From d9291168cd5aae925382e2441a85bc46f2ecb68d Mon Sep 17 00:00:00 2001
From: Garrett Robinson <grobinson@mozilla.com>
Date: Wed, 4 Jun 2014 15:24:38 -0700
Subject: [PATCH] Bug 988616 - Split CSP tests for CSP (1.0) and X-CSP, and
 update build system files r=sstamm r=ckerschb

---
 .../test/csp/file_csp_redirects_main.html     |  11 +-
 content/base/test/csp/file_csp_report.sjs     |   4 +-
 ...ulti_policy_injection_bypass.html^headers^ |   2 +-
 ...ti_policy_injection_bypass_2.html^headers^ |   2 +-
 .../base/test/csp/file_redirect_content.sjs   |   2 +-
 ...e_subframe_run_js_if_allowed.html^headers^ |   2 +-
 content/base/test/csp/mochitest.ini           |  26 ----
 content/base/test/csp/test_CSP.html           |  22 +--
 .../base/test/csp/test_CSP_evalscript.html    |  11 +-
 .../test_CSP_evalscript_getCRMFRequest.html   |  10 +-
 .../test/csp/test_CSP_frameancestors.html     |  18 +--
 .../base/test/csp/test_CSP_inlinescript.html  |  33 ++---
 .../base/test/csp/test_CSP_inlinestyle.html   | 135 +++++++-----------
 content/base/test/csp/test_csp_bug768029.html |   3 +-
 content/base/test/csp/test_csp_bug773891.html |   5 +-
 content/base/test/csp/test_csp_redirects.html |  20 +--
 content/base/test/moz.build                   |   1 +
 content/base/test/xcsp/file_CSP.css           |   2 +-
 .../test/xcsp/file_CSP_frameancestors_main.js |   6 +-
 .../test/xcsp/file_csp_redirects_main.html    |  11 +-
 content/base/test/xcsp/mochitest.ini          |  96 -------------
 content/base/test/xcsp/test_CSP.html          |  20 ---
 .../base/test/xcsp/test_CSP_evalscript.html   |   9 +-
 .../test_CSP_evalscript_getCRMFRequest.html   |   8 +-
 .../test/xcsp/test_CSP_frameancestors.html    |  16 +--
 .../base/test/xcsp/test_CSP_inlinescript.html |  41 +-----
 .../base/test/xcsp/test_CSP_inlinestyle.html  |  79 +---------
 .../base/test/xcsp/test_csp_redirects.html    |  18 ---
 content/base/test/xcsp/test_csp_report.html   |   2 +-
 29 files changed, 102 insertions(+), 513 deletions(-)

diff --git a/content/base/test/csp/file_csp_redirects_main.html b/content/base/test/csp/file_csp_redirects_main.html
index 102f74692821..44d28a99ff74 100644
--- a/content/base/test/csp/file_csp_redirects_main.html
+++ b/content/base/test/csp/file_csp_redirects_main.html
@@ -11,16 +11,7 @@ var thisSite = "http://mochi.test:8888";
 var otherSite = "http://example.com";
 var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
 
-var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
-              "frame-src": thisSite+page+"?testid=frame-src&csp=1",
-              "img-src":  thisSite+page+"?testid=img-src&csp=1",
-              "media-src":  thisSite+page+"?testid=media-src&csp=1",
-              "object-src":  thisSite+page+"?testid=object-src&csp=1",
-              "script-src":  thisSite+page+"?testid=script-src&csp=1",
-              "style-src":  thisSite+page+"?testid=style-src&csp=1",
-              "worker":  thisSite+page+"?testid=worker&csp=1",
-              "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
-              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
+var tests = { "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
               "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
               "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
               "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
diff --git a/content/base/test/csp/file_csp_report.sjs b/content/base/test/csp/file_csp_report.sjs
index baf88b02d4a6..deffff4079e7 100644
--- a/content/base/test/csp/file_csp_report.sjs
+++ b/content/base/test/csp/file_csp_report.sjs
@@ -14,8 +14,8 @@ function handleRequest(request, response)
   response.setHeader("Cache-Control", "no-cache", false);
 
   // set CSP header
-  response.setHeader("X-Content-Security-Policy",
-                     "allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
+  response.setHeader("Content-Security-Policy",
+                     "default-src 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
                      false);
 
   // content which will trigger a violation report
diff --git a/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^ b/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
index fc46a167c3df..e1b64a9220c1 100644
--- a/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
+++ b/content/base/test/csp/file_multi_policy_injection_bypass.html^headers^
@@ -1 +1 @@
-X-Content-Security-Policy: default-src 'self', allow *
+Content-Security-Policy: default-src 'self', default-src *
diff --git a/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^ b/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
index 772246e1247e..bb6e88837891 100644
--- a/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
+++ b/content/base/test/csp/file_multi_policy_injection_bypass_2.html^headers^
@@ -1 +1 @@
-X-Content-Security-Policy: default-src 'self'   ,    allow *
+X-Content-Security-Policy: default-src 'self'   ,    default-src *
diff --git a/content/base/test/csp/file_redirect_content.sjs b/content/base/test/csp/file_redirect_content.sjs
index 9a6461d69bbf..f06315098d2d 100644
--- a/content/base/test/csp/file_redirect_content.sjs
+++ b/content/base/test/csp/file_redirect_content.sjs
@@ -25,7 +25,7 @@ function handleRequest(request, response) {
 
   var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
 
-  response.setHeader("X-Content-Security-Policy", csp, false);
+  response.setHeader("Content-Security-Policy", csp, false);
 
