_sandbox_2.html
dom/base/test/csp/file_csp_sandbox_3.html
dom/base/test/csp/file_csp_sandbox_4.html
dom/base/test/csp/file_csp_sandbox_5.html
dom/base/test/csp/file_csp_sandbox_6.html
dom/base/test/csp/file_csp_sandbox_7.html
dom/base/test/csp/file_csp_sandbox_8.html
dom/base/test/csp/file_csp_sandbox_9.html
dom/base/test/csp/file_csp_sandbox_fail.js
dom/base/test/csp/file_csp_sandbox_pass.js
dom/base/test/csp/file_csp_testserver.sjs
dom/base/test/csp/file_iframe_sandbox_csp_document_write.html
dom/base/test/csp/mochitest.ini
dom/base/test/csp/test_csp_sandbox.html
dom/base/test/csp/test_iframe_sandbox_csp.html
dom/base/test/csp/test_iframe_sandbox_csp_top_1.html
dom/base/test/csp/test_iframe_sandbox_csp_top_1.html^headers^
dom/html/test/file_iframe_sandbox_c_if9.html
dom/html/test/mochitest.ini
dom/html/test/test_iframe_sandbox_general.html
dom/interfaces/security/nsIContentSecurityPolicy.idl
dom/locales/en-US/chrome/security/csp.properties
dom/security/nsCSPContext.cpp
dom/security/nsCSPParser.cpp
dom/security/nsCSPParser.h
dom/security/nsCSPUtils.cpp
dom/security/nsCSPUtils.h
dom/webidl/Document.webidl
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -1236,123 +1236,54 @@ nsContentUtils::GetParserService()
     if (NS_FAILED(rv)) {
       sParserService = nullptr;
     }
   }
 
   return sParserService;
 }
 
-static nsIAtom** sSandboxFlagAttrs[] = {
-  &nsGkAtoms::allowsameorigin,     // SANDBOXED_ORIGIN
-  &nsGkAtoms::allowforms,          // SANDBOXED_FORMS
-  &nsGkAtoms::allowscripts,        // SANDBOXED_SCRIPTS | SANDBOXED_AUTOMATIC_FEATURES
-  &nsGkAtoms::allowtopnavigation,  // SANDBOXED_TOPLEVEL_NAVIGATION
-  &nsGkAtoms::allowpointerlock,    // SANDBOXED_POINTER_LOCK
-  &nsGkAtoms::allowpopups          // SANDBOXED_AUXILIARY_NAVIGATION
-};
-
-static const uint32_t sSandboxFlagValues[] = {
-  SANDBOXED_ORIGIN,                                 // allow-same-origin
-  SANDBOXED_FORMS,                                  // allow-forms
-  SANDBOXED_SCRIPTS | SANDBOXED_AUTOMATIC_FEATURES, // allow-scripts
-  SANDBOXED_TOPLEVEL_NAVIGATION,                    // allow-top-navigation
-  SANDBOXED_POINTER_LOCK,                           // allow-pointer-lock
-  SANDBOXED_AUXILIARY_NAVIGATION                    // allow-popups
-};
-
 /**
  * A helper function that parses a sandbox attribute (of an <iframe> or
  * a CSP directive) and converts it to the set of flags used internally.
  *
- * @param aSandboxAttr  the sandbox attribute
- * @return              the set of flags (SANDBOXED_NONE if aSandboxAttr is null)
+ * @param sandboxAttr   the sandbox attribute
+ * @return              the set of flags (0 if sandboxAttr is null)
  */
 uint32_t
-nsContentUtils::ParseSandboxAttributeToFlags(const nsAttrValue* aSandboxAttr)
+nsContentUtils::ParseSandboxAttributeToFlags(const nsAttrValue* sandboxAttr)
 {
   // No sandbox attribute, no sandbox flags.
-  if (!aSandboxAttr) { return SANDBOXED_NONE; }
+  if (!sandboxAttr) { return 0; }
 
   //  Start off by setting all the restriction flags.
   uint32_t out = SANDBOXED_NAVIGATION
                | SANDBOXED_AUXILIARY_NAVIGATION
                | SANDBOXED_TOPLEVEL_NAVIGATION
                | SANDBOXED_PLUGINS
                | SANDBOXED_ORIGIN
                | SANDBOXED_FORMS
                | SANDBOXED_SCRIPTS
                | SANDBOXED_AUTOMATIC_FEATURES
                | SANDBOXED_POINTER_LOCK
                | SANDBOXED_DOMAIN;
 
-  MOZ_ASSERT(ArrayLength(sSandboxFlagAttrs) == ArrayLength(sSandboxFlagValues),
-             "Lengths of SandboxFlagAttrs and SandboxFlagvalues do not match");
-
-  // For each flag: if it's in the attribute, update the (out) flag
-  for (uint32_t i = 0; i <  ArrayLength(sSandboxFlagAttrs); i++) {
-    if (aSandboxAttr->Contains(*sSandboxFlagAttrs[i], eIgnoreCase)) {
-        out &= ~(sSandboxFlagValues[i]);
-    }
-  }
+// Macro for updating the flag according to the keywords
+#define IF_KEYWORD(atom, flags) \
+  if (sandboxAttr->Contains(nsGkAtoms::atom, eIgnoreCase)) { out &= ~(flags); }
+
+  IF_KEYWORD(allowsameorigin, SANDBOXED_ORIGIN)
+  IF_KEYWORD(allowforms,  SANDBOXED_FORMS)
+  IF_KEYWORD(allowscripts, SANDBOXED_SCRIPTS | SANDBOXED_AUTOMATIC_FEATURES)
+  IF_KEYWORD(allowtopnavigation, SANDBOXED_TOPLEVEL_NAVIGATION)
+  IF_KEYWORD(allowpointerlock, SANDBOXED_POINTER_LOCK)
+  IF_KEYWORD(allowpopups, SANDBOXED_AUXILIARY_NAVIGATION)
 
   return out;
-}
-
-/**
- * A helper function that checks if a string matches (case-insensitive) a valid
- * sandbox flag.
- *
- * @param aFlag  the potential sandbox flag
- * @return       true if the flag is a sandbox flag
- */
-bool
-nsContentUtils::IsValidSandboxFlag(const nsAString& aFlag)
-{
-  for (uint32_t i = 0; i < ArrayLength(sSandboxFlagAttrs); i++) {
-    if (EqualsIgnoreASCIICase(nsDependentAtomString(*sSandboxFlagAttrs[i]), aFlag)) {
-      return true;
-    }
-  }
-  return false;
-}
-
-/**
- * A helper function that returns a string attribute corresponding to the
- * sandbox flags.
- *
- * @param aFlags  the sandbox flags
- * @param aString the attribute corresponding to the flags (null if flags is 0)
- */
-void
-nsContentUtils::SandboxFlagsToString(uint32_t aFlags, nsAString& aString)
-{
-  if (!aFlags) {
-    SetDOMStringToNull(aString);
-    return;
-  }
-
-  aString.Truncate();
-
-// Macro for updating the string according to set flags
-#define IF_FLAG(flag, atom)                                 \
-  if (!(aFlags & flag)) {                                   \
-    if (!aString.IsEmpty()) {                               \
-      aString.Append(NS_LITERAL_STRING(" "));               \
-    }                                                       \
-    aString.Append(nsDependentAtomString(nsGkAtoms::atom)); \
-  }
-
-  IF_FLAG(SANDBOXED_ORIGIN, allowsameorigin)
-  IF_FLAG(SANDBOXED_FORMS, allowforms)
-  IF_FLAG(SANDBOXED_SCRIPTS, allowscripts)
-  IF_FLAG(SANDBOXED_TOPLEVEL_NAVIGATION, allowtopnavigation)
-  IF_FLAG(SANDBOXED_POINTER_LOCK, allowpointerlock)
-  IF_FLAG(SANDBOXED_AUXILIARY_NAVIGATION, allowpopups)
-#undef IF_FLAG
+#undef IF_KEYWORD
 }
 
 nsIBidiKeyboard*
 nsContentUtils::GetBidiKeyboard()
 {
   if (!sBidiKeyboard) {
     nsresult rv = CallGetService("@mozilla.org/widget/bidikeyboard;1", &sBidiKeyboard);
     if (NS_FAILED(rv)) {
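Review bot: The restored `IF_KEYWORD` macro in ParseSandboxAttributeToFlags expands to a bare `if (...) { ... }`, so an `else` written after any invocation would silently attach to the macro's hidden `if`. Wrapping the body as `do { if (sandboxAttr->Contains(nsGkAtoms::atom, eIgnoreCase)) { out &= ~(flags); } } while (0)` and ending each call with `;` makes it behave like an ordinary statement. The function is also worth a comment on its fail-closed behaviour, for example `// Unrecognised tokens are ignored, so a misspelled keyword leaves its restriction set.`, since `out` starts with every restriction and is only cleared on an exact keyword match. The parameter name `sandboxAttr` drops the `a` prefix that the neighbouring declarations use (`aFile`, `aKey`); the same applies to the declaration in nsContentUtils.h.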
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -827,38 +827,21 @@ public:
   static nsresult GetLocalizedString(PropertiesFile aFile,
                                      const char* aKey,
                                      nsXPIDLString& aResult);
 
   /**
    * A helper function that parses a sandbox attribute (of an <iframe> or
    * a CSP directive) and converts it to the set of flags used internally.
    *
-   * @param aSandboxAttr  the sandbox attribute
-   * @return              the set of flags (SANDBOXED_NONE if aSandboxAttr is null)
+   * @param sandboxAttr   the sandbox attribute
+   * @return              the set of flags (0 if sandboxAttr is null)
    */
-  static uint32_t ParseSandboxAttributeToFlags(const nsAttrValue* aSandboxAttr);
+  static uint32_t ParseSandboxAttributeToFlags(const nsAttrValue* sandboxAttr);
 
-  /**
-   * A helper function that checks if a string matches a valid sandbox
-   * flag.
-   *
-   * @param aFlag  the potential sandbox flag
-   * @return       true if the flag is a sandbox flag
-   */
-  static bool IsValidSandboxFlag(const nsAString& aFlag);
-
-  /**
-   * A helper function that returns a string attribute corresponding to the
-   * sandbox flags.
-   *
-   * @param aFlags  the sandbox flags
-   * @param aString the attribute corresponding to the flags (null if flags is 0)
-   */
-  static void SandboxFlagsToString(uint32_t aFlags, nsAString& aString);
 
   /**
    * Fill (with the parameters given) the localized string named |aKey| in
    * properties file |aFile|.
    */
 private:
   static nsresult FormatLocalizedString(PropertiesFile aFile,
                                         const char* aKey,
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -2859,17 +2859,17 @@ nsDocument::InitCSP(nsIChannel* aChannel
     httpChannel->GetResponseHeader(
         NS_LITERAL_CSTRING("content-security-policy-report-only"),
         tCspROHeaderValue);
   }
   NS_ConvertASCIItoUTF16 cspHeaderValue(tCspHeaderValue);
   NS_ConvertASCIItoUTF16 cspROHeaderValue(tCspROHeaderValue);
 
   // Figure out if we need to apply an app default CSP or a CSP from an app manifest
-  nsCOMPtr<nsIPrincipal> principal = NodePrincipal();
+  nsIPrincipal* principal = NodePrincipal();
 
   uint16_t appStatus = principal->GetAppStatus();
   bool applyAppDefaultCSP = false;
   bool applyAppManifestCSP = false;
 
   nsAutoString appManifestCSP;
   nsAutoString appDefaultCSP;
   if (appStatus != nsIPrincipal::APP_STATUS_NOT_INSTALLED) {
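Review bot: `nsIPrincipal* principal = NodePrincipal();` keeps a non-owning pointer for the rest of InitCSP, and it is dereferenced again much later at `principal->SetCsp(csp)` in the hunk at line 3031. If any call in between can replace or release the document's principal, that later use would be on a stale pointer. Holding it as `nsCOMPtr<nsIPrincipal> principal = NodePrincipal();` (with `principal.get()` in the PR_LOG call) costs one refcount and removes the question. InitCSP starts before this hunk and ends after it, so whether such a call exists cannot be confirmed from the lines shown.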
@@ -3031,40 +3031,21 @@ nsDocument::InitCSP(nsIChannel* aChannel
 #endif
     }
 
     // Referrer Policy is set separately for the speculative parser in
     // nsHTMLDocument::StartDocumentLoad() so there's nothing to do here for
     // speculative loads.
   }
 
-  // ----- Set sandbox flags according to CSP header
-  // The document may already have some sandbox flags set (e.g., if the
-  // document is an iframe with the sandbox attribute set).  If we have a CSP
-  // sandbox directive, intersect the CSP sandbox flags with the existing
-  // flags.  This corresponds to the _least_ permissive policy.
-  uint32_t cspSandboxFlags = SANDBOXED_NONE;
-  rv = csp->GetCSPSandboxFlags(&cspSandboxFlags);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  mSandboxFlags |= cspSandboxFlags;
-
-  if (cspSandboxFlags & SANDBOXED_ORIGIN) {
-    // If the new CSP sandbox flags do not have the allow-same-origin flag
-    // reset the document principal to a null principal
-    principal = do_CreateInstance("@mozilla.org/nullprincipal;1");
-    SetPrincipal(principal);
-  }
-
-
   rv = principal->SetCsp(csp);
   NS_ENSURE_SUCCESS(rv, rv);
 #ifdef PR_LOGGING
   PR_LOG(gCspPRLog, PR_LOG_DEBUG,
-         ("Inserted CSP into principal %p", principal.get()));
+         ("Inserted CSP into principal %p", principal));
 #endif
 
   return NS_OK;
 }
 
 void
 nsDocument::StopDocumentLoad()
 {
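Review bot: With the sandbox block removed, nothing visible in InitCSP feeds a CSP `sandbox` directive into `mSandboxFlags` or resets the principal, and the code gives a reader no hint of that. A page author who sends `Content-Security-Policy: sandbox` would presumably expect isolation that this path no longer provides. A comment above `rv = principal->SetCsp(csp);` would record the gap, for example `// The CSP 'sandbox' directive is not applied to mSandboxFlags here (bug 671389 backed out).`. InitCSP begins outside the hunk, and how the parser now treats the directive is in nsCSPParser.cpp, which is not shown here.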
@@ -3725,22 +3706,16 @@ nsDocument::AddCharSetObserver(nsIObserv
 
 void
 nsDocument::RemoveCharSetObserver(nsIObserver* aObserver)
 {
   mCharSetObservers.RemoveElement(aObserver);
 }
 
 void
-nsIDocument::GetSandboxFlagsAsString(nsAString& aFlags)
-{
-  nsContentUtils::SandboxFlagsToString(mSandboxFlags, aFlags);
-}
-
-void
 nsDocument::GetHeaderData(nsIAtom* aHeaderField, nsAString& aData) const
 {
   aData.Truncate();
   const nsDocHeaderData* data = mHeaderData;
   while (data) {
     if (data->mField == aHeaderField) {
       aData = data->mData;
 
--- a/dom/base/nsIDocument.h
+++ b/dom/base/nsIDocument.h
@@ -593,22 +593,16 @@ public:
    * Get the sandbox flags for this document.
    * @see nsSandboxFlags.h for the possible flags
    */
   uint32_t GetSandboxFlags() const
   {
     return mSandboxFlags;
   }
 
-   /**
-   * Get string representation of sandbox flags (null if no flags as
-   * set).
-   */
-  void GetSandboxFlagsAsString(nsAString& aFlags);
-
   /**
    * Set the sandbox flags for this document.
    * @see nsSandboxFlags.h for the possible flags
    */
   void SetSandboxFlags(uint32_t sandboxFlags)
   {
     mSandboxFlags = sandboxFlags;
   }
--- a/dom/base/nsSandboxFlags.h
+++ b/dom/base/nsSandboxFlags.h
@@ -7,21 +7,16 @@
  * Constant flags that describe how a document is sandboxed according to the
  * HTML5 spec.
  */
 
 #ifndef nsSandboxFlags_h___
 #define nsSandboxFlags_h___
 
 /**
- * This constant denotes the lack of a sandbox attribute/directive.
- */
-const unsigned long SANDBOXED_NONE  = 0x0;
-
-/**
  * This flag prevents content from navigating browsing contexts other than
  * itself, browsing contexts nested inside it, the top-level browsing context
  * and browsing contexts that it has opened.
  * As it is always on for sandboxed browsing contexts, it is used implicitly
  * within the code by checking that the overall flags are non-zero.
  * It is only uesd directly when the sandbox flags are initially set up.
  */
 const unsigned long SANDBOXED_NAVIGATION  = 0x1;
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164.html
@@ -0,0 +1,15 @@
+<html>
+<head> <meta charset="utf-8"> </head>
+  <body>
+    <!-- sandbox="allow-same-origin" -->
+    <!-- Content-Security-Policy: default-src 'self' -->
+
+    <!-- these should be stopped by CSP -->
+    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
+
+    <!-- these should load ok -->
+    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img_good&type=img/png" />
+    <script src='/tests/dom/base/test/csp/file_CSP.sjs?testid=scripta_bad&type=text/javascript'></script>
+
+  </body>
+</html>
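Review bot: The `<script src=... testid=scripta_bad ...>` element sits under the comment `<!-- these should load ok -->`, but its test id ends in `_bad` and the frame is documented as `sandbox="allow-same-origin"` with no `allow-scripts`. The comment and the expectation disagree, which makes it hard to tell which layer is meant to stop the script. A separate comment before the script would state the intent, for example `<!-- same-origin script: allowed by CSP, expected to be stopped by the sandbox (no allow-scripts) -->`, assuming that is what the driving test asserts.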
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'self'
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_2.html
@@ -0,0 +1,14 @@
+<html>
+<head> <meta charset="utf-8"> </head>
+  <body>
+    <!-- sandbox -->
+    <!-- Content-Security-Policy: default-src 'self' -->
+
+    <!-- these should be stopped by CSP -->
+    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img2_bad&type=img/png"> </img>
+
+    <!-- these should load ok -->
+    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img2a_good&type=img/png" />
+
+  </body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_2.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'self'
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_3.html
@@ -0,0 +1,12 @@
+<html>
+<head> <meta charset="utf-8"> </head>
+  <body>
+    <!-- sandbox -->
+    <!-- Content-Security-Policy: default-src 'none' -->
+
+    <!-- these should be stopped by CSP -->
+    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img3_bad&type=img/png"> </img>
+    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img3a_bad&type=img/png" />
+
+  </body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_3.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'none'
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_4.html
@@ -0,0 +1,12 @@
+<html>
+<head> <meta charset="utf-8"> </head>
+  <body>
+    <!-- sandbox -->
+    <!-- Content-Security-Policy: default-src 'none' -->
+
+    <!-- these should be stopped by CSP -->
+    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img4_bad&type=img/png"> </img>
+    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img4a_bad&type=img/png" />
+
+  </body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_4.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'none'
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_5.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head> <meta charset="utf-8"> </head>
+<script type="text/javascript">
+  function ok(result, desc) {
+    window.parent.postMessage({ok: result, desc: desc}, "*");
+  }
+
+  function doStuff() {
+    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
+  }
+</script>
+<script src='file_iframe_sandbox_pass.js'></script>
+<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
+  I am sandboxed but with only inline "allow-scripts"
+
+ <!-- sandbox="allow-scripts" -->
+ <!-- Content-Security-Policy: default-src 'none' 'unsafe-inline'-->
+
+ <!-- these should be stopped by CSP -->
+ <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img5_bad&type=img/png" />
+ <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img5a_bad&type=img/png"> </img>
+ <script src='/tests/dom/base/test/csp/file_CSP.sjs?testid=script5_bad&type=text/javascript'></script>
+ <script src='http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=script5a_bad&type=text/javascript'></script>
+</body>
+</html>
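Review bot: The policy documented in the comment `Content-Security-Policy: default-src 'none' 'unsafe-inline'`, and delivered by file_bug886164_5.html^headers^, mixes `'none'` with another source expression. Under the CSP grammar `'none'` only has its meaning when it is the sole expression in the list, so what this fixture actually tests depends on how the parser handles the combination rather than on a well-formed policy. Writing the header as `Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'` expresses the same intent unambiguously; the comment in this file should then be updated to match. The same file also loads `file_iframe_sandbox_pass.js` while listing every external script as "should be stopped by CSP", so a comment saying whether that load is expected to succeed would help.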
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_5.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'none' 'unsafe-inline';
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_6.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+<script type="text/javascript">
+  function ok(result, desc) {
+    window.parent.postMessage({ok: result, desc: desc}, "*");
+  }
+
+  function doStuff() {
+    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
+
+    document.getElementById('a_form').submit();
+
+    // trigger the javascript: url test
+    sendMouseEvent({type:'click'}, 'a_link');
+  }
+</script>
+<script src='file_iframe_sandbox_pass.js'></script>
+<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
+  I am sandboxed but with "allow-scripts"
+  <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img6_bad&type=img/png"> </img>
+  <script src='http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=script6_bad&type=text/javascript'></script>
+
+  <form method="get" action="file_iframe_sandbox_form_fail.html" id="a_form">
+    First name: <input type="text" name="firstname">
+    Last name: <input type="text" name="lastname">
+    <input type="submit" onclick="doSubmit()" id="a_button">
+  </form>
+
+  <a href = 'javascript:ok(true, "documents sandboxed with allow-scripts should be able to run script from javascript: URLs");' id='a_link'>click me</a>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/dom/base/test/csp/file_bug886164_6.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline';
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_1.html
+++ /dev/null
@@ -1,16 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- sandbox="allow-same-origin" -->
-    <!-- Content-Security-Policy: default-src 'self' -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img1_bad&type=img/png"> </img>
-
-    <!-- these should load ok -->
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img1a_good&type=img/png" />
-    <!-- should not execute script -->
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_10.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- Content-Security-Policy: default-src 'none'; sandbox -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img10_bad&type=img/png"> </img>
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img10a_bad&type=img/png" />
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_11.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head> <meta charset="utf-8"> </head>
-<script type="text/javascript">
-  function ok(result, desc) {
-    window.parent.postMessage({ok: result, desc: desc}, "*");
-  }
-
-  function doStuff() {
-    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
-  }
-</script>
-<script src='file_csp_sandbox_fail.js'></script>
-<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
-  I am sandboxed but with only inline "allow-scripts"
-
- <!-- Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; sandbox allow-scripts -->
-
- <!-- these should be stopped by CSP -->
- <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img11_bad&type=img/png" />
- <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img11a_bad&type=img/png"> </img>
- <script src='/tests/dom/base/test/csp/file_CSP.sjs?testid=script11_bad&type=text/javascript'></script>
- <script src='http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=script11a_bad&type=text/javascript'></script>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_12.html
+++ /dev/null
@@ -1,40 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
-</head>
-<script type="text/javascript">
-  function ok(result, desc) {
-    window.parent.postMessage({ok: result, desc: desc}, "*");
-  }
-
-  function doStuff() {
-    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
-
-    document.getElementById('a_form').submit();
-
-    // trigger the javascript: url test
-    sendMouseEvent({type:'click'}, 'a_link');
-  }
-</script>
-<script src='file_csp_sandbox_pass.js'></script>
-<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
-  I am sandboxed but with "allow-same-origin" and allow-scripts"
-
-
-  <!-- Content-Security-Policy: sandbox allow-same-origin allow-scripts; default-src 'self' 'unsafe-inline'; -->
-
-  <!-- these should be stopped by CSP -->
-  <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img12_bad&type=img/png"> </img>
-  <script src='http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=script12_bad&type=text/javascript'></script>
-
-  <form method="get" action="/tests/content/html/content/test/file_iframe_sandbox_form_fail.html" id="a_form">
-    First name: <input type="text" name="firstname">
-    Last name: <input type="text" name="lastname">
-    <input type="submit" onclick="doSubmit()" id="a_button">
-  </form>
-
-  <a href = 'javascript:ok(true, "documents sandboxed with allow-scripts should be able to run script from javascript: URLs");' id='a_link'>click me</a>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_2.html
+++ /dev/null
@@ -1,16 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- sandbox -->
-    <!-- Content-Security-Policy: default-src 'self' -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img2_bad&type=img/png"> </img>
-
-    <!-- these should load ok -->
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img2a_good&type=img/png" />
-    <!-- should not execute script -->
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_3.html
+++ /dev/null
@@ -1,13 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- sandbox="allow-same-origin" -->
-    <!-- Content-Security-Policy: default-src 'none' -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img3_bad&type=img/png"> </img>
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img3a_bad&type=img/png" />
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_4.html
+++ /dev/null
@@ -1,13 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- sandbox -->
-    <!-- Content-Security-Policy: default-src 'none' -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img4_bad&type=img/png"> </img>
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img4a_bad&type=img/png" />
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_5.html
+++ /dev/null
@@ -1,26 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head> <meta charset="utf-8"> </head>
-<script type="text/javascript">
-  function ok(result, desc) {
-    window.parent.postMessage({ok: result, desc: desc}, "*");
-  }
-
-  function doStuff() {
-    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
-  }
-</script>
-<script src='file_csp_sandbox_fail.js'></script>
-<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
-  I am sandboxed but with only inline "allow-scripts"
-
- <!-- sandbox="allow-scripts" -->
- <!-- Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' -->
-
- <!-- these should be stopped by CSP -->
- <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img5_bad&type=img/png" />
- <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img5a_bad&type=img/png"> </img>
- <script src='/tests/dom/base/test/csp/file_CSP.sjs?testid=script5_bad&type=text/javascript'></script>
- <script src='http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=script5a_bad&type=text/javascript'></script>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_6.html
+++ /dev/null
@@ -1,35 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
-</head>
-<script type="text/javascript">
-  function ok(result, desc) {
-    window.parent.postMessage({ok: result, desc: desc}, "*");
-  }
-
-  function doStuff() {
-    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
-
-    document.getElementById('a_form').submit();
-
-    // trigger the javascript: url test
-    sendMouseEvent({type:'click'}, 'a_link');
-  }
-</script>
-<script src='file_csp_sandbox_pass.js'></script>
-<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
-  I am sandboxed but with "allow-same-origin" and allow-scripts"
-  <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img6_bad&type=img/png"> </img>
-  <script src='http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=script6_bad&type=text/javascript'></script>
-
-  <form method="get" action="/tests/content/html/content/test/file_iframe_sandbox_form_fail.html" id="a_form">
-    First name: <input type="text" name="firstname">
-    Last name: <input type="text" name="lastname">
-    <input type="submit" onclick="doSubmit()" id="a_button">
-  </form>
-
-  <a href = 'javascript:ok(true, "documents sandboxed with allow-scripts should be able to run script from javascript: URLs");' id='a_link'>click me</a>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_7.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- Content-Security-Policy: default-src 'self'; sandbox allow-same-origin -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img7_bad&type=img/png"> </img>
-
-    <!-- these should load ok -->
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img7a_good&type=img/png" />
-    <!-- should not execute script -->
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_8.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- Content-Security-Policy: sandbox; default-src 'self' -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img8_bad&type=img/png"> </img>
-
-    <!-- these should load ok -->
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img8a_good&type=img/png" />
-    <!-- should not execute script -->
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_9.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-<head> <meta charset="utf-8"> </head>
-  <body>
-    <!-- Content-Security-Policy: default-src 'none'; sandbox allow-same-origin -->
-
-    <!-- these should be stopped by CSP -->
-    <img src="http://example.org/tests/dom/base/test/csp/file_CSP.sjs?testid=img9_bad&type=img/png"> </img>
-    <img src="/tests/dom/base/test/csp/file_CSP.sjs?testid=img9a_bad&type=img/png" />
-
-    <script src='/tests/dom/base/test/csp/file_csp_sandbox_fail.js'></script>
-  </body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_fail.js
+++ /dev/null
@@ -1,4 +0,0 @@
-function ok(result, desc) {
-  window.parent.postMessage({ok: result, desc: desc}, "*");
-}
-ok(false, "documents sandboxed with allow-scripts should NOT be able to run <script src=...>");
deleted file mode 100644
--- a/dom/base/test/csp/file_csp_sandbox_pass.js
+++ /dev/null
@@ -1,4 +0,0 @@
-function ok(result, desc) {
-  window.parent.postMessage({ok: result, desc: desc}, "*");
-}
-ok(true, "documents sandboxed with allow-scripts should be able to run <script src=...>");
--- a/dom/base/test/csp/file_csp_testserver.sjs
+++ b/dom/base/test/csp/file_csp_testserver.sjs
@@ -25,30 +25,21 @@ function loadHTMLFromFile(path) {
 function handleRequest(request, response)
 {
   var query = {};
   request.queryString.split('&').forEach(function (val) {
     var [name, value] = val.split('=');
     query[name] = unescape(value);
   });
 
+  var csp = unescape(query['csp']);
+  var file = unescape(query['file']);
+
   // avoid confusing cache behaviors
   response.setHeader("Cache-Control", "no-cache", false);
 
-  if (query['csp']) {
-    var csp = unescape(query['csp']);
-    // Deliver the CSP policy encoded in the URI
-    response.setHeader("Content-Security-Policy", csp, false);
-  }
+  // Deliver the CSP policy encoded in the URI
+  response.setHeader("Content-Security-Policy", csp, false);
 
-  if (query['cspRO']) {
-    var cspRO = unescape(query['cspRO']);
-    // Deliver the CSP report-only policy encoded in the URI
-    response.setHeader("Content-Security-Policy-Report-Only", cspRO, false);
-  }
-
-  if (query['file']) {
-    var file = unescape(query['file']);
-    // Send HTML to test allowed/blocked behaviors
-    response.setHeader("Content-Type", "text/html", false);
-    response.write(loadHTMLFromFile(file));
-  }
+  // Send HTML to test allowed/blocked behaviors
+  response.setHeader("Content-Type", "text/html", false);
+  response.write(loadHTMLFromFile(file));
 }
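Review bot: With the `if (query['csp'])` and `if (query['file'])` guards gone, handleRequest (fully visible in this hunk) reads both parameters unconditionally, so a request that omits either one gets `unescape(undefined)`, i.e. the string "undefined", sent as the Content-Security-Policy value or handed to loadHTMLFromFile. Both values were already decoded once in the forEach above (`query[name] = unescape(value)`), so the two added `unescape` calls decode a second time and would alter a policy or path that contains a literal `%xx` sequence. Dropping only the `cspRO` branch and keeping the other two guards on the already-decoded values avoids both, e.g. `if (query['csp']) response.setHeader("Content-Security-Policy", query['csp'], false);` and the same shape for `file`. Separately, `file` goes straight from the query string into loadHTMLFromFile, whose body is outside this hunk; a one-line comment saying that this handler is test-server-only and does not validate the path would help the next reader.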
deleted file mode 100644
--- a/dom/base/test/csp/file_iframe_sandbox_csp_document_write.html
+++ /dev/null
@@ -1,21 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head> <meta charset="utf-8"> </head>
-<script type="text/javascript">
-  function ok(result, desc) {
-    window.parent.postMessage({ok: result, desc: desc}, "*");
-  }
-  function doStuff() {
-    var beforePrincipal = SpecialPowers.wrap(document).nodePrincipal;
-    document.open();
-    document.write("rewritten sandboxed document");
-    document.close();
-    var afterPrincipal = SpecialPowers.wrap(document).nodePrincipal;
-    ok(beforePrincipal.equals(afterPrincipal),
-       "document.write() does not change underlying principal");
-  }
-</script>
-<body onLoad='doStuff();'>
-  sandboxed with allow-scripts
-</body>
-</html>
--- a/dom/base/test/csp/mochitest.ini
+++ b/dom/base/test/csp/mochitest.ini
@@ -40,30 +40,28 @@ support-files =
   file_csp_invalid_source_expression.html
   file_CSP_main.html
   file_CSP_main.html^headers^
   file_CSP_main.js
   file_bug836922_npolicies.html
   file_bug836922_npolicies.html^headers^
   file_bug836922_npolicies_ro_violation.sjs
   file_bug836922_npolicies_violation.sjs
-  file_csp_sandbox_pass.js
-  file_csp_sandbox_fail.js
-  file_csp_sandbox_1.html
-  file_csp_sandbox_2.html
-  file_csp_sandbox_3.html
-  file_csp_sandbox_4.html
-  file_csp_sandbox_5.html
-  file_csp_sandbox_6.html
-  file_csp_sandbox_7.html
-  file_csp_sandbox_8.html
-  file_csp_sandbox_9.html
-  file_csp_sandbox_10.html
-  file_csp_sandbox_11.html
-  file_csp_sandbox_12.html
+  file_bug886164.html
+  file_bug886164.html^headers^
+  file_bug886164_2.html
+  file_bug886164_2.html^headers^
+  file_bug886164_3.html
+  file_bug886164_3.html^headers^
+  file_bug886164_4.html
+  file_bug886164_4.html^headers^
+  file_bug886164_5.html
+  file_bug886164_5.html^headers^
+  file_bug886164_6.html
+  file_bug886164_6.html^headers^
   file_csp_bug768029.html
   file_csp_bug768029.sjs
   file_csp_bug773891.html
   file_csp_bug773891.sjs
   file_csp_redirects_main.html
   file_csp_redirects_page.sjs
   file_csp_redirects_resource.sjs
   file_CSP_bug910139.sjs
@@ -102,18 +100,16 @@ support-files =
   file_multi_policy_injection_bypass.html^headers^
   file_multi_policy_injection_bypass_2.html
   file_multi_policy_injection_bypass_2.html^headers^
   file_form-action.html
   file_worker_redirect.html
   file_worker_redirect.sjs
   file_csp_referrerdirective.html
   referrerdirective.sjs
-  test_iframe_sandbox_csp_top_1.html^headers^
-  file_iframe_sandbox_csp_document_write.html
 
 [test_base-uri.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_csp_allow_https_schemes.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_CSP_bug663567.html]
 [test_CSP_bug802872.html]
@@ -121,26 +117,24 @@ skip-if = buildapp == 'b2g' #no ssl supp
 [test_CSP_bug888172.html]
 [test_CSP_evalscript.html]
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
 [test_csp_invalid_source_expression.html]
 [test_bug836922_npolicies.html]
-[test_csp_sandbox.html]
+[test_bug886164.html]
 [test_csp_redirects.html]
 [test_CSP_bug910139.html]
 [test_CSP_bug909029.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_form-action.html]
-[test_iframe_sandbox_csp.html]
-[test_iframe_sandbox_csp_top_1.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observers are not available in child processes
 [test_hash_source.html]
 skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
 [test_self_none_as_hostname_confusion.html]
 [test_bug949549.html]
 [test_csp_path_matching.html]
 [test_csp_path_matching_redirect.html]
 [test_report_uri_missing_in_report_only_header.html]
deleted file mode 100644
--- a/dom/base/test/csp/test_csp_sandbox.html
+++ /dev/null
@@ -1,240 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Tests for bugs 886164 and 671389</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content">
-</div>
-
-<script class="testbody" type="text/javascript">
-
-var testCases = [
-  {
-    // Test 1: don't load image from non-same-origin; allow loading
-    // images from same-same origin
-    sandboxAttribute: "allow-same-origin",
-    csp: "default-src 'self'",
-    file: "file_csp_sandbox_1.html",
-    results: { img1a_good: -1, img1_bad: -1 }
-    // fails if scripts execute
-  },
-  {
-    // Test 2: don't load image from non-same-origin; allow loading
-    // images from same-same origin, even without allow-same-origin
-    // flag
-    sandboxAttribute: "",
-    csp: "default-src 'self'",
-    file: "file_csp_sandbox_2.html",
-    results: { img2_bad: -1, img2a_good: -1 }
-    // fails if scripts execute
-  },
-  {
-    // Test 3: disallow loading images from any host, even with
-    // allow-same-origin flag set
-    sandboxAttribute: "allow-same-origin",
-    csp: "default-src 'none'",
-    file: "file_csp_sandbox_3.html",
-    results: { img3_bad: -1, img3a_bad: -1 },
-    // fails if scripts execute
-  },
-  {
-    // Test 4: disallow loading images from any host
-    sandboxAttribute: "",
-    csp: "default-src 'none'",
-    file: "file_csp_sandbox_4.html",
-    results: { img4_bad: -1, img4a_bad: -1 }
-    // fails if scripts execute
-  },
-  {
-    // Test 5: disallow loading images or scripts, allow inline scripts
-    sandboxAttribute: "allow-scripts",
-    csp: "default-src 'none'; script-src 'unsafe-inline';",
-    file: "file_csp_sandbox_5.html",
-    results: { img5_bad: -1, img5a_bad: -1, script5_bad: -1, script5a_bad: -1 },
-    nrOKmessages: 2 // sends 2 ok message
-    // fails if scripts execute
-  },
-  {
-    // Test 6: disallow non-same-origin images, allow inline and same origin scripts
-    sandboxAttribute: "allow-same-origin allow-scripts",
-    csp: "default-src 'self' 'unsafe-inline';",
-    file: "file_csp_sandbox_6.html",
-    results: { img6_bad: -1, script6_bad: -1 },
-    nrOKmessages: 4 // sends 4 ok message
-    // fails if forms are not disallowed
-  },
-  {
-    // Test 7: same as Test 1
-    csp: "default-src 'self'; sandbox allow-same-origin",
-    file: "file_csp_sandbox_7.html",
-    results: { img7a_good: -1, img7_bad: -1 }
-  },
-  {
-    // Test 8: same as Test 2
-    csp: "sandbox; default-src 'self'",
-    file: "file_csp_sandbox_8.html",
-    results: { img8_bad: -1, img8a_good: -1 }
-  },
-  {
-    // Test 9: same as Test 3
-    csp: "default-src 'none'; sandbox allow-same-origin",
-    file: "file_csp_sandbox_9.html",
-    results: { img9_bad: -1, img9a_bad: -1 }
-  },
-  {
-    // Test 10: same as Test 4
-    csp: "default-src 'none'; sandbox",
-    file: "file_csp_sandbox_10.html",
-    results: { img10_bad: -1, img10a_bad: -1 }
-  },
-  {
-    // Test 11: same as Test 5
-    csp: "default-src 'none'; script-src 'unsafe-inline'; sandbox allow-scripts",
-    file: "file_csp_sandbox_11.html",
-    results: { img11_bad: -1, img11a_bad: -1, script11_bad: -1, script11a_bad: -1 },
-    nrOKmessages: 2 // sends 2 ok message
-  },
-  {
-    // Test 12: same as Test 6
-    csp: "sandbox allow-same-origin allow-scripts; default-src 'self' 'unsafe-inline';",
-    file: "file_csp_sandbox_12.html",
-    results: { img12_bad: -1, script12_bad: -1 },
-    nrOKmessages: 4 // sends 4 ok message
-  },
-];
-
-// a postMessage handler that is used by sandboxed iframes without
-// 'allow-same-origin' to communicate pass/fail back to this main page.
-// it expects to be called with an object like:
-//  { ok: true/false,
-//    desc: <description of the test> which it then forwards to ok() }
-window.addEventListener("message", receiveMessage, false);
-
-function receiveMessage(event) {
-  ok_wrapper(event.data.ok, event.data.desc);
-}
-
-var completedTests = 0;
-var passedTests = 0;
-
-var totalTests = (function() {
-    var nrCSPloadTests = 0;
-    for(var i = 0; i < testCases.length; i++) {
-      nrCSPloadTests += Object.keys(testCases[i].results).length;
-      if (testCases[i].nrOKmessages) {
-        // + number of expected postMessages from iframe
-        nrCSPloadTests += testCases[i].nrOKmessages;
-      }
-    }
-    return nrCSPloadTests;
-})();
-
-function ok_wrapper(result, desc) {
-  ok(result, desc);
-
-  completedTests++;
-
-  if (result) {
-    passedTests++;
-  }
-
-  if (completedTests === totalTests) {
-    window.examiner.remove();
-    SimpleTest.finish();
-  }
-}
-
-// Set the iframe src and sandbox attribute
-function runTest(test) {
-  var iframe = document.createElement('iframe');
-
-  document.getElementById('content').appendChild(iframe);
-
-  // set sandbox attribute
-  if (test.sandboxAttribute !== undefined) {
-    iframe.sandbox = test.sandboxAttribute;
-  }
-
-  // set query string
-  var src = 'file_csp_testserver.sjs';
-  // path where the files are
-  var path = '/tests/dom/base/test/csp/';
-
-  src += '?file=' + escape(path+test.file);
-
-  if (test.csp !== undefined) {
-    src += '&csp=' + escape(test.csp);
-  }
-
-  iframe.src = src;
-  iframe.width = iframe.height = 10;
-}
-
-// Examiner related
-
-// This is used to watch the blocked data bounce off CSP and allowed data
-// get sent out to the wire.
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
-  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
-}
-
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    var testpat = new RegExp("testid=([a-z0-9_]+)");
-
-    //_good things better be allowed!
-    //_bad things better be stopped!
-
-    if (topic === "specialpowers-http-notify-request") {
-      //these things were allowed by CSP
-      var uri = data;
-      if (!testpat.test(uri)) return;
-      var testid = testpat.exec(uri)[1];
-
-      if(/_good/.test(testid)) {
-        ok_wrapper(true, uri + " is allowed by csp");
-      } else {
-        ok_wrapper(false, uri + " should not be allowed by csp");
-      }
-    }
-
-    if(topic === "csp-on-violate-policy") {
-      //these were blocked... record that they were blocked
-      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      if (!testpat.test(asciiSpec)) return;
-      var testid = testpat.exec(asciiSpec)[1];
-      if(/_bad/.test(testid)) {
-        ok_wrapper(true, asciiSpec + " was blocked by \"" + data + "\"");
-      } else {
-        ok_wrapper(false, asciiSpec + " should have been blocked by \"" + data + "\"");
-      }
-    }
-  },
-
-  // must eventually call this to remove the listener,
-  // or mochitests might get borked.
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
-  }
-}
-
-window.examiner = new examiner();
-
-SimpleTest.waitForExplicitFinish();
-
-(function() { // Run tests:
-  for(var i = 0; i < testCases.length; i++) {
-    runTest(testCases[i]);
-  }
-})();
-
-</script>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/test_iframe_sandbox_csp.html
+++ /dev/null
@@ -1,239 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=671389
-Bug 671389 - Implement CSP sandbox directive
--->
-<head>
-  <meta charset="utf-8">
-  <title>Tests for Bug 671389</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script type="application/javascript">
-
-  SimpleTest.waitForExplicitFinish();
-
-  // Check if two sandbox flags are the same, ignoring case-sensitivity.
-  // getSandboxFlags returns a list of sandbox flags (if any) or
-  // null if the flag is not set.
-  // This function checks if two flags are the same, i.e., they're
-  // either not set or have the same flags.
-  function eqFlags(a, b) {
-    if (a === null && b === null) { return true; }
-    if (a === null || b === null) { return false; }
-    if (a.length !== b.length) {  return false; }
-    var a_sorted = a.map(function(e) { return e.toLowerCase(); }).sort();
-    var b_sorted = b.map(function(e) { return e.toLowerCase(); }).sort();
-    for (var i in a_sorted) {
-      if (a_sorted[i] !== b_sorted[i]) {
-        return false;
-      }
-    }
-    return true;
-  }
-
-  // Get the sandbox flags of document doc.
-  // If the flag is not set sandboxFlagsAsString returns null,
-  // this function also returns null.
-  // If the flag is set it may have some flags; in this case
-  // this function returns the (potentially empty) list of flags.
-  function getSandboxFlags(doc) {
-    var flags = doc.sandboxFlagsAsString;
-    if (flags === null) { return null; }
-    return flags? flags.split(" "):[];
-  }
-
-  // Constructor for a CSP sandbox flags test. The constructor
-  // expectes a description 'desc' and set of options 'opts':
-  //  - sandboxAttribute: [null] or string corresponding to the iframe sandbox attributes
-  //  - csp: [null] or string corresponding to the CSP sandbox flags
-  //  - cspReportOnly: [null] or string corresponding to the CSP report-only sandbox flags
-  //  - file: [null] or string corresponding to file the server should serve
-  // Above, we use [brackets] to denote default values.
-  function CSPFlagsTest(desc, opts) {
-    function ifundef(x, v) {
-      return (x !== undefined) ? x : v;
-    }
-
-    function intersect(as, bs) { // Intersect two csp attributes:
-      as = as === null ? null
-                       : as.split(' ').filter(function(x) { return !!x; });
-      bs = bs === null ? null
-                       : bs.split(' ').filter(function(x) { return !!x; });
-
-      if (as === null) { return bs; }
-      if (bs === null) { return as; }
-
-      var cs = [];
-      as.forEach(function(a) {
-        if (a && bs.indexOf(a) != -1)
-          cs.push(a);
-      });
-      return cs;
-    }
-
-    this.desc     = desc || "Untitled test";
-    this.attr     = ifundef(opts.sandboxAttribute, null);
-    this.csp      = ifundef(opts.csp, null);
-    this.cspRO    = ifundef(opts.cspReportOnly, null);
-    this.file     = ifundef(opts.file, null);
-    this.expected = intersect(this.attr, this.csp);
-  }
-
-  // Return function that checks that the actual flags are the same as the
-  // expected flags
-  CSPFlagsTest.prototype.checkFlags = function(iframe) {
-    var this_ = this;
-    return function() {
-      try {
-        var actual = getSandboxFlags(SpecialPowers.wrap(iframe).contentDocument);
-        ok(eqFlags(actual, this_.expected),
-           this_.desc, 'expected: "' + this_.expected + '", got: "' + actual + '"');
-      } catch (e) {
-        ok(false, this_.desc, 'expected: "' + this_.expected + '", failed with: "' + e + '"');
-      }
-      runNextTest();
-     };
-  };
-
-  // Set the iframe src and sandbox attribute
-  CSPFlagsTest.prototype.runTest = function () {
-    var iframe = document.createElement('iframe');
-    document.getElementById("content").appendChild(iframe);
-    iframe.onload = this.checkFlags(iframe);
-
-    // set sandbox attribute
-    if (this.attr === null) {
-      iframe.removeAttribute('sandbox');
-    } else {
-      iframe.sandbox = this.attr;
-    }
-
-    // set query string
-    var src = 'file_csp_testserver.sjs';
-
-    var delim = '?';
-
-    if (this.csp !== null) {
-      src += delim + 'csp=' + escape('sandbox ' + this.csp);
-      delim = '&';
-    }
-
-    if (this.cspRO !== null) {
-      src += delim + 'cspRO=' + escape('sandbox ' + this.cspRO);
-      delim = '&';
-    }
-
-    if (this.file !== null) {
-      src += delim + 'file=' + escape(this.file);
-      delim = '&';
-    }
-
-    iframe.src = src;
-    iframe.width = iframe.height = 10;
-
-  }
-
-  testCases = [
-    {
-      desc: "Test 1: Header should not override attribute",
-      sandboxAttribute: "",
-      csp: "allow-forms aLLOw-POinter-lock alLOW-popups aLLOW-SAME-ORIGin ALLOW-SCRIPTS allow-top-navigation"
-    },
-    {
-      desc: "Test 2: Attribute should not override header",
-      sandboxAttribute: "sandbox allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation",
-      csp: ""
-    },
-    {
-      desc: "Test 3: Header and attribute intersect",
-      sandboxAttribute: "allow-same-origin allow-scripts",
-      csp: "allow-forms allow-same-origin allow-scripts"
-    },
-    {
-      desc: "Test 4: CSP sandbox sets the right flags (pt 1)",
-      csp: "alLOW-FORms ALLOW-pointer-lock allow-popups allow-same-origin allow-scripts ALLOW-TOP-NAVIGation"
-    },
-    {
-      desc: "Test 5: CSP sandbox sets the right flags (pt 2)",
-      csp: "allow-same-origin allow-TOP-navigation"
-    },
-    {
-      desc: "Test 6: CSP sandbox sets the right flags (pt 3)",
-      csp: "allow-FORMS ALLOW-scripts"
-    },
-    {
-      desc: "Test 7: CSP sandbox sets the right flags (pt 4)",
-      csp: ""
-    },
-    {
-      desc: "Test 8: CSP sandbox sets the right flags (pt 5)",
-      csp: null
-    },
-    {
-      desc: "Test 9: Read-only header should not override attribute",
-      sandboxAttribute: "",
-      cspReportOnly: "allow-forms ALLOW-pointer-lock allow-POPUPS allow-same-origin ALLOW-scripts allow-top-NAVIGATION"
-    },
-    {
-      desc: "Test 10: Read-only header should not override CSP header",
-      csp: "allow-forms allow-scripts",
-      cspReportOnly: "allow-forms aLlOw-PoInTeR-lOcK aLLow-pOPupS aLLoW-SaME-oRIgIN alLow-scripts allow-tOp-navigation"
-    },
-    {
-      desc: "Test 11: Read-only header should not override attribute or CSP header",
-      sandboxAttribute: "allow-same-origin allow-scripts",
-      csp: "allow-forms allow-same-origin allow-scripts",
-      cspReportOnly: "allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation"
-    },
-    {
-      desc: "Test 12: CSP sandbox not affected by document.write()",
-      csp: "allow-scripts",
-      file: 'tests/dom/base/test/csp/file_iframe_sandbox_csp_document_write.html'
-    },
-  ].map(function(t) { return (new CSPFlagsTest(t.desc,t)); });
-
-
-  var testCaseIndex = 0;
-
-  // Track ok messages from iframes
-  var childMessages = 0;
-  var totalChildMessages = 1;
-
-
-  // Check to see if we ran all the tests and received all messges
-  // from child iframes. If so, finish.
-  function tryFinish() {
-    if (testCaseIndex === testCases.length && childMessages === totalChildMessages){
-      SimpleTest.finish();
-    }
-  }
-
-  function runNextTest() {
-
-    tryFinish();
-
-    if (testCaseIndex < testCases.length) {
-      testCases[testCaseIndex].runTest();
-      testCaseIndex++;
-    }
-  }
-
-  function receiveMessage(event) {
-    ok(event.data.ok, event.data.desc);
-    childMessages++;
-    tryFinish();
-  }
-
-  window.addEventListener("message", receiveMessage, false);
-
-  addLoadEvent(runNextTest);
-</script>
-<body>
-  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=671389">Mozilla Bug 671389</a> - Implement CSP sandbox directive
-  <p id="display"></p>
-  <div id="content">
-  </div>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/test_iframe_sandbox_csp_top_1.html
+++ /dev/null
@@ -1,80 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=671389
-Bug 671389 - Implement CSP sandbox directive
-
-Tests CSP sandbox attribute on top-level page.
-
-Minimal flags: allow-same-origin allow-scripts:
-Since we need to load the SimpleTest files, we have to set the
-allow-same-origin flag. Additionally, we set the allow-scripts flag
-since we need JS to check the flags.
-
-Though not necessary, for this test we also set the allow-forms flag.
-We may later wish to extend the testing suite with sandbox_csp_top_*
-tests that set different permutations of the flags.
-
-CSP header: Content-Security-Policy: sandbox allow-forms allow-scripts allow-same-origin
--->
-<head>
-  <meta charset="utf-8">
-  <title>Tests for Bug 671389</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<script type="application/javascript">
-
-SimpleTest.waitForExplicitFinish();
-
-// Check if two sandbox flags are the same.
-// getSandboxFlags returns a list of sandbox flags (if any) or
-// null if the flag is not set.
-// This function checks if two flags are the same, i.e., they're
-// either not set or have the same flags.
-function eqFlags(a, b) {
-  if (a === null && b === null) { return true; }
-  if (a === null || b === null) { return false; }
-  if (a.length !== b.length) { return false; }
-  var a_sorted = a.sort();
-  var b_sorted = b.sort();
-  for (var i in a_sorted) {
-    if (a_sorted[i] !== b_sorted[i]) {
-      return false;
-    }
-  }
-  return true;
-}
-
-// Get the sandbox flags of document doc.
-// If the flag is not set sandboxFlagsAsString returns null,
-// this function also returns null.
-// If the flag is set it may have some flags; in this case
-// this function returns the (potentially empty) list of flags.
-function getSandboxFlags(doc) {
-  var flags = doc.sandboxFlagsAsString;
-  if (flags === null) { return null; }
-  return flags? flags.split(" "):[];
-}
-
-function checkFlags(expected) {
-  try {
-    var flags = getSandboxFlags(SpecialPowers.wrap(document));
-    ok(eqFlags(flags, expected), name + ' expected: "' + expected + '", got: "' + flags + '"');
-  } catch (e) {
-    ok(false, name + ' expected "' + expected + ', but failed with ' + e);
-  }
-  SimpleTest.finish();
-}
-
-</script>
-
-<body onLoad='checkFlags(["allow-forms", "allow-scripts", "allow-same-origin"]);'>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=671389">Mozilla Bug 671389</a> - Implement CSP sandbox directive
-<p id="display"></p>
-<div id="content">
-  I am a top-level page sandboxed with "allow-scripts allow-forms
-  allow-same-origin".
-</div>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/csp/test_iframe_sandbox_csp_top_1.html^headers^
+++ /dev/null
@@ -1,1 +0,0 @@
-Content-Security-Policy: sAnDbOx aLLow-FOrms aLlOw-ScRiPtS ALLOW-same-origin
deleted file mode 100644
--- a/dom/html/test/file_iframe_sandbox_c_if9.html
+++ /dev/null
@@ -1,17 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 671389</title>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-  I am
-  <ul>
-    <li>sandboxed but with "allow-forms", "allow-pointer-lock", "allow-popups", "allow-same-origin", "allow-scripts", and "allow-top-navigation", </li>
-    <li>sandboxed but with "allow-same-origin", "allow-scripts", </li>
-    <li>sandboxed, or </li>
-    <li>not sandboxed.</li>
-  </ul>
-</body>
-</html>
--- a/dom/html/test/mochitest.ini
+++ b/dom/html/test/mochitest.ini
@@ -87,17 +87,16 @@ support-files =
   file_iframe_sandbox_c_if1.html
   file_iframe_sandbox_c_if2.html
   file_iframe_sandbox_c_if3.html
   file_iframe_sandbox_c_if4.html
   file_iframe_sandbox_c_if5.html
   file_iframe_sandbox_c_if6.html
   file_iframe_sandbox_c_if7.html
   file_iframe_sandbox_c_if8.html
-  file_iframe_sandbox_c_if9.html
   file_iframe_sandbox_close.html
   file_iframe_sandbox_d_if1.html
   file_iframe_sandbox_d_if10.html
   file_iframe_sandbox_d_if11.html
   file_iframe_sandbox_d_if12.html
   file_iframe_sandbox_d_if13.html
   file_iframe_sandbox_d_if14.html
   file_iframe_sandbox_d_if15.html
--- a/dom/html/test/test_iframe_sandbox_general.html
+++ b/dom/html/test/test_iframe_sandbox_general.html
@@ -36,17 +36,17 @@ function ok_wrapper(result, desc) {
   ok(result, desc);
 
   completedTests++;
 
   if (result) {
     passedTests++;
   }
 
-  if (completedTests == 33) {
+  if (completedTests == 27) {
     is(passedTests, completedTests, "There are " + completedTests + " general tests that should pass");
     SimpleTest.finish();
   }
 }
 
 function doTest() {
   // passes twice if good
   // 1) test that inline scripts (<script>) can run in an iframe sandboxed with "allow-scripts"
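Review bot: The completion threshold in ok_wrapper is a bare literal (`completedTests == 27`) that has to equal the total number of ok_wrapper calls made by the iframes and javascript: URLs elsewhere in the file, and nothing in this hunk lets a reader check that figure. Because the comparison is `==`, a count that is too high leaves the test waiting until the harness times out, and one that is too low calls SimpleTest.finish() before the remaining "should not execute" cases have had a chance to report a failure. I would add a comment above the check, for example `// 27 = total ok_wrapper() calls expected from the iframes below; update when adding or removing one`. ok_wrapper starts above the hunk and doTest continues below it.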
@@ -175,24 +175,16 @@ function doTest() {
   // done via file_iframe_sandbox_c_if8.html, which has sandbox='allow-scripts allow-same-origin'
 
   // fails if bad
   // 28) Test that a sandboxed iframe can't open a new window using the target.attribute for a
   // non-existing browsing context (BC341604).
   // This is done via file_iframe_sandbox_c_if4.html which is sandboxed with "allow-scripts" and "allow-same-origin"
   // the window it attempts to open calls window.opener.ok(false, ...) and file_iframe_c_if4.html has an ok()
   // function that calls window.parent.ok_wrapper.
-
-  // passes twice if good
-  // 29-32) Test that sandboxFlagsAsString returns the set flags.
-  // see if_14 and if_15
-
-  // passes once if good
-  // 33) Test that sandboxFlagsAsString returns null if iframe does not have sandbox flag set.
-  // see if_16
 }
 
 addLoadEvent(doTest);
 
 var started_if_9 = false;
 var started_if_10 = false;
 
 function start_if_9() {
@@ -215,46 +207,16 @@ function do_if_9() {
   var if_9 = document.getElementById('if_9');
   if_9.src = 'javascript:"<html><script>window.parent.ok_wrapper(false, \'an iframe sandboxed without allow-scripts should not execute script in a javascript URL in a newly set src attribute\');<\/script><\/html>"';
 }
 
 function do_if_10() {
   var if_10 = document.getElementById('if_10');
   if_10.src = 'javascript:"<html><script>window.parent.ok_wrapper(true, \'an iframe sandboxed with allow-scripts should execute script in a javascript URL in a newly set src attribute\');<\/script><\/html>"';
 }
-
-function eqFlags(a, b) {
-  // both a and b should be either null or have the array same flags
-  if (a === null && b === null) { return true; }
-  if (a === null || b === null) { return false; }
-  if (a.length !== b.length) { return false; }
-  var a_sorted = a.sort();
-  var b_sorted = b.sort();
-  for (var i in a_sorted) {
-    if (a_sorted[i] !== b_sorted[i]) { return false; }
-  }
-  return true;
-}
-
-function getSandboxFlags(doc) {
-  var flags = doc.sandboxFlagsAsString;
-  if (flags === null) { return null; }
-  return flags? flags.split(" "):[];
-}
-
-function test_sandboxFlagsAsString(name, expected) {
-  var ifr = document.getElementById(name);
-  try {
-    var flags = getSandboxFlags(SpecialPowers.wrap(ifr).contentDocument);
-    ok_wrapper(eqFlags(flags, expected), name + ' expected: "' + expected + '", got: "' + flags + '"');
-  } catch (e) {
-    ok_wrapper(false, name + ' expected "' + expected + ', but failed with ' + e);
-  }
-}
-
 </script>
 <body>
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
 <p id="display"></p>
 <div id="content">
 <iframe sandbox="allow-same-origin allow-scripts" id="if_1" src="file_iframe_sandbox_c_if1.html" height="10" width="10"></iframe>
 <iframe sandbox="aLlOw-SAME-oRiGin ALLOW-sCrIpTs" id="if_1_case_insensitive" src="file_iframe_sandbox_c_if1.html" height="10" width="10"></iframe>
 <iframe sandbox="" id="if_2" src="file_iframe_sandbox_c_if2.html" height="10" width="10"></iframe>
@@ -267,17 +229,13 @@ function test_sandboxFlagsAsString(name,
 <iframe sandbox="&#x0c;allow-same-origin&#x0c;allow-scripts&#x0c;" id="if_6_d" src="file_iframe_sandbox_c_if6.html" height="10" width="10"></iframe>
 <iframe sandbox="&#x0d;allow-same-origin&#x0d;allow-scripts&#x0d;" id="if_6_e" src="file_iframe_sandbox_c_if6.html" height="10" width="10"></iframe>
 <iframe sandbox="allow-same-origin" id='if_7' src="javascript:'<html><script>window.parent.ok_wrapper(false, \'an iframe sandboxed without allow-scripts should not execute script in a javascript URL in its src attribute\');<\/script><\/html>';" height="10" width="10"></iframe>
 <iframe sandbox="allow-same-origin allow-scripts" id='if_8' src="javascript:'<html><script>window.parent.ok_wrapper(true, \'an iframe sandboxed without allow-scripts should execute script in a javascript URL in its src attribute\');<\/script><\/html>';" height="10" width="10"></iframe>
 <iframe sandbox="allow-same-origin" onload='start_if_9()' id='if_9' src="about:blank" height="10" width="10"></iframe>
 <iframe sandbox="allow-same-origin allow-scripts" onload='start_if_10()' id='if_10' src="about:blank" height="10" width="10"></iframe>
 <iframe sandbox="allow-scripts" id='if_11' src="file_iframe_sandbox_c_if7.html" height="10" width="10"></iframe>
 <iframe sandbox="allow-same-origin allow-scripts" id='if_12' src="file_iframe_sandbox_c_if8.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation " id='if_13' src="file_iframe_sandbox_c_if9.html" height="10" width="10" onload='test_sandboxFlagsAsString("if_13",["allow-forms", "allow-pointer-lock", "allow-popups", "allow-same-origin", "allow-scripts", "allow-top-navigation"])'></iframe>
-<iframe sandbox="&#x09;allow-same-origin&#x09;allow-scripts&#x09;" id="if_14" src="file_iframe_sandbox_c_if6.html" height="10" width="10" onload='test_sandboxFlagsAsString("if_14",["allow-same-origin","allow-scripts"])'></iframe>
-<iframe sandbox="" id="if_15" src="file_iframe_sandbox_c_if9.html" height="10" width="10" onload='test_sandboxFlagsAsString("if_15",[])'></iframe>
-<iframe id="if_16" src="file_iframe_sandbox_c_if9.html" height="10" width="10" onload='test_sandboxFlagsAsString("if_16",null)'></iframe>
 <input type='button' id="a_button" onclick='do_if_9()'>
 <input type='button' id="a_button2" onclick='do_if_10()'>
 </div>
 </body>
 </html>
--- a/dom/interfaces/security/nsIContentSecurityPolicy.idl
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -15,17 +15,17 @@ interface nsIURI;
  * nsIContentSecurityPolicy
  * Describes an XPCOM component used to model and enforce CSPs.  Instances of
  * this class may have multiple policies within them, but there should only be
  * one of these per document/principal.
  */
 
 typedef unsigned short CSPDirective;
 
-[scriptable, uuid(9454a677-5342-4220-8154-e619410e07e7)]
+[scriptable, uuid(68434447-b816-4473-a731-efc4f6d59902)]
 interface nsIContentSecurityPolicy : nsISerializable
 {
   /**
    * Directives supported by Content Security Policy.  These are enums for
    * the CSPDirective type.
    * The NO_DIRECTIVE entry is  used for checking default permissions and
    * returning failure when asking CSP which directive to check.
    *
@@ -43,17 +43,16 @@ interface nsIContentSecurityPolicy : nsI
   const unsigned short FONT_SRC_DIRECTIVE         = 8;
   const unsigned short CONNECT_SRC_DIRECTIVE      = 9;
   const unsigned short REPORT_URI_DIRECTIVE       = 10;
   const unsigned short FRAME_ANCESTORS_DIRECTIVE  = 11;
   const unsigned short REFLECTED_XSS_DIRECTIVE    = 12;
   const unsigned short BASE_URI_DIRECTIVE         = 13;
   const unsigned short FORM_ACTION_DIRECTIVE      = 14;
   const unsigned short REFERRER_DIRECTIVE         = 15;
-  const unsigned short SANDBOX_DIRECTIVE          = 16;
 
   /**
    * Accessor method for a read-only string version of the policy at a given
    * index.
    */
   AString getPolicy(in unsigned long index);
 
   /**
@@ -259,27 +258,16 @@ interface nsIContentSecurityPolicy : nsI
    *    directives that don't fall-back.
    * @return
    *    Whether or not the provided URI is allowed by CSP under the given
    *    directive. (block the pending operation if false).
    */
   boolean permits(in nsIURI aURI, in CSPDirective aDir, in boolean aSpecific);
 
   /**
-   * Delegate method called by the service when the protected document is loaded.
-   * Returns the intersection of all the sandbox flags contained in
-   * CSP policies. This is the most restricting sandbox policy.
-   * See nsSandboxFlags.h for the possible flags.
-   *
-   * @return
-   *    sandbox flags or SANDBOXED_NONE if no sandbox directive exists
-   */
-  uint32_t getCSPSandboxFlags();
-
-  /**
    * Delegate method called by the service when sub-elements of the protected
    * document are being loaded.  Given a bit of information about the request,
    * decides whether or not the policy is satisfied.
    *
    * Calls to this may trigger violation reports when queried, so
    * this value should not be cached.
    */
   short shouldLoad(in nsContentPolicyType aContentType,
--- a/dom/locales/en-US/chrome/security/csp.properties
+++ b/dom/locales/en-US/chrome/security/csp.properties
@@ -45,19 +45,16 @@ inlineScriptBlocked = An attempt to exec
 # inline style refers to CSS code that is embedded into the HTML document.
 inlineStyleBlocked = An attempt to apply inline style sheets has been blocked
 # LOCALIZATION NOTE (scriptFromStringBlocked):
 # eval is a name and should not be localized.
 scriptFromStringBlocked = An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
 # LOCALIZATION NOTE (hostNameMightBeKeyword):
 # %1$S is the hostname in question and %2$S is the keyword
 hostNameMightBeKeyword = Interpreting %1$S as a hostname, not a keyword. If you intended this to be a keyword, use '%2$S' (wrapped in single quotes).
-# LOCALIZATION NOTE (ignoringReportOnlyDirective):
-# %1$S is the directive that is ignore in report-only mode.
-ignoringReportOnlyDirective = Ignoring sandbox directive when delivered in a report-only policy '%1$S'.
 # LOCALIZATION NOTE (notSupportingDirective):
 # directive is not supported (e.g. 'reflected-xss')
 notSupportingDirective = Not supporting directive '%1$S'. Directive and values will be ignored.
 
 # CSP Errors:
 # LOCALIZATION NOTE (couldntParseInvalidSource):
 # %1$S is the source that could not be parsed
 couldntParseInvalidSource = Couldn't parse invalid source %1$S
@@ -68,11 +65,8 @@ couldntParseInvalidHost = Couldn't parse
 # %1$S is the string source
 couldntParseScheme = Couldn't parse scheme in %1$S
 # LOCALIZATION NOTE (couldntParsePort):
 # %1$S is the string source
 couldntParsePort = Couldn't parse port in %1$S
 # LOCALIZATION NOTE (duplicateDirective):
 # %1$S is the name of the duplicate directive
 duplicateDirective = Duplicate %1$S directives detected.  All but the first instance will be ignored.
-# LOCALIZATION NOTE (couldntParseInvalidSandboxFlag):
-# %1$S is the option that could not be understood
-couldntParseInvalidSandboxFlag = Couldn't parse invalid sandbox flag %1$S
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -32,17 +32,16 @@
 #include "nsNullPrincipal.h"
 #include "nsIContentPolicy.h"
 #include "nsSupportsPrimitives.h"
 #include "nsThreadUtils.h"
 #include "nsString.h"
 #include "prlog.h"
 #include "mozilla/dom/CSPReportBinding.h"
 #include "mozilla/net/ReferrerPolicy.h"
-#include "nsSandboxFlags.h"
 
 using namespace mozilla;
 
 #if defined(PR_LOGGING)
 static PRLogModuleInfo *
 GetCspContextLog()
 {
   static PRLogModuleInfo *gCspContextPRLog;
@@ -1182,59 +1181,16 @@ nsCSPContext::Permits(nsIURI* aURI,
                   spec.get(), aDir,
                   *outPermits ? "allow" : "deny"));
   }
 #endif
 
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsCSPContext::GetCSPSandboxFlags(uint32_t* aOutSandboxFlags)
-{
-  if (aOutSandboxFlags == nullptr) {
-    return NS_ERROR_FAILURE;
-  }
-  *aOutSandboxFlags = SANDBOXED_NONE;
-
-  for (uint32_t i = 0; i < mPolicies.Length(); i++) {
-    uint32_t flags = mPolicies[i]->getSandboxFlags();
-
-    // current policy doesn't have sandbox flag, check next policy
-    if (!flags) {
-      continue;
-    }
-
-    // current policy has sandbox flags, if the policy is in
-    // enforcement-mode (i.e., not report-only) set these flags
-    // and check for policies with more restrictions
-    if (!mPolicies[i]->getReportOnlyFlag()) {
-      *aOutSandboxFlags |= flags;
-    } else {
-      // sandbox directive is ignored in report-only mode, warn about
-      // it and continue the loop checking for an enforcement-mode policy
-      nsAutoString policy;
-      mPolicies[i]->toString(policy);
-
-      CSPCONTEXTLOG(("nsCSPContext::ShouldSandbox, report only policy, ignoring sandbox in: %s",
-                      policy.get()));
-
-      const char16_t* params[] = { policy.get() };
-      CSP_LogLocalizedStr(MOZ_UTF16("ignoringReportOnlyDirective"),
-                          params, ArrayLength(params),
-                          EmptyString(),
-                          EmptyString(),
-                          0, 0,
-                          nsIScriptError::warningFlag,
-                          "CSP", mInnerWindowID);
-    }
-  }
-  return NS_OK;
-}
-
 /* ========== CSPViolationReportListener implementation ========== */
 
 NS_IMPL_ISUPPORTS(CSPViolationReportListener, nsIStreamListener, nsIRequestObserver, nsISupports);
 
 CSPViolationReportListener::CSPViolationReportListener()
 {
 }
 
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -10,17 +10,16 @@
 #include "nsIConsoleService.h"
 #include "nsIScriptError.h"
 #include "nsIStringBundle.h"
 #include "nsNetUtil.h"
 #include "nsReadableUtils.h"
 #include "nsServiceManagerUtils.h"
 #include "nsUnicharUtils.h"
 #include "mozilla/net/ReferrerPolicy.h"
-#include "nsContentUtils.h"
 
 using namespace mozilla;
 
 #if defined(PR_LOGGING)
 static PRLogModuleInfo*
 GetCspParserLog()
 {
   static PRLogModuleInfo* gCspParserPRLog;
@@ -908,49 +907,16 @@ nsCSPParser::reportURIList(nsTArray<nsCS
     }
 
     // Create new nsCSPReportURI and append to the list.
     nsCSPReportURI* reportURI = new nsCSPReportURI(uri);
     outSrcs.AppendElement(reportURI);
   }
 }
 
-/* Helper function for parsing sandbox flags. This function solely
- * concatenates all the source list tokens (the sandbox flags) so the
- * attribute parser (nsContentUtils::ParseSandboxAttributeToFlags) can
- * use them.
- */
-void
-nsCSPParser::sandboxFlagList(nsTArray<nsCSPBaseSrc*>& outSrcs)
-{
-  nsAutoString flags;
-
-  // remember, srcs start at index 1
-  for (uint32_t i = 1; i < mCurDir.Length(); i++) {
-    mCurToken = mCurDir[i];
-
-    CSPPARSERLOG(("nsCSPParser::sandboxFlagList, mCurToken: %s, mCurValue: %s",
-                 NS_ConvertUTF16toUTF8(mCurToken).get(),
-                 NS_ConvertUTF16toUTF8(mCurValue).get()));
-
-    if (!nsContentUtils::IsValidSandboxFlag(mCurToken)) {
-      const char16_t* params[] = { mCurToken.get() };
-      logWarningErrorToConsole(nsIScriptError::warningFlag, "couldntParseInvalidSandboxFlag",
-                               params, ArrayLength(params));
-      continue;
-    }
-    flags.Append(mCurToken);
-    if (i != mCurDir.Length() - 1) {
-      flags.AppendASCII(" ");
-    }
-  }
-  nsCSPSandboxFlags* sandboxFlags = new nsCSPSandboxFlags(flags);
-  outSrcs.AppendElement(sandboxFlags);
-}
-
 // directive-value = *( WSP / <VCHAR except ";" and ","> )
 void
 nsCSPParser::directiveValue(nsTArray<nsCSPBaseSrc*>& outSrcs)
 {
   CSPPARSERLOG(("nsCSPParser::directiveValue"));
 
   // The tokenzier already generated an array in the form of
   // [ name, src, src, ... ], no need to parse again, but
@@ -962,23 +928,16 @@ nsCSPParser::directiveValue(nsTArray<nsC
 
   // special case handling of the referrer directive (since it doesn't contain
   // source lists)
   if (CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::REFERRER_DIRECTIVE)) {
     referrerDirectiveValue();
     return;
   }
 
-  // For the sandbox flag the source list is a list of flags, so we're
-  // special casing this directive
-  if (CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::SANDBOX_DIRECTIVE)) {
-    sandboxFlagList(outSrcs);
-    return;
-  }
-
   // Otherwise just forward to sourceList
   sourceList(outSrcs);
 }
 
 // directive-name = 1*( ALPHA / DIGIT / "-" )
 nsCSPDirective*
 nsCSPParser::directiveName()
 {
--- a/dom/security/nsCSPParser.h
+++ b/dom/security/nsCSPParser.h
@@ -123,25 +123,24 @@ class nsCSPParser {
     nsCSPHashSrc*   hashSource();
     nsCSPHostSrc*   appHost(); // helper function to support app specific hosts
     nsCSPHostSrc*   host();
     bool            hostChar();
     bool            schemeChar();
     bool            port();
     bool            path(nsCSPHostSrc* aCspHost);
 
-    bool subHost();                                         // helper function to parse subDomains
-    bool atValidUnreservedChar();                           // helper function to parse unreserved
-    bool atValidSubDelimChar();                             // helper function to parse sub-delims
-    bool atValidPctEncodedChar();                           // helper function to parse pct-encoded
-    bool subPath(nsCSPHostSrc* aCspHost);                   // helper function to parse paths
-    void reportURIList(nsTArray<nsCSPBaseSrc*>& outSrcs);   // helper function to parse report-uris
-    void percentDecodeStr(const nsAString& aEncStr,         // helper function to percent-decode
+    bool subHost();                                       // helper function to parse subDomains
+    bool atValidUnreservedChar();                         // helper function to parse unreserved
+    bool atValidSubDelimChar();                           // helper function to parse sub-delims
+    bool atValidPctEncodedChar();                         // helper function to parse pct-encoded
+    bool subPath(nsCSPHostSrc* aCspHost);                 // helper function to parse paths
+    void reportURIList(nsTArray<nsCSPBaseSrc*>& outSrcs); // helper function to parse report-uris
+    void percentDecodeStr(const nsAString& aEncStr,       // helper function to percent-decode
                           nsAString& outDecStr);
-    void sandboxFlagList(nsTArray<nsCSPBaseSrc*>& outSrcs); // helper function to parse sandbox flags
 
     inline bool atEnd()
     {
       return mCurChar >= mEndChar;
     }
 
     inline bool accept(char16_t aSymbol)
     {
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -7,19 +7,16 @@
 #include "nsDebug.h"
 #include "nsIConsoleService.h"
 #include "nsICryptoHash.h"
 #include "nsIScriptError.h"
 #include "nsIServiceManager.h"
 #include "nsIStringBundle.h"
 #include "nsNetUtil.h"
 #include "nsReadableUtils.h"
-#include "nsContentUtils.h"
-#include "nsAttrValue.h"
-#include "nsSandboxFlags.h"
 
 #if defined(PR_LOGGING)
 static PRLogModuleInfo*
 GetCspUtilsLog()
 {
   static PRLogModuleInfo* gCspUtilsPRLog;
   if (!gCspUtilsPRLog)
     gCspUtilsPRLog = PR_NewLogModule("CSPUtils");
@@ -670,33 +667,16 @@ nsCSPReportURI::toString(nsAString& outS
   nsAutoCString spec;
   nsresult rv = mReportURI->GetSpec(spec);
   if (NS_FAILED(rv)) {
     return;
   }
   outStr.AppendASCII(spec.get());
 }
 
-/* ===== nsCSPSandboxFlags ===================== */
-
-nsCSPSandboxFlags::nsCSPSandboxFlags(const nsAString& aFlags)
-  : mFlags(aFlags)
-{
-}
-
-nsCSPSandboxFlags::~nsCSPSandboxFlags()
-{
-}
-
-void
-nsCSPSandboxFlags::toString(nsAString& outStr) const
-{
-  outStr.Append(mFlags);
-}
-
 /* ===== nsCSPDirective ====================== */
 
 nsCSPDirective::nsCSPDirective(CSPDirective aDirective)
 {
   mDirective = aDirective;
 }
 
 nsCSPDirective::~nsCSPDirective()
@@ -989,31 +969,8 @@ nsCSPPolicy::getReportURIs(nsTArray<nsSt
 {
   for (uint32_t i = 0; i < mDirectives.Length(); i++) {
     if (mDirectives[i]->equals(nsIContentSecurityPolicy::REPORT_URI_DIRECTIVE)) {
       mDirectives[i]->getReportURIs(outReportURIs);
       return;
     }
   }
 }
-
-/*
- * Helper function that returns the underlying bit representation of
- * sandbox flags. The function returns SANDBOXED_NONE if there is no
- * sandbox directives.
- */
-uint32_t
-nsCSPPolicy::getSandboxFlags() const
-{
-  nsAutoString flags;
-  for (uint32_t i = 0; i < mDirectives.Length(); i++) {
-    if (mDirectives[i]->equals(nsIContentSecurityPolicy::SANDBOX_DIRECTIVE)) {
-      flags.Truncate();
-      mDirectives[i]->toString(flags);
-
-      nsAttrValue attr;
-      attr.ParseAtomArray(flags);
-
-      return nsContentUtils::ParseSandboxAttributeToFlags(&attr);
-    }
-  }
-  return SANDBOXED_NONE;
-}
--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@@ -69,18 +69,17 @@ static const char* CSPStrDirectives[] = 
   "frame-src",       // FRAME_SRC_DIRECTIVE
   "font-src",        // FONT_SRC_DIRECTIVE
   "connect-src",     // CONNECT_SRC_DIRECTIVE
   "report-uri",      // REPORT_URI_DIRECTIVE
   "frame-ancestors", // FRAME_ANCESTORS_DIRECTIVE
   "reflected-xss",   // REFLECTED_XSS_DIRECTIVE
   "base-uri",        // BASE_URI_DIRECTIVE
   "form-action",     // FORM_ACTION_DIRECTIVE
-  "referrer",        // REFERRER_DIRECTIVE
-  "sandbox",         // SANDBOX_DIRECTIVE
+  "referrer"         // REFERRER_DIRECTIVE
 };
 
 inline const char* CSP_CSPDirectiveToString(CSPDirective aDir)
 {
   return CSPStrDirectives[static_cast<uint32_t>(aDir)];
 }
 
 inline CSPDirective CSP_StringToCSPDirective(const nsAString& aDir)
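Review bot: `CSP_CSPDirectiveToString` indexes `CSPStrDirectives` with `static_cast<uint32_t>(aDir)` and no range check, and this hunk shortens the table by one entry, so any `CSPDirective` value above `REFERRER_DIRECTIVE` now reads past the end of the array. The table is kept in step with the constants in nsIContentSecurityPolicy.idl only by hand (the same backout drops `SANDBOX_DIRECTIVE = 16` there), so I would pin the relationship at compile time directly after the array: `static_assert(MOZ_ARRAY_LENGTH(CSPStrDirectives) == nsIContentSecurityPolicy::REFERRER_DIRECTIVE + 1, "CSPStrDirectives out of sync with nsIContentSecurityPolicy.idl");`. That assumes the first table entry corresponds to directive value 0, which sits above the hunk and should be confirmed. A debug assertion on `aDir` inside the accessor would additionally catch stale values at run time; the array definition begins outside the hunk and `CSP_StringToCSPDirective` continues past it.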
@@ -264,29 +263,16 @@ class nsCSPReportURI : public nsCSPBaseS
     virtual ~nsCSPReportURI();
 
     void toString(nsAString& outStr) const;
 
   private:
     nsCOMPtr<nsIURI> mReportURI;
 };
 
-/* =============== nsCSPSandboxFlag ============ */
-
-class nsCSPSandboxFlags : public nsCSPBaseSrc {
-  public:
-    explicit nsCSPSandboxFlags(const nsAString& aFlags);
-    virtual ~nsCSPSandboxFlags();
-
-    void toString(nsAString& outStr) const;
-
-  private:
-    nsString mFlags;
-};
-
 /* =============== nsCSPDirective ============= */
 
 class nsCSPDirective {
   public:
     nsCSPDirective();
     explicit nsCSPDirective(CSPDirective aDirective);
     virtual ~nsCSPDirective();
 
@@ -358,17 +344,15 @@ class nsCSPPolicy {
     void getDirectiveStringForContentType(nsContentPolicyType aContentType,
                                           nsAString& outDirective) const;
 
     void getDirectiveAsString(CSPDirective aDir, nsAString& outDirective) const;
 
     inline uint32_t getNumDirectives() const
       { return mDirectives.Length(); }
 
-    uint32_t getSandboxFlags() const;
-
   private:
     nsTArray<nsCSPDirective*> mDirectives;
     bool                      mReportOnly;
     nsString                  mReferrerPolicy;
 };
 
 #endif /* nsCSPUtils_h___ */
--- a/dom/webidl/Document.webidl
+++ b/dom/webidl/Document.webidl
@@ -349,22 +349,16 @@ partial interface Document {
   [ChromeOnly] readonly attribute DOMString contentLanguage;
 };
 
 // Extension to give chrome JS the ability to determine when a document was
 // created to satisfy an iframe with srcdoc attribute.
 partial interface Document {
   [ChromeOnly] readonly attribute boolean isSrcdocDocument;
 };
-// Extension to give chrome JS the ability to get the underlying
-// sandbox flag attribute
-partial interface Document {
-  [ChromeOnly] readonly attribute DOMString? sandboxFlagsAsString;
-};
-
 
 /**
  * Chrome document anonymous content management.
  * This is a Chrome-only API that allows inserting fixed positioned anonymous
  * content on top of the current page displayed in the document.
  * The supplied content is cloned and inserted into the document's CanvasFrame.
  * Note that this only works for HTML documents.
  */