Bug 1473668 [wpt PR 11770] - "navigate-to" remaining work, a=testonly
authorAndy Paicu <andypaicu@chromium.org>
Thu, 11 Oct 2018 10:03:59 +0000
changeset 499517 98523b594c73686a9407514a557c5076fff19332
parent 499516 620367d865abe05f5fee4c1c8f96b5d563fe51c0
child 499518 26c8d3dfc40ffefaa2bc7038cc40970e9cc74c4e
push id1864
push userffxbld-merge
push dateMon, 03 Dec 2018 15:51:40 +0000
treeherdermozilla-release@f040763d99ad [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1473668, 11770, 837627, 805886, 1124476, 598336
milestone64.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1473668 [wpt PR 11770] - "navigate-to" remaining work, a=testonly Automatic update from web-platform-tests"navigate-to" remaining work This patch includes: The security violation event and CSP report are now sent to the correct document via an interface ptr sent though the common params Added 'unsafe-allowed-redirects' keyword tests Bundled all CSP info into one InitiatorCSPInfo struct Modified existing tests to test the violation event as well Bug: 837627, 805886 Change-Id: I03124f29d4205ad4a5c2ac899b15f42e8e23659b Reviewed-on: https://chromium-review.googlesource.com/c/1124476 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#598336} -- wpt-commits: 50812d274c2fd70219c8d6962ff66b880a04b6ea wpt-pr: 11770
testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html
testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.html
testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.html
testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.html
testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.html
testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html
testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html
testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html
testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html
testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.html
testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py
testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py
testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers
testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html
testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html
--- a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html
@@ -1,19 +1,18 @@
 <!DOCTYPE html>
 
 <head>
-<meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
-  var t = async_test("Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child)");
+  var t = async_test("Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`)");
   window.onmessage = t.step_func_done(function(e) {
     assert_equals(e.data.result, 'success');
   });
 </script>
 
 <iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27self%27'>">
 
 </body>
--- a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html
@@ -1,12 +1,19 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`)");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
 <iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}'>"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
-</body>
\ No newline at end of file
+</body>
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.html
@@ -7,10 +7,10 @@
 
 <body>
 <script>
   var t = async_test("Test that form-action overrides navigate-to when present.");
   window.onmessage = t.step_func_done(function(e) {
     assert_equals(e.data.result, 'success');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.html
@@ -7,10 +7,10 @@
 
 <body>
 <script>
   var t = async_test("Test that form-action overrides navigate-to when present.");
   window.onmessage = t.step_func_done(function(e) {
     assert_equals(e.data.result, 'success');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.html
@@ -8,10 +8,10 @@
 <body>
 <script>
   var t = async_test("Test that form-action overrides navigate-to when present.");
   window.onmessage = t.step_func_done(function(e) {
     assert_equals(e.data.result, 'fail');
     assert_equals(e.data.violatedDirective, 'form-action');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.html
@@ -8,10 +8,10 @@
 <body>
 <script>
   var t = async_test("Test that form-action overrides navigate-to when present.");
   window.onmessage = t.step_func_done(function(e) {
     assert_equals(e.data.result, 'fail');
     assert_equals(e.data.violatedDirective, 'form-action');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html
@@ -1,12 +1,19 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
 <iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&action=post_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html
@@ -1,12 +1,19 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
 <iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html
@@ -1,12 +1,20 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
 <iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html
@@ -2,13 +2,19 @@
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
   window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html", "_blank");
 </script>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html
@@ -2,13 +2,19 @@
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
   window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
 </script>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html
@@ -2,13 +2,19 @@
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
   window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
 </script>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html
@@ -1,12 +1,11 @@
 <!DOCTYPE html>
 
 <head>
-<meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
   var t = async_test("Test that the child iframe navigation is allowed");
   window.onmessage = t.step_func_done(function(e) {
--- a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html
@@ -1,12 +1,19 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
 <iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe>
 
-<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html
@@ -1,12 +1,11 @@
 <!DOCTYPE html>
 
 <head>
-<meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
   var t = async_test("Test that the child iframe navigation is allowed");
   window.onmessage = t.step_func_done(function(e) {
--- a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html
@@ -1,13 +1,20 @@
 <!DOCTYPE html>
 
 <head>
-<meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
 <iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html
@@ -1,12 +1,11 @@
 <!DOCTYPE html>
 
 <head>
-<meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
   var t = async_test("Test that the child iframe navigation is allowed");
   window.onmessage = t.step_func_done(function(e) {
--- a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html
@@ -1,13 +1,19 @@
 <!DOCTYPE html>
 
 <head>
-<meta name="timeout" content="long">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
 <iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html
@@ -1,12 +1,20 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
 <iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html
@@ -1,12 +1,20 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
 <iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html
@@ -1,12 +1,20 @@
 <!DOCTYPE html>
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
+<script>
+  var t = async_test("Test that the child iframe navigation is not allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+</script>
+
 <iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe>
 
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html
@@ -2,25 +2,25 @@
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
-  var t = async_test("Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent)");
+  var t = async_test("Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`)");
   window.onmessage = t.step_func_done(function(e) {
     assert_equals(e.data.result, 'success');
   });
   window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered a policy violation"));
 
   var i = document.createElement('iframe');
   var src_changed = false;
   i.onload = function() {
     if (src_changed) return;
     src_changed = true;
     i.src = "support/post_message_to_frame_owner.html";
   }
   i.src = "support/wait_for_navigation.html?csp=navigate-to%20%none%27";
   document.body.appendChild(i);
 </script>
-</body>
\ No newline at end of file
+</body>
--- a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html
@@ -2,20 +2,27 @@
 