   // the actual file content.
   // this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
diff --git a/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^ b/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
index 426d8738c602..233b3593106b 100644
--- a/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
+++ b/content/base/test/csp/file_subframe_run_js_if_allowed.html^headers^
@@ -1 +1 @@
-X-Content-Security-Policy: default-src *; options inline-script
+Content-Security-Policy: default-src *; script-src 'unsafe-inline'
diff --git a/content/base/test/csp/mochitest.ini b/content/base/test/csp/mochitest.ini
index 7fdf90e83b55..d865284014fb 100644
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -17,15 +17,9 @@ support-files =
   file_CSP_bug885433_blocks.html^headers^
   file_CSP_bug888172.html
   file_CSP_bug888172.sjs
-  file_CSP_bug916446.html
-  file_CSP_bug916446.html^headers^
-  file_CSP_evalscript_main.html
-  file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main.js
   file_CSP_evalscript_main_allowed.js
   file_CSP_evalscript_main_allowed_getCRMFRequest.js
-  file_CSP_evalscript_main_getCRMFRequest.html
-  file_CSP_evalscript_main_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_getCRMFRequest.js
   file_CSP_evalscript_main_spec_compliant.html
   file_CSP_evalscript_main_spec_compliant.html^headers^
@@ -38,32 +32,20 @@ support-files =
   file_CSP_evalscript_no_CSP_at_all.html
   file_CSP_evalscript_no_CSP_at_all.html^headers^
   file_CSP_evalscript_no_CSP_at_all.js
-  file_CSP_frameancestors.sjs
-  file_CSP_frameancestors_main.html
-  file_CSP_frameancestors_main.js
   file_CSP_frameancestors_main_spec_compliant.html
   file_CSP_frameancestors_main_spec_compliant.js
   file_CSP_frameancestors_spec_compliant.sjs
-  file_CSP_inlinescript_main.html
-  file_CSP_inlinescript_main.html^headers^
   file_CSP_inlinescript_main_spec_compliant.html
   file_CSP_inlinescript_main_spec_compliant.html^headers^
   file_CSP_inlinescript_main_spec_compliant_allowed.html
   file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
-  file_CSP_inlinestyle_main.html
-  file_CSP_inlinestyle_main.html^headers^
   file_CSP_inlinestyle_main_spec_compliant.html
   file_CSP_inlinestyle_main_spec_compliant.html^headers^
   file_CSP_inlinestyle_main_spec_compliant_allowed.html
   file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
-  file_CSP_main.html
-  file_CSP_main.html^headers^
-  file_CSP_main.js
   file_CSP_main_spec_compliant.html
   file_CSP_main_spec_compliant.html^headers^
   file_CSP_main_spec_compliant.js
-  file_bothCSPheaders.html
-  file_bothCSPheaders.html^headers^
   file_bug836922_npolicies.html
   file_bug836922_npolicies.html^headers^
   file_bug836922_npolicies_ro_violation.sjs
@@ -104,8 +86,6 @@ support-files =
   file_CSP_bug941404_xhr.html^headers^
   file_hash_source.html
   file_hash_source.html^headers^
-  file_dual_headers_warning.html
-  file_dual_headers_warning.html^headers^
   file_self_none_as_hostname_confusion.html
   file_self_none_as_hostname_confusion.html^headers^
   file_csp_testserver.sjs
@@ -114,8 +94,6 @@ support-files =
   file_report_uri_missing_in_report_only_header.html
   file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.sjs
-  file_policyuri_async_fetch.html
-  file_policyuri_async_fetch.html^headers^
   file_redirect_content.sjs
   file_redirect_report.sjs
   file_subframe_run_js_if_allowed.html
@@ -130,7 +108,6 @@ support-files =
 [test_CSP_bug802872.html]
 [test_CSP_bug885433.html]
 [test_CSP_bug888172.html]
-[test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
 [test_CSP_evalscript_getCRMFRequest.html]
 skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
@@ -138,7 +115,6 @@ skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) wi
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
-[test_bothCSPheaders.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
 [test_csp_redirects.html]
@@ -149,14 +125,12 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
-[test_dual_headers_warning.html]
 [test_self_none_as_hostname_confusion.html]
 [test_bug949549.html]
 [test_csp_regexp_parsing.html]
 [test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
-[test_policyuri_async_fetch.html]
 [test_301_redirect.html]
 [test_302_redirect.html]
 [test_303_redirect.html]
diff --git a/content/base/test/csp/test_CSP.html b/content/base/test/csp/test_CSP.html
index 24a1d711ba21..79b452be0ce1 100644
--- a/content/base/test/csp/test_CSP.html
+++ b/content/base/test/csp/test_CSP.html
@@ -10,30 +10,11 @@
 <div id="content" style="display: none">
 </div>
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 window.tests = {
-  img_good: -1,
-  img_bad: -1,
-  style_good: -1,
-  style_bad: -1,
-  frame_good: -1,
-  frame_bad: -1,
-  script_good: -1,
-  script_bad: -1,
-  xhr_good: -1,
-  xhr_bad: -1,
-  media_good: -1,
-  media_bad: -1,
-  font_good: -1,
-  font_bad: -1,
-  object_good: -1,
-  object_bad: -1,
   img_spec_compliant_good: -1,
   img_spec_compliant_bad: -1,
   style_spec_compliant_good: -1,
@@ -130,8 +111,7 @@ SpecialPowers.pushPrefEnv(
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
+      document.getElementById('cspframe').src = 'file_CSP_main_spec_compliant.html';
     });
 </script>
 </pre>
diff --git a/content/base/test/csp/test_CSP_evalscript.html b/content/base/test/csp/test_CSP_evalscript.html
index 6857277e25b7..c758d8670a34 100644
--- a/content/base/test/csp/test_CSP_evalscript.html
+++ b/content/base/test/csp/test_CSP_evalscript.html
@@ -11,14 +11,11 @@
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 24;
+var evalScriptsTotal = 16;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
@@ -54,10 +51,8 @@ SpecialPowers.pushPrefEnv(
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
-      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
     });
 </script>
 </pre>
diff --git a/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html b/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
index c3eee193b178..326bbf136dfe 100644
--- a/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
+++ b/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
@@ -12,14 +12,13 @@
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/content/base/test/csp/";
 
