From 63739feac33fb1c47ba87b9fd21e239cec1462ff Mon Sep 17 00:00:00 2001
From: Chung-Sheng Fu <cfu@mozilla.com>
Date: Wed, 29 Nov 2017 16:55:00 +0200
Subject: [PATCH] Bug 1037335 - Add a pref to enable only within Nightly and
 Early Beta. r=ckerschb,smaug

MozReview-Commit-ID: Bi82dHm53qX

--HG--
extra : rebase_source : 61a7c517afb2759d672a1c486213a73ef505a324
extra : amend_source : 572a2c8613fe36ae1ebd613a361bb23acc019912
---
 dom/security/nsCSPContext.cpp                              | 7 +++++++
 dom/security/nsCSPContext.h                                | 2 ++
 .../test/csp/test_security_policy_violation_event.html     | 5 +++++
 dom/webidl/SecurityPolicyViolationEvent.webidl             | 3 ++-
 modules/libpref/init/all.js                                | 5 +++++
 .../base-uri/base-uri_iframe_sandbox.sub.html.ini          | 1 +
 .../report-uri-does-not-respect-base-uri.sub.html.ini      | 1 +
 .../child-src/child-src-worker-blocked.sub.html.ini        | 1 +
 .../connect-src-xmlhttprequest-blocked.sub.html.ini        | 1 +
 .../font-src/font-stylesheet-font-blocked.sub.html.ini     | 1 +
 .../generic/generic-0_1-img-src.html.ini                   | 1 +
 .../generic/generic-0_1-script-src.html.ini                | 1 +
 .../generic/generic-0_10_1.sub.html.ini                    | 1 +
 .../generic/generic-0_2_2.sub.html.ini                     | 1 +
 .../content-security-policy/generic/generic-0_2_3.html.ini | 1 +
 .../generic/generic-0_8_1.sub.html.ini                     | 1 +
 .../media-src/media-src-7_1_2.sub.html.ini                 | 1 +
 .../media-src/media-src-7_2_2.sub.html.ini                 | 1 +
 .../media-src/media-src-7_3_2.sub.html.ini                 | 1 +
 .../media-src/media-src-blocked.sub.html.ini               | 1 +
 .../navigation/to-javascript-url-script-src.html.ini       | 1 +
 ...port-only-sends-reports-on-violation.https.sub.html.ini | 1 +
 ...api-report-to-overrides-report-uri-1.https.sub.html.ini | 1 +
 ...api-report-to-overrides-report-uri-2.https.sub.html.ini | 1 +
 ...rting-api-sends-reports-on-violation.https.sub.html.ini | 1 +
 .../reporting/securitypolicyviolation-idl.html.ini         | 1 +
 .../script-src/javascript-window-open-blocked.html.ini     | 1 +
 .../script-src/script-src-1_1.html.ini                     | 1 +
 .../script-src/script-src-1_10.html.ini                    | 1 +
 .../script-src/script-src-1_2.html.ini                     | 1 +
 .../script-src/script-src-1_2_1.html.ini                   | 1 +
 .../script-src/script-src-1_4.html.ini                     | 1 +
 .../script-src/script-src-1_4_1.html.ini                   | 1 +
 .../script-src/script-src-1_4_2.html.ini                   | 1 +
 ...rt-only-policy-works-with-external-hash-policy.html.ini | 1 +
 ...-src-report-only-policy-works-with-hash-policy.html.ini | 1 +
 .../script-src-strict_dynamic_discard_whitelist.html.ini   | 1 +
 ...c-strict_dynamic_double_policy_different_nonce.html.ini | 1 +
 ...t-src-strict_dynamic_double_policy_report_only.html.ini | 1 +
 .../script-src/script-src-strict_dynamic_hashes.html.ini   | 1 +
 .../script-src-strict_dynamic_javascript_uri.html.ini      | 1 +
 ...ct_dynamic_non_parser_inserted_incorrect_nonce.html.ini | 1 +
 .../script-src-strict_dynamic_parser_inserted.html.ini     | 1 +
 .../scripthash-unicode-normalization.sub.html.ini          | 1 +
 .../script-src/scriptnonce-and-scripthash.sub.html.ini     | 1 +
 .../scriptnonce-ignore-unsafeinline.sub.html.ini           | 1 +
 .../securitypolicyviolation/blockeduri-inline.html.ini     | 1 +
 .../securitypolicyviolation/idl.html.ini                   | 1 +
 .../img-src-redirect-upgrade-reporting.https.html.ini      | 1 +
 ...ation-block-cross-origin-image-from-script.sub.html.ini | 1 +
 ...typolicyviolation-block-cross-origin-image.sub.html.ini | 1 +
 ...itypolicyviolation-block-image-from-script.sub.html.ini | 1 +
 .../securitypolicyviolation-block-image.sub.html.ini       | 1 +
 .../securitypolicyviolation/targeting.html.ini             | 2 +-
 ...inline-style-allowed-while-cloning-objects.sub.html.ini | 1 +
 .../style-src/style-src-hash-blocked.html.ini              | 1 +
 .../style-src-injected-inline-style-blocked.html.ini       | 1 +
 .../style-src-injected-stylesheet-blocked.sub.html.ini     | 1 +
 .../style-src-inline-style-attribute-blocked.html.ini      | 1 +
 .../style-src/style-src-inline-style-blocked.html.ini      | 1 +
 ...yle-src-inline-style-nonce-blocked-error-event.html.ini | 1 +
 .../style-src-inline-style-nonce-blocked.html.ini          | 1 +
 .../style-src/style-src-none-blocked.html.ini              | 1 +
 .../style-src/style-src-stylesheet-nonce-blocked.html.ini  | 1 +
 .../style-src/stylehash-basic-blocked.sub.html.ini         | 1 +
 .../style-src/stylenonce-allowed.sub.html.ini              | 1 +
 .../style-src/stylenonce-blocked.sub.html.ini              | 1 +
 .../svg/object-in-svg-foreignobject.sub.html.ini           | 1 +
 .../content-security-policy/svg/svg-inline.sub.html.ini    | 1 +
 .../script_event_handlers_allowed.html.ini                 | 1 +
 ...enied_matching_hash_no_unsafe_inline_attribute.html.ini | 1 +
 ...script_event_handlers_denied_not_matching_hash.html.ini | 1 +
 72 files changed, 88 insertions(+), 2 deletions(-)

diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 34bce29005f8..50b7d2b8457b 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -273,6 +273,7 @@ NS_IMPL_ISUPPORTS_CI(nsCSPContext,
                      nsISerializable)
 
 int32_t nsCSPContext::sScriptSampleMaxLength;
+bool nsCSPContext::sViolationEventsEnabled = false;
 
 nsCSPContext::nsCSPContext()
   : mInnerWindowID(0)
@@ -285,6 +286,8 @@ nsCSPContext::nsCSPContext()
     Preferences::AddIntVarCache(&sScriptSampleMaxLength,
                                 "security.csp.reporting.script-sample.max-length",
                                 40);
+    Preferences::AddBoolVarCache(&sViolationEventsEnabled,
+                                 "security.csp.enable_violation_events");
     sInitialized = true;
   }
 
@@ -1137,6 +1140,10 @@ nsresult
 nsCSPContext::FireViolationEvent(
   const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit)
 {
+  if (!sViolationEventsEnabled) {
+    return NS_OK;
+  }
+
   nsCOMPtr<nsIDocument> doc = do_QueryReferent(mLoadingContext);
   if (!doc) {
     return NS_OK;
diff --git a/dom/security/nsCSPContext.h b/dom/security/nsCSPContext.h
index 1f63b583b1e2..90e16f99e5ea 100644
--- a/dom/security/nsCSPContext.h
+++ b/dom/security/nsCSPContext.h
@@ -144,6 +144,8 @@ class nsCSPContext : public nsIContentSecurityPolicy
       return std::max(sScriptSampleMaxLength, 0);
     }
 
+    static bool sViolationEventsEnabled;
+
     nsString                                   mReferrer;
     uint64_t                                   mInnerWindowID; // used for web console logging
     nsTArray<nsCSPPolicy*>                     mPolicies;
diff --git a/dom/security/test/csp/test_security_policy_violation_event.html b/dom/security/test/csp/test_security_policy_violation_event.html
index 04034ac8f0b3..db1ae9fa7a13 100644
--- a/dom/security/test/csp/test_security_policy_violation_event.html
+++ b/dom/security/test/csp/test_security_policy_violation_event.html
@@ -4,6 +4,11 @@
 <script src="/tests/SimpleTest/SimpleTest.js"></script>
 <script>
 SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv({
+  set: [
+    ["security.csp.enable_violation_events", true]
+  ]
+});
 document.addEventListener("securitypolicyviolation", (e) => {
   SimpleTest.is(e.blockedURI, "http://mochi.test:8888/foo/bar.jpg", "blockedURI");
   SimpleTest.todo_is(e.violatedDirective, "img-src", "violatedDirective")
diff --git a/dom/webidl/SecurityPolicyViolationEvent.webidl b/dom/webidl/SecurityPolicyViolationEvent.webidl
index d7b691d30459..59755ca97788 100644
--- a/dom/webidl/SecurityPolicyViolationEvent.webidl
+++ b/dom/webidl/SecurityPolicyViolationEvent.webidl
@@ -7,7 +7,8 @@ enum SecurityPolicyViolationEventDisposition
   "enforce", "report"
 };
 