 <head>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
+  var t = async_test("Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`)");
+  window.onmessage = t.unreached_func("Should not have received a message as the navigation should not have been successful");
+  window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+    assert_equals(e.violatedDirective, 'navigate-to');
+  }));
+
   var i = document.createElement('iframe');
   var src_changed = false;
   i.onload = function() {
     if (src_changed) return;
     src_changed = true;
     i.src = "support/post_message_to_frame_owner.html";
   }
   i.src = "support/wait_for_navigation.html?csp=navigate-to%20%27self%27";
   document.body.appendChild(i);
 </script>
+
 <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20support%2Fwait_for_navigation.html'></script>
-</body>
\ No newline at end of file
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<!-- This tests that a navigation initiator that has been replaced by the time
+     the navigation it initiates is blocked, will not receive the SPV event.
+
+     An iframe will navigate another iframe and the navigate itself.
+     The second iframe's navigation response will be delayed by the server but will
+     eventually be blocked by the CSP of the first iframe.
+     By the time this happens the first iframe should be an entirely different
+     document and it should not receive a SPV event -->
+<script>
+  var t = async_test("Test that no spv event is raised");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "end_test") t.done();
+    else assert_unreached("Should not have raised a spv event");
+  });
+
+  var frames_loaded_count = 0;
+  var frame_loaded = function() {
+    if (++frames_loaded_count == 2) {
+      // both child frame have loaded we can start the
+      // test now, send a message to iframe1 so it knows to start
+      document.getElementById('iframe1').contentWindow.postMessage('start_test', '*');
+    }
+  }
+  var i1 = document.createElement('iframe');
+  i1.src = "support/spv-test-iframe1.sub.html?report_id={{$id:uuid()}}";
+  i1.id = "iframe1";
+  i1.name = "iframe1";
+  i1.onload = frame_loaded;
+  document.body.appendChild(i1);
+
+  var i2 = document.createElement('iframe');
+  i2.src = "support/spv-test-iframe2.sub.html";
+  i2.id = "iframe2";
+  i2.name = "iframe2";
+  i2.onload = frame_loaded;
+  document.body.appendChild(i2);
+</script>
+
+<script async defer src='../support/checkReport.sub.js?reportExists=false&reportID={{$id}}'></script>
+
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py
@@ -0,0 +1,12 @@
+import time
+def main(request, response):
+    time.sleep(1)
+    headers = [("Content-Type", "text/html")]
+    return headers, '''
+<!DOCTYPE html>
+<head>
+</head>
+<body>
+    DELAYED FRAME
+</body
+'''
--- a/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html
@@ -1,13 +1,17 @@
 <!DOCTYPE html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    opener.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+  });
+
   try {
     location.href = "{{GET[target]}}";
   } catch(ex) {}
 </script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html
@@ -2,11 +2,15 @@
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
 </head>
 
 <body>
 <a href="{{GET[target]}}" id="link">dummy link</a>
 <script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*');
+  });
+
   document.getElementById('link').click();
 </script>
 </body>
\ No newline at end of file
--- a/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py
@@ -1,6 +1,6 @@
 def main(request, response):
     response.status = 302
     if "location" in request.GET:
         response.headers.set("Location", request.GET["location"])
     else:
-        response.headers.set("Location", "post_message_to_frame_owner.html")
\ No newline at end of file
+        response.headers.set("Location", "post_message_to_frame_owner.html")
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<head>
+  <script>
+    window.onmessage = function(e) {
+      if (e.data == "start_test") {
+        document.getElementById('link').click();
+        location.href = "{{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html";
+      }
+    }
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+  <a href="{{location[server]}}/content-security-policy/navigate-to/support/delayed_frame.py" id="link" target="iframe2">dummy link</a>
+  IFRAME 1
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: navigate-to {{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html 'unsafe-allow-redirects'; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<head>
+</head>
+<body>
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*');
+    });
+    setTimeout(function() {
+      top.postMessage("end_test", "*");
+    }, 4000);
+  </script>
+  IFRAME 2
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<head>
+  <script>
+    window.addEventListener('securitypolicyviolation', function(e) {
+      top.postMessage({iframe: 'iframe3', violatedDirective: e.violatedDirective}, '*');
+    });
+  </script>
+</head>
+
+<body>
+  IFRAME 3
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  // the iframe will navigate to:
+  //    [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to
+  //    [www1]/..../post_message_to_frame_owner.html which is not exactly in
+  // the list but the check should be reduced to an origin check since there has been a redirect.
+  // Because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect
+
+  var i = document.createElement('iframe');
+  i.src = "../support/link_click_navigation.sub.html" +
+    "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/some-path/ 'unsafe-allow-redirects'") +
+    "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" +
+                                     encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html"));
+  document.body.appendChild(i);
+</script>
+
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is allowed");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'success');
+  });
+
+  // the iframe will navigate to:
+  //    [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to
+  //    [www1]/..../post_message_to_frame_owner.html which is in the list
+  // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect
+
+  var i = document.createElement('iframe');
+  i.src = "../support/link_click_navigation.sub.html" +
+    "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") +
+    "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" +
+                                     encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html"));
+  document.body.appendChild(i);
+</script>
+
+</body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+  var t = async_test("Test that the child iframe navigation is blocked");
+  window.onmessage = t.step_func_done(function(e) {
+    assert_equals(e.data.result, 'fail');
+    assert_equals(e.data.violatedDirective, 'navigate-to');
+  });
+
+  // the iframe will navigate to:
+  //    [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to
+  //    [www2]/..../post_message_to_frame_owner.html which is also not in the list
+  // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect
+
+  var i = document.createElement('iframe');
+  i.src = "../support/link_click_navigation.sub.html" +
+    "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") +
+    "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" +
+                                     encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html"));
+  document.body.appendChild(i);
+</script>
+
+</body>