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 4;
+var evalScriptsTotal = 3;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
@@ -54,10 +53,9 @@ SpecialPowers.pushPrefEnv(
     function() {
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
-      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
-      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
diff --git a/content/base/test/csp/test_CSP_frameancestors.html b/content/base/test/csp/test_CSP_frameancestors.html
index b294ac153fba..2cad1b20a863 100644
--- a/content/base/test/csp/test_CSP_frameancestors.html
+++ b/content/base/test/csp/test_CSP_frameancestors.html
@@ -10,24 +10,11 @@
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 var framesThatShouldLoad = {
-  aa_allow: -1,    /* innermost frame allows a */
-  //aa_block: -1,    /* innermost frame denies a */
-  ab_allow: -1,    /* innermost frame allows a */
-  //ab_block: -1,    /* innermost frame denies a */
-  aba_allow: -1,   /* innermost frame allows b,a */
-  //aba_block: -1,   /* innermost frame denies b */
-  //aba2_block: -1,  /* innermost frame denies a */
-  abb_allow: -1,   /* innermost frame allows b,a */
-  //abb_block: -1,   /* innermost frame denies b */
-  //abb2_block: -1,  /* innermost frame denies a */
   aa_allow_spec_compliant: -1,    /* innermost frame allows a *
   //aa_block_spec_compliant: -1,    /* innermost frame denies a */
   ab_allow_spec_compliant: -1,    /* innermost frame allows a */
@@ -40,7 +27,7 @@ var framesThatShouldLoad = {
   //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };
 
-var expectedViolationsLeft = 12;
+var expectedViolationsLeft = 6;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
@@ -126,8 +113,7 @@ SpecialPowers.pushPrefEnv(
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
-    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
+    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main_spec_compliant.html';
   });
 
 </script>
diff --git a/content/base/test/csp/test_CSP_inlinescript.html b/content/base/test/csp/test_CSP_inlinescript.html
index f8ec16bf533d..216d5ab1d3fa 100644
--- a/content/base/test/csp/test_CSP_inlinescript.html
+++ b/content/base/test/csp/test_CSP_inlinescript.html
@@ -11,16 +11,13 @@
 <div id="content" style="display: none">
 </div>
 
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 var inlineScriptsThatRan = 0;
 var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 12;
+var inlineScriptsTotal = 8;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
@@ -79,8 +76,8 @@ var checkTestResults = function() {
   // The four scripts in the page with 'unsafe-inline' should run.
   is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
 
-  // The other eight scripts in the other two pages should be blocked.
-  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
+  // The four scripts in the other page should be blocked.
+  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
 
   // ... otherwise, finish
   window.examiner.remove();
@@ -92,10 +89,10 @@ var checkTestResults = function() {
 window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 
-function clickit() {
-  var cspframe = document.getElementById('cspframe');
-  var a = cspframe.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
+function clickit1() {
+  var cspframe1 = document.getElementById('cspframe1');
+  var a = cspframe1.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe1.contentWindow);
 }
 
 function clickit2() {
@@ -104,23 +101,15 @@ function clickit2() {
   sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
 }
 
-function clickit3() {
-  var cspframe3 = document.getElementById('cspframe3');
-  var a = cspframe3.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
-}
-
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
-    document.getElementById('cspframe').addEventListener('load', clickit, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+    document.getElementById('cspframe1').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+    document.getElementById('cspframe1').addEventListener('load', clickit1, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
     document.getElementById('cspframe2').addEventListener('load', clickit2, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
   });
 </script>
 </pre>
diff --git a/content/base/test/csp/test_CSP_inlinestyle.html b/content/base/test/csp/test_CSP_inlinestyle.html
index 203bf69d2d17..5b684030fe89 100644
--- a/content/base/test/csp/test_CSP_inlinestyle.html
+++ b/content/base/test/csp/test_CSP_inlinestyle.html
@@ -10,33 +10,68 @@
 <div id="content" style="display: none">
 </div>
 