-[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
+[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict),
+ Pref="security.csp.enable_violation_events"]
 interface SecurityPolicyViolationEvent : Event
 {
     readonly attribute DOMString      documentURI;
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index b1da4dcc4a0e..23ff33d4efa0 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2532,6 +2532,11 @@ pref("security.notification_enable_delay", 500);
 pref("security.csp.enable", true);
 pref("security.csp.experimentalEnabled", false);
 pref("security.csp.enableStrictDynamic", true);
+#ifdef EARLY_BETA_OR_EARLIER
+pref("security.csp.enable_violation_events", true);
+#else
+pref("security.csp.enable_violation_events", false);
+#endif
 
 // Default Content Security Policy to apply to signed contents.
 pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'");
diff --git a/testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini b/testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini
index 82ab9a4d5102..4e5c4443d0fd 100644
--- a/testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html.ini
@@ -1,4 +1,5 @@
 [base-uri_iframe_sandbox.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   expected: ERROR
 
diff --git a/testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini b/testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
index 955c83af778b..66aefa9bd9f5 100644
--- a/testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
@@ -1,4 +1,5 @@
 [report-uri-does-not-respect-base-uri.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini
index 8a93be9c810d..8585879e873e 100644
--- a/testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/child-src/child-src-worker-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [child-src-worker-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should throw a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini
index e40a87e00de6..3beef937cfe7 100644
--- a/testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [connect-src-xmlhttprequest-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [XHR should fire onerror.]
     expected: TIMEOUT
 
diff --git a/testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini
index 9a0418139c43..f0552077d9c9 100644
--- a/testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [font-stylesheet-font-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Test font does not load if it does not match font-src.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini b/testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini
index b8bcd475bf27..9625beb26303 100644
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_1-img-src.html.ini
@@ -1,5 +1,6 @@
 [generic-0_1-img-src.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Violation report status OK.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini b/testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini
index 2d8691cf30df..62b6f2bed142 100644
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_1-script-src.html.ini
@@ -1,5 +1,6 @@
 [generic-0_1-script-src.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Violation report status OK.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini b/testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini
index cbe8723cec4f..49c8cdf32458 100644
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini
@@ -1,4 +1,5 @@
 [generic-0_10_1.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini b/testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini
index fdc27e33cc6a..66a72f6b0f5c 100644
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini
@@ -1,4 +1,5 @@
 [generic-0_2_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini b/testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini
index 6a50e7741191..d6b857c21948 100644
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_2_3.html.ini
@@ -1,4 +1,5 @@
 [generic-0_2_3.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini b/testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini
index eabfd6196983..03a1db9f4f34 100644
--- a/testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/generic/generic-0_8_1.sub.html.ini
@@ -1,4 +1,5 @@
 [generic-0_8_1.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation events for every failed violation]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
index d08fe125c549..d9ff5155d0c6 100644
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-7_1_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
index e4b35bae287c..d2f93bb83f97 100644
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-7_2_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini
index cd02dea03260..7397cc938a11 100644
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-7_3_2.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-7_3_2.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
index 5dfca0e88b38..536ed928be31 100644
--- a/testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
@@ -1,4 +1,5 @@
 [media-src-blocked.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation events are fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini b/testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini
index f1fc0e234b51..e5e2d7da58a4 100644
--- a/testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini
+++ b/testing/web-platform/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini
@@ -1,6 +1,7 @@
 [to-javascript-url-script-src.html]
   type: testharness
   expected: TIMEOUT
+  prefs: [security.csp.enable_violation_events:true]
   [<iframe src='javascript:'> blocked without 'unsafe-inline'.]
     expected: TIMEOUT
 