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe1'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
-
 //////////////////////////////////////////////////////////////////////
 // set up and go
 SimpleTest.waitForExplicitFinish();
 
 var done = 0;
 
-// Our original CSP implementation does not block inline styles.
-function checkStyles(evt) {
-  var cspframe = document.getElementById('cspframe');
+// When a CSP 1.0 compliant policy is specified we should block inline
+// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
+// (when it's not explicitly allowed.)
+function checkStylesSpecCompliant(evt) {
+  var cspframe = document.getElementById('cspframe1');
   var color;
 
   // black means the style wasn't applied.  green colors are used for styles
   //expected to be applied.  A color is red if a style is erroneously applied
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
+  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
+  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
+// When a CSP 1.0 compliant policy is specified we should allow inline
+// styles when it is explicitly allowed.
+function checkStylesSpecCompliantAllowed(evt) {
+  var cspframe = document.getElementById('cspframe2');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  // expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
+
+  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
+  // since it relies on executing script to set .cssText
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
   // SMIL tests
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
@@ -46,72 +81,8 @@ function checkStyles(evt) {
   ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
   color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
   ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-  checkIfDone();
-}
 
-// When a CSP 1.0 compliant policy is specified we should block inline
-// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
-// (when it's not explicitly allowed.)
-function checkStylesSpecCompliant(evt) {
-  var cspframe = document.getElementById('cspframe2');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  //expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should allow inline
-// styles when it is explicitly allowed.
-function checkStylesSpecCompliantAllowed(evt) {
-  var cspframe = document.getElementById('cspframe3');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  // expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
-
-  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
-  // since it relies on executing script to set .cssText
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
   ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
 
   checkIfDone();
@@ -119,7 +90,7 @@ function checkStylesSpecCompliantAllowed(evt) {
 
 function checkIfDone() {
   done++;
-  if (done == 3)
+  if (done == 2)
     SimpleTest.finish();
 }
 
@@ -128,12 +99,10 @@ SpecialPowers.pushPrefEnv(
   function() {
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
-    document.getElementById('cspframe').addEventListener('load', checkStyles, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
+    document.getElementById('cspframe1').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
+    document.getElementById('cspframe1').addEventListener('load', checkStylesSpecCompliant, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliantAllowed, false);
   }
 );
 </script>
diff --git a/content/base/test/csp/test_csp_bug768029.html b/content/base/test/csp/test_csp_bug768029.html
index d455326c4cb7..997ce18d9165 100644
--- a/content/base/test/csp/test_csp_bug768029.html
+++ b/content/base/test/csp/test_csp_bug768029.html
@@ -213,7 +213,8 @@ SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
                                    ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
                                    ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
                                    ["security.mixed_content.block_active_content", false],
-                                   ["security.mixed_content.block_display_content", false]]},
+                                   ["security.mixed_content.block_display_content", false],
+                                   ["security.csp.speccompliant", true]]},
                           function() {  gTestRunner.next(); });
 
 
diff --git a/content/base/test/csp/test_csp_bug773891.html b/content/base/test/csp/test_csp_bug773891.html
index 8d0736fb7904..aaec3f3dc371 100644
--- a/content/base/test/csp/test_csp_bug773891.html
+++ b/content/base/test/csp/test_csp_bug773891.html
@@ -1,7 +1,7 @@
 <!DOCTYPE HTML>
 <html>
 <!--
-  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
+  https://bugzilla.mozilla.org/show_bug.cgi?id=773891
 -->
 <head>
   <meta charset="utf-8">
@@ -218,7 +218,8 @@ SpecialPowers.addPermission("browser", true, "https://example.com");
 
 SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
                                    ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
-                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
+                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
+                                   ["security.csp.speccompliant", true]]},
                           function() {  gTestRunner.next(); });
 
 
diff --git a/content/base/test/csp/test_csp_redirects.html b/content/base/test/csp/test_csp_redirects.html
index b1f603bf2389..a23901c12362 100644
--- a/content/base/test/csp/test_csp_redirects.html
+++ b/content/base/test/csp/test_csp_redirects.html
@@ -68,25 +68,7 @@ examiner.prototype  = {
 window.examiner = new examiner();
 
 // contains { test_frame_id : expected_result }
-var testExpectedResults = { "font-src": true,
-                            "font-src-redir": false,
-                            "frame-src": true,
-                            "frame-src-redir": false,
-                            "img-src": true,
-                            "img-src-redir": false,
-                            "media-src": true,
-                            "media-src-redir": false,
-                            "object-src": true,
-                            "object-src-redir": false,
-                            "script-src": true,
-                            "script-src-redir": false,
-                            "style-src": true,
-                            "style-src-redir": false,
-                            "worker": true,
-                            "worker-redir": false,
-                            "xhr-src": true,
-                            "xhr-src-redir": false,
-                            "font-src-spec-compliant": true,
+var testExpectedResults = { "font-src-spec-compliant": true,
                             "font-src-redir-spec-compliant": false,
                             "frame-src-spec-compliant": true,
                             "frame-src-redir-spec-compliant": false,
diff --git a/content/base/test/moz.build b/content/base/test/moz.build
index 9a8b309ce7eb..f1a059ae904b 100644
--- a/content/base/test/moz.build
+++ b/content/base/test/moz.build
@@ -6,6 +6,7 @@
 
 TEST_TOOL_DIRS += [
     'csp',
+    'xcsp',
     'websocket_hybi',
 ]
 
diff --git a/content/base/test/xcsp/file_CSP.css b/content/base/test/xcsp/file_CSP.css
index f83930e541c6..25e1a5b9dacc 100644
--- a/content/base/test/xcsp/file_CSP.css
+++ b/content/base/test/xcsp/file_CSP.css
@@ -12,7 +12,7 @@
 }
 @font-face {
   font-family: "arbitrary_bad";
-  src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
+  src: url('http://example.org/tests/content/base/test/xcsp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
 }
 
 .div_arbitrary_good { font-family: "arbitrary_good"; }
diff --git a/content/base/test/xcsp/file_CSP_frameancestors_main.js b/content/base/test/xcsp/file_CSP_frameancestors_main.js
index d32c53a8371f..a819580edcbb 100644
--- a/content/base/test/xcsp/file_CSP_frameancestors_main.js
+++ b/content/base/test/xcsp/file_CSP_frameancestors_main.js
@@ -4,9 +4,9 @@ function setupFrames() {
 
   var $ = function(v) { return document.getElementById(v); }
   var base = {
-        self: '/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
-        a: 'http://mochi.test:8888/tests/content/base/test/csp/file_CSP_frameancestors.sjs',
-        b: 'http://example.com/tests/content/base/test/csp/file_CSP_frameancestors.sjs'
+        self: '/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
+        a: 'http://mochi.test:8888/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs',
+        b: 'http://example.com/tests/content/base/test/xcsp/file_CSP_frameancestors.sjs'
   };
 
   var host = { a: 'http://mochi.test:8888', b: 'http://example.com:80' };
diff --git a/content/base/test/xcsp/file_csp_redirects_main.html b/content/base/test/xcsp/file_csp_redirects_main.html
index 102f74692821..a6ee0b0aa26c 100644
--- a/content/base/test/xcsp/file_csp_redirects_main.html
+++ b/content/base/test/xcsp/file_csp_redirects_main.html
@@ -9,7 +9,7 @@
 <script>
 var thisSite = "http://mochi.test:8888";
 var otherSite = "http://example.com";
-var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
+var page = "/tests/content/base/test/xcsp/file_csp_redirects_page.sjs";
 
 var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
               "frame-src": thisSite+page+"?testid=frame-src&csp=1",
@@ -20,15 +20,6 @@ var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
               "style-src":  thisSite+page+"?testid=style-src&csp=1",
               "worker":  thisSite+page+"?testid=worker&csp=1",
               "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
-              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
-              "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
-              "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
-              "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
-              "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
-              "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
-              "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
-              "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
-              "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
             };
 