diff --git a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
index 776eb0d835ad..a0bb8d5088e0 100644
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
@@ -1,4 +1,5 @@
 [reporting-api-report-only-sends-reports-on-violation.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
index 4152e6894e0f..8ed7ea7b023c 100644
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
@@ -1,4 +1,5 @@
 [reporting-api-report-to-overrides-report-uri-1.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
index 01805429360b..0e31e0a254a1 100644
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
@@ -1,4 +1,5 @@
 [reporting-api-report-to-overrides-report-uri-2.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini
index e2f1c3c47a45..11dcca55dd7a 100644
--- a/testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.ini
@@ -1,4 +1,5 @@
 [reporting-api-sends-reports-on-violation.https.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini b/testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini
index 3dd79d3b2826..69bacdab3c04 100644
--- a/testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini
+++ b/testing/web-platform/meta/content-security-policy/reporting/securitypolicyviolation-idl.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-idl.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [SecurityPolicyViolationEvent IDL Tests]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini b/testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
index 28e9abf23035..a501dd2bf38b 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
@@ -1,5 +1,6 @@
 [javascript-window-open-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Check that a securitypolicyviolation event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini
index e5d87f5febbc..cbf4b1d1f108 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_1.html.ini
@@ -1,4 +1,5 @@
 [script-src-1_1.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should not fire policy violation events]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini
index 8f3bb9989af2..710f01a6cd76 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_10.html.ini
@@ -1,4 +1,5 @@
 [script-src-1_10.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini
index 47e85754fbd2..2aae14f5a20f 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2.html.ini
@@ -2,6 +2,7 @@
   type: testharness
   disabled:
     if os == "win": bug 1172411
+  prefs: [security.csp.enable_violation_events:true]
   [Should not fire policy violation events]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
index 60e1ba436856..565ac69c4566 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
@@ -2,6 +2,7 @@
   type: testharness
   disabled:
     if os == "win": bug 1094323
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini
index cc060b6210b9..9a71103c9684 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4.html.ini
@@ -1,5 +1,6 @@
 [script-src-1_4.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [eval() should throw without 'unsafe-eval' keyword source in script-src directive.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini
index 908e916bee38..b71c5bbb1ade 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_1.html.ini
@@ -2,6 +2,7 @@
   type: testharness
   disabled:
     if os == "win": bug 1094323
+  prefs: [security.csp.enable_violation_events:true]
   [Test that securitypolicyviolation event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
index 171f1ac6c5b1..b16470ef7132 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
@@ -1,5 +1,6 @@
 [script-src-1_4_2.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Unsafe eval ran in Function() constructor.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini
index e16b7f364517..04ec6076fad6 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini
@@ -1,5 +1,6 @@
 [script-src-report-only-policy-works-with-external-hash-policy.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [External script in a script tag with matching SRI hash should run.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
index 2e08186d0fd2..5af6e8292d42 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
@@ -1,5 +1,6 @@
 [script-src-report-only-policy-works-with-hash-policy.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the securitypolicyviolation event is fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini
index 6d29e2185a16..0625d3fb4f4c 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_discard_whitelist.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
index 4295273708ac..cd77a6065733 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_double_policy_different_nonce.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini
index d6981faa8d51..c5de10cd4627 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.ini
@@ -1,4 +1,5 @@
 [script-src-strict_dynamic_double_policy_report_only.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src \'none\'` policy.]
     expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini
index 98e19e095bba..de1e67f9fc4c 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.ini
@@ -1,4 +1,5 @@
 [script-src-strict_dynamic_hashes.html]
   type: testharness
   expected: ERROR
+  prefs: [security.csp.enable_violation_events:true]
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
index 8166cac7be1d..c165efd01d1e 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_javascript_uri.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
index b14682c3ac23..97bce428f1f8 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
@@ -1,5 +1,6 @@
 [script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [All the expected CSP violation reports have been fired.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
index 98cfa3c1dd0e..f53a0b2e5fd3 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini
@@ -1,6 +1,7 @@
 [script-src-strict_dynamic_parser_inserted.html]
   type: testharness
   expected: TIMEOUT
+  prefs: [security.csp.enable_violation_events:true]
   [Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini b/testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
index 88b997339348..cce73aee9d23 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
@@ -1,4 +1,5 @@
 [scripthash-unicode-normalization.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire securitypolicyviolation]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini b/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
index bf1adfaefb41..a35097aaa127 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
@@ -1,4 +1,5 @@
 [scriptnonce-and-scripthash.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini b/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
index 995cd8d6f8cb..ae69ab9b57b2 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
@@ -1,4 +1,5 @@
 [scriptnonce-ignore-unsafeinline.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"\]]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
index 6dfbae90f9f4..4195db27b76b 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
@@ -1,5 +1,6 @@
 [blockeduri-inline.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Inline violations have a blockedURI of 'inline']