 var container = document.getElementById("container");
diff --git a/content/base/test/xcsp/mochitest.ini b/content/base/test/xcsp/mochitest.ini
index 7fdf90e83b55..eec01cd447c3 100644
--- a/content/base/test/xcsp/mochitest.ini
+++ b/content/base/test/xcsp/mochitest.ini
@@ -2,84 +2,29 @@
 support-files =
   file_CSP.css
   file_CSP.sjs
-  file_CSP_bug663567.xsl
-  file_CSP_bug663567_allows.xml
-  file_CSP_bug663567_allows.xml^headers^
-  file_CSP_bug663567_blocks.xml
-  file_CSP_bug663567_blocks.xml^headers^
-  file_CSP_bug802872.html
-  file_CSP_bug802872.html^headers^
-  file_CSP_bug802872.js
-  file_CSP_bug802872.sjs
-  file_CSP_bug885433_allows.html
-  file_CSP_bug885433_allows.html^headers^
-  file_CSP_bug885433_blocks.html
-  file_CSP_bug885433_blocks.html^headers^
-  file_CSP_bug888172.html
-  file_CSP_bug888172.sjs
   file_CSP_bug916446.html
   file_CSP_bug916446.html^headers^
   file_CSP_evalscript_main.html
   file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main.js
-  file_CSP_evalscript_main_allowed.js
-  file_CSP_evalscript_main_allowed_getCRMFRequest.js
   file_CSP_evalscript_main_getCRMFRequest.html
   file_CSP_evalscript_main_getCRMFRequest.html^headers^
   file_CSP_evalscript_main_getCRMFRequest.js
-  file_CSP_evalscript_main_spec_compliant.html
-  file_CSP_evalscript_main_spec_compliant.html^headers^
-  file_CSP_evalscript_main_spec_compliant_allowed.html
-  file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
-  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
-  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
-  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
-  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
   file_CSP_evalscript_no_CSP_at_all.html
   file_CSP_evalscript_no_CSP_at_all.html^headers^
   file_CSP_evalscript_no_CSP_at_all.js
   file_CSP_frameancestors.sjs
   file_CSP_frameancestors_main.html
   file_CSP_frameancestors_main.js
-  file_CSP_frameancestors_main_spec_compliant.html
-  file_CSP_frameancestors_main_spec_compliant.js
-  file_CSP_frameancestors_spec_compliant.sjs
   file_CSP_inlinescript_main.html
   file_CSP_inlinescript_main.html^headers^
-  file_CSP_inlinescript_main_spec_compliant.html
-  file_CSP_inlinescript_main_spec_compliant.html^headers^
-  file_CSP_inlinescript_main_spec_compliant_allowed.html
-  file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
   file_CSP_inlinestyle_main.html
   file_CSP_inlinestyle_main.html^headers^
-  file_CSP_inlinestyle_main_spec_compliant.html
-  file_CSP_inlinestyle_main_spec_compliant.html^headers^
-  file_CSP_inlinestyle_main_spec_compliant_allowed.html
-  file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
   file_CSP_main.html
   file_CSP_main.html^headers^
   file_CSP_main.js
-  file_CSP_main_spec_compliant.html
-  file_CSP_main_spec_compliant.html^headers^
-  file_CSP_main_spec_compliant.js
   file_bothCSPheaders.html
   file_bothCSPheaders.html^headers^
-  file_bug836922_npolicies.html
-  file_bug836922_npolicies.html^headers^
-  file_bug836922_npolicies_ro_violation.sjs
-  file_bug836922_npolicies_violation.sjs
-  file_bug886164.html
-  file_bug886164.html^headers^
-  file_bug886164_2.html
-  file_bug886164_2.html^headers^
-  file_bug886164_3.html
-  file_bug886164_3.html^headers^
-  file_bug886164_4.html
-  file_bug886164_4.html^headers^
-  file_bug886164_5.html
-  file_bug886164_5.html^headers^
-  file_bug886164_6.html
-  file_bug886164_6.html^headers^
   file_csp_bug768029.html
   file_csp_bug768029.sjs
   file_csp_bug773891.html
@@ -87,32 +32,8 @@ support-files =
   file_csp_redirects_main.html
   file_csp_redirects_page.sjs
   file_csp_redirects_resource.sjs
-  file_CSP_bug910139.sjs
-  file_CSP_bug910139.xml
-  file_CSP_bug910139.xsl
-  file_CSP_bug909029_star.html
-  file_CSP_bug909029_star.html^headers^
-  file_CSP_bug909029_none.html
-  file_CSP_bug909029_none.html^headers^
-  file_policyuri_regression_from_multipolicy.html
-  file_policyuri_regression_from_multipolicy.html^headers^
-  file_policyuri_regression_from_multipolicy_policy
-  file_nonce_source.html
-  file_nonce_source.html^headers^
-  file_CSP_bug941404.html
-  file_CSP_bug941404_xhr.html
-  file_CSP_bug941404_xhr.html^headers^
-  file_hash_source.html
-  file_hash_source.html^headers^
   file_dual_headers_warning.html
   file_dual_headers_warning.html^headers^
-  file_self_none_as_hostname_confusion.html
-  file_self_none_as_hostname_confusion.html^headers^
-  file_csp_testserver.sjs
-  file_csp_regexp_parsing.html
-  file_csp_regexp_parsing.js
-  file_report_uri_missing_in_report_only_header.html
-  file_report_uri_missing_in_report_only_header.html^headers^
   file_csp_report.sjs
   file_policyuri_async_fetch.html
   file_policyuri_async_fetch.html^headers^
@@ -126,10 +47,6 @@ support-files =
   file_multi_policy_injection_bypass_2.html^headers^
 
 [test_CSP.html]
-[test_CSP_bug663567.html]
-[test_CSP_bug802872.html]
-[test_CSP_bug885433.html]
-[test_CSP_bug888172.html]
 [test_CSP_bug916446.html]
 [test_CSP_evalscript.html]
 [test_CSP_evalscript_getCRMFRequest.html]
@@ -139,21 +56,8 @@ skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'and
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
 [test_bothCSPheaders.html]
-[test_bug836922_npolicies.html]
-[test_bug886164.html]
 [test_csp_redirects.html]
-[test_CSP_bug910139.html]
-[test_CSP_bug909029.html]
-[test_policyuri_regression_from_multipolicy.html]
-[test_nonce_source.html]
-[test_CSP_bug941404.html]
-[test_hash_source.html]
-skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
 [test_dual_headers_warning.html]
-[test_self_none_as_hostname_confusion.html]
-[test_bug949549.html]
-[test_csp_regexp_parsing.html]
-[test_report_uri_missing_in_report_only_header.html]
 [test_csp_report.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
 [test_policyuri_async_fetch.html]
diff --git a/content/base/test/xcsp/test_CSP.html b/content/base/test/xcsp/test_CSP.html
index 24a1d711ba21..865bc54150d2 100644
--- a/content/base/test/xcsp/test_CSP.html
+++ b/content/base/test/xcsp/test_CSP.html
@@ -10,11 +10,8 @@
 <div id="content" style="display: none">
 </div>
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
-<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 window.tests = {
@@ -34,22 +31,6 @@ window.tests = {
   font_bad: -1,
   object_good: -1,
   object_bad: -1,
-  img_spec_compliant_good: -1,
-  img_spec_compliant_bad: -1,
-  style_spec_compliant_good: -1,
-  style_spec_compliant_bad: -1,
-  frame_spec_compliant_good: -1,
-  frame_spec_compliant_bad: -1,
-  script_spec_compliant_good: -1,
-  script_spec_compliant_bad: -1,
-  xhr_spec_compliant_good: -1,
-  xhr_spec_compliant_bad: -1,
-  media_spec_compliant_good: -1,
-  media_spec_compliant_bad: -1,
-  font_spec_compliant_good: -1,
-  font_spec_compliant_bad: -1,
-  object_spec_compliant_good: -1,
-  object_spec_compliant_bad: -1,
 };
 
 // This is used to watch the blocked data bounce off CSP and allowed data
@@ -131,7 +112,6 @@ SpecialPowers.pushPrefEnv(
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
     });
 </script>
 </pre>
diff --git a/content/base/test/xcsp/test_CSP_evalscript.html b/content/base/test/xcsp/test_CSP_evalscript.html
index 6857277e25b7..c55bf309ea48 100644
--- a/content/base/test/xcsp/test_CSP_evalscript.html
+++ b/content/base/test/xcsp/test_CSP_evalscript.html
@@ -10,15 +10,11 @@
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 24;
+var evalScriptsTotal = 8;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
@@ -55,9 +51,6 @@ SpecialPowers.pushPrefEnv(
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
-      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
diff --git a/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html b/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
index c3eee193b178..2c599f973c65 100644
--- a/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
+++ b/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
@@ -11,15 +11,13 @@
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/content/base/test/csp/";
 
 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 4;
+var evalScriptsTotal = 2;
 
 // called by scripts that run
 var scriptRan = function(shouldrun, testname, data) {
@@ -55,9 +53,7 @@ SpecialPowers.pushPrefEnv(
       // save this for last so that our listeners are registered.
       // ... this loads the testbed of good and bad requests.
       document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
-      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
-      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_no_CSP_at_all.html';
     });
 </script>
 </pre>
diff --git a/content/base/test/xcsp/test_CSP_frameancestors.html b/content/base/test/xcsp/test_CSP_frameancestors.html
index b294ac153fba..419060b86132 100644
--- a/content/base/test/xcsp/test_CSP_frameancestors.html
+++ b/content/base/test/xcsp/test_CSP_frameancestors.html
@@ -10,11 +10,8 @@
 <div id="content" style="display: none">
 </div>
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
 // These are test results: -1 means it hasn't run,
 // true/false is the pass/fail result.
 var framesThatShouldLoad = {
@@ -28,19 +25,9 @@ var framesThatShouldLoad = {
   abb_allow: -1,   /* innermost frame allows b,a */
   //abb_block: -1,   /* innermost frame denies b */
   //abb2_block: -1,  /* innermost frame denies a */
-  aa_allow_spec_compliant: -1,    /* innermost frame allows a *
-  //aa_block_spec_compliant: -1,    /* innermost frame denies a */
-  ab_allow_spec_compliant: -1,    /* innermost frame allows a */
-  //ab_block_spec_compliant: -1,    /* innermost frame denies a */
-  aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
-  //aba_block_spec_compliant: -1,   /* innermost frame denies b */
-  //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
-  abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
-  //abb_block_spec_compliant: -1,   /* innermost frame denies b */
-  //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
 };
 
-var expectedViolationsLeft = 12;
+var expectedViolationsLeft = 6;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
@@ -127,7 +114,6 @@ SpecialPowers.pushPrefEnv(
     // save this for last so that our listeners are registered.
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
-    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
   });
 
 </script>
diff --git a/content/base/test/xcsp/test_CSP_inlinescript.html b/content/base/test/xcsp/test_CSP_inlinescript.html
index f8ec16bf533d..ed0537700ffc 100644
--- a/content/base/test/xcsp/test_CSP_inlinescript.html
+++ b/content/base/test/xcsp/test_CSP_inlinescript.html
@@ -12,15 +12,10 @@
 </div>
 
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
-var inlineScriptsThatRan = 0;
 var inlineScriptsBlocked = 0;
-var inlineScriptsTotal = 12;
+var inlineScriptsTotal = 4;
 
 // This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
@@ -53,14 +48,6 @@ examiner.prototype  = {
   }
 }
 
-// called by scripts that run
-// the first argument is whether the script expects to be allowed or not.
-var scriptRan = function(result, testname, data) {
-  inlineScriptsThatRan++;
-  ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
 // called when a script is blocked
 // -- we can't determine *which* frame was blocked, but at least we can count them
 var scriptBlocked = function(testname, data) {
@@ -69,18 +56,14 @@ var scriptBlocked = function(testname, data) {
   checkTestResults();
 }
 
-
 // Check to see if all the tests have run
 var checkTestResults = function() {
   // if any test is incomplete, keep waiting
-  if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
+  if (inlineScriptsBlocked < inlineScriptsTotal)
     return;
 