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini
index af193b7f1053..8a7dd10ca769 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/idl.html.ini
@@ -1,3 +1,4 @@
 [idl.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini
index 4c669151add6..c33cf045b1af 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.ini
@@ -1,3 +1,4 @@
 [img-src-redirect-upgrade-reporting.https.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini
index 9897405f4ba1..ff1df242a63e 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-cross-origin-image-from-script.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected cross-origin URLs are not stripped.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini
index 935332b40a75..6297148e4a1e 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-cross-origin-image.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected cross-origin URLs are not stripped.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini
index a5d23657ac3a..aa7b3f4fc310 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-image-from-script.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected cross-origin URLs are not stripped.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini
index 601bd2bbd593..53bc364f7173 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html.ini
@@ -1,5 +1,6 @@
 [securitypolicyviolation-block-image.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Non-redirected same-origin URLs are not stripped.]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
index df039fd00d4c..ae2167e3f159 100644
--- a/testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
+++ b/testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
@@ -1,6 +1,6 @@
 [targeting.html]
   type: testharness
-  prefs: [dom.webcomponents.enabled:true]
+  prefs: [dom.webcomponents.enabled:true, security.csp.enable_violation_events:true]
   expected: TIMEOUT
   [These tests should not fail.]
     expected: NOTRUN
diff --git a/testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini b/testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
index 426b76de29d2..4fa1e49c217e 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
@@ -1,4 +1,5 @@
 [inline-style-allowed-while-cloning-objects.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that violation report event was fired]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini
index 415c397ec4d9..be96099e9596 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-hash-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini
index bd4f330a36d1..26a87d38eeff 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-injected-inline-style-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini
index d4ee79134356..a29bd6cbe9b5 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [style-src-injected-stylesheet-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
index 9cb664e9e05d..f269017e7161 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-inline-style-attribute-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini
index f0dec6a2c99d..8b713df61df0 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-inline-style-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini
index 64d761279450..98cecd11dc1d 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini
@@ -1,6 +1,7 @@
 [style-src-inline-style-nonce-blocked-error-event.html]
   type: testharness
   expected: TIMEOUT
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini
index 6e60ae1079f5..e6322d10d788 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-inline-style-nonce-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini
index 6f88f6bff1bb..a1d7b9ea8e8f 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-none-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-none-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini b/testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini
index 8daf1a23d1a4..c049e68a6366 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini
@@ -1,5 +1,6 @@
 [style-src-stylesheet-nonce-blocked.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire a securitypolicyviolation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini
index 338d9e32a9d7..2f1635052801 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini
@@ -1,5 +1,6 @@
 [stylehash-basic-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src"\]]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini b/testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini
index ba5ca4decbe0..92da8fd173b9 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini
@@ -1,4 +1,5 @@
 [stylenonce-allowed.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire securitypolicyviolation]
     expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini
index 9bdc0f4c4681..369cbe429295 100644
--- a/testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini
@@ -1,4 +1,5 @@
 [stylenonce-blocked.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire securitypolicyviolation]
     expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini b/testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini
index dcc7adcff388..f10741693074 100644
--- a/testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/svg/object-in-svg-foreignobject.sub.html.ini
@@ -1,5 +1,6 @@
 [object-in-svg-foreignobject.sub.html]
   type: testharness
+  prefs: [security.csp.enable_violation_events:true]
   [Should throw a securitypolicyviolation]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini b/testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini
index 04503b1320a9..ca5faf59d25d 100644
--- a/testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/svg/svg-inline.sub.html.ini
@@ -1,4 +1,5 @@
 [svg-inline.sub.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Should fire violation event]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini
index 4d8a166d5baa..b53fc6512365 100644
--- a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini
+++ b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_allowed.html.ini
@@ -1,4 +1,5 @@
 [script_event_handlers_allowed.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the inline event handler is allowed to run]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini
index 4112891d8378..a06663733e1f 100644
--- a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini
+++ b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html.ini
@@ -1,4 +1,5 @@
 [script_event_handlers_denied_matching_hash_no_unsafe_inline_attribute.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the inline event handler is not allowed to run]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini
index efc919174c94..b700977fc859 100644
--- a/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini
+++ b/testing/web-platform/meta/content-security-policy/unsafe-hashed-attributes/script_event_handlers_denied_not_matching_hash.html.ini
@@ -1,4 +1,5 @@
 [script_event_handlers_denied_not_matching_hash.html]
+  prefs: [security.csp.enable_violation_events:true]
   [Test that the inline event handler is not allowed to run]
     expected: FAIL