-  // The four scripts in the page with 'unsafe-inline' should run.
-  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
-
-  // The other eight scripts in the other two pages should be blocked.
-  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
+  // The other four scripts in the other two pages should be blocked.
+  is(inlineScriptsBlocked, 4, "there should be 4 inline scripts that were blocked");
 
   // ... otherwise, finish
   window.examiner.remove();
@@ -98,18 +81,6 @@ function clickit() {
   sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
 }
 
-function clickit2() {
-  var cspframe2 = document.getElementById('cspframe2');
-  var a = cspframe2.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
-}
-
-function clickit3() {
-  var cspframe3 = document.getElementById('cspframe3');
-  var a = cspframe3.contentDocument.getElementById('anchortoclick');
-  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
-}
-
 SpecialPowers.pushPrefEnv(
   {'set':[["security.csp.speccompliant", true]]},
   function() {
@@ -117,10 +88,6 @@ SpecialPowers.pushPrefEnv(
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
     document.getElementById('cspframe').addEventListener('load', clickit, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', clickit2, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
   });
 </script>
 </pre>
diff --git a/content/base/test/xcsp/test_CSP_inlinestyle.html b/content/base/test/xcsp/test_CSP_inlinestyle.html
index 203bf69d2d17..5beef75d77b5 100644
--- a/content/base/test/xcsp/test_CSP_inlinestyle.html
+++ b/content/base/test/xcsp/test_CSP_inlinestyle.html
@@ -11,13 +11,8 @@
 </div>
 
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
 <script class="testbody" type="text/javascript">
 
-var path = "/tests/content/base/test/csp/";
-
-
 //////////////////////////////////////////////////////////////////////
 // set up and go
 SimpleTest.waitForExplicitFinish();
@@ -49,77 +44,9 @@ function checkStyles(evt) {
   checkIfDone();
 }
 
-// When a CSP 1.0 compliant policy is specified we should block inline
-// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
-// (when it's not explicitly allowed.)
-function checkStylesSpecCompliant(evt) {
-  var cspframe = document.getElementById('cspframe2');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  //expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
-// When a CSP 1.0 compliant policy is specified we should allow inline
-// styles when it is explicitly allowed.
-function checkStylesSpecCompliantAllowed(evt) {
-  var cspframe = document.getElementById('cspframe3');
-  var color;
-
-  // black means the style wasn't applied.  green colors are used for styles
-  // expected to be applied.  A color is red if a style is erroneously applied
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
-
-  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
-  // since it relies on executing script to set .cssText
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
-  // SMIL tests
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
-  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
-
-  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
-  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
-
-  checkIfDone();
-}
-
 function checkIfDone() {
   done++;
-  if (done == 3)
+  if (done == 1)
     SimpleTest.finish();
 }
 
@@ -130,10 +57,6 @@ SpecialPowers.pushPrefEnv(
     // ... this loads the testbed of good and bad requests.
     document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
     document.getElementById('cspframe').addEventListener('load', checkStyles, false);
-    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
-    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
-    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
-    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
   }
 );
 </script>
diff --git a/content/base/test/xcsp/test_csp_redirects.html b/content/base/test/xcsp/test_csp_redirects.html
index b1f603bf2389..40140edb1e8c 100644
--- a/content/base/test/xcsp/test_csp_redirects.html
+++ b/content/base/test/xcsp/test_csp_redirects.html
@@ -86,24 +86,6 @@ var testExpectedResults = { "font-src": true,
                             "worker-redir": false,
                             "xhr-src": true,
                             "xhr-src-redir": false,
-                            "font-src-spec-compliant": true,
-                            "font-src-redir-spec-compliant": false,
-                            "frame-src-spec-compliant": true,
-                            "frame-src-redir-spec-compliant": false,
-                            "img-src-spec-compliant": true,
-                            "img-src-redir-spec-compliant": false,
-                            "media-src-spec-compliant": true,
-                            "media-src-redir-spec-compliant": false,
-                            "object-src-spec-compliant": true,
-                            "object-src-redir-spec-compliant": false,
-                            "script-src-spec-compliant": true,
-                            "script-src-redir-spec-compliant": false,
-                            "style-src-spec-compliant": true,
-                            "style-src-redir-spec-compliant": false,
-                            "worker-spec-compliant": true,
-                            "worker-redir-spec-compliant": false,
-                            "xhr-src-spec-compliant": true,
-                            "xhr-src-redir-spec-compliant": false,
                           };
 
 // takes the name of the test, the URL that was tested, and whether the
diff --git a/content/base/test/xcsp/test_csp_report.html b/content/base/test/xcsp/test_csp_report.html
index 1462bd85e466..b6ca7f433fac 100644
--- a/content/base/test/xcsp/test_csp_report.html
+++ b/content/base/test/xcsp/test_csp_report.html
@@ -82,7 +82,7 @@ window.checkResults = function(reportObj) {
   var cspReport = reportObj["csp-report"];
   // correct violating request
   is(cspReport["document-uri"],
-     "http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
+     "http://mochi.test:8888/tests/content/base/test/xcsp/" + testFile,
      "Incorrect violating request");
   // correct blocked-uri
   is(cspReport["blocked-uri"],