diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
index 76e9576e8b118..0c2a43a6e653b 100644
--- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
@@ -1,26 +1,15 @@
 <!DOCTYPE HTML>
 <html>
-
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
-    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
-    <!--
-    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();'
-    -->
-    <script src='/resources/testharness.js' nonce='abc'></script>
-    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
 </head>
-
 <body>
-    <div id='log'></div>
-    <a href='javascript:t1.done();' id='test'>
-    <script nonce='abc'>
-        var t1 = async_test("Test that the javascript: src is allowed to run");
-
-        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
-
-        document.getElementById('test').click();
+    <script nonce="abc">
+    runTest(true, '<a href>', '');
     </script>
 </body>
-
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
new file mode 100644
index 0000000000000..f2b3e1ff72c4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    // script-src-attr CSP should not have effects because navigation CSP
+    // checks are done against script-src-elem.
+    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
new file mode 100644
index 0000000000000..642d9768a5135
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(true, '<a href target=_blank>', '');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
index 007338bc45eb8..a321521e04315 100644
--- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
@@ -1,26 +1,15 @@
 <!DOCTYPE HTML>
 <html>
-
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
-    'sha256-WZYVPzLjoxd1Cbc8gcx07ChlPmT3WP+KxkOiY0s4h8g=';">
-    <!--
-    'sha256-WZYVPzLjoxd1Cbc8gcx07ChlPmT3WP+KxkOiY0s4h8g=' ==> 'javascript:opener.t1.done();'
-    -->
-    <script src='/resources/testharness.js' nonce='abc'></script>
-    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
 </head>
-
 <body>
-    <div id='log'></div>
-    <a target="_blank" rel="opener" href='javascript:opener.t1.done();' id='test'>
-    <script nonce='abc'>
-        var t1 = async_test("Test that the javascript: src is allowed to run");
-
-        window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
-
-        document.getElementById('test').click();
+    <script nonce="abc">
+    runTest(true, '<a href target=_blank>', '');
     </script>
 </body>
-
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
index 991200ac0daaa..0f0dc67aa3176 100644
--- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
@@ -1,29 +1,15 @@
 <!DOCTYPE HTML>
 <html>
-
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
-    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';">
-    <!--
-    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
-    -->
-    <script src='/resources/testharness.js' nonce='abc'></script>
-    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
 </head>
-
 <body>
-    <div id='log'></div>
-    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
-    <script nonce='abc'>
-        var t1 = async_test("Test that the javascript: src is not allowed to run");
-
-        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src-elem');
-            assert_equals(e.blockedURI, 'inline');
-        }));
-
-        document.getElementById('test').click();
+    <script nonce="abc">
+    runTest(false, '<a href>', ' due to missing unsafe-hashes');
     </script>
 </body>
-
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
new file mode 100644
index 0000000000000..6b863e7a99d0b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    // script-src-attr CSP should not have effects because navigation CSP
+    // checks are done against script-src-elem.
+    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
new file mode 100644
index 0000000000000..23e9bdc1875ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
index 66ec9e1678c6a..81805a1f870cd 100644
--- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
@@ -1,29 +1,15 @@
 <!DOCTYPE HTML>
 <html>
-
 <head>
-    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
-    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
-    <!--
-    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
-    -->
-    <script src='/resources/testharness.js' nonce='abc'></script>
-    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
+    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
 </head>
-
 <body>
-    <div id='log'></div>
-    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
-    <script nonce='abc'>
-        var t1 = async_test("Test that the javascript: src is not allowed to run");
-
-        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-             assert_equals(e.violatedDirective, 'script-src-elem');
-             assert_equals(e.blockedURI, 'inline');
-        }));
-
-        document.getElementById('test').click();
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes');
     </script>
 </body>
-
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
index 944b72774c8b1..6558a03aeddde 100644
--- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
@@ -1,29 +1,15 @@
 <!DOCTYPE HTML>
 <html>
-
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
-    'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';">
-    <!--
-    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
-    -->
-    <script src='/resources/testharness.js' nonce='abc'></script>
-    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
 </head>
-
 <body>
-    <div id='log'></div>
-    <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
-    <script nonce='abc'>
-        var t1 = async_test("Test that the javascript: src is not allowed to run");
-
-        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-            assert_equals(e.violatedDirective, 'script-src-elem');
-            assert_equals(e.blockedURI, 'inline');
-        }));
-
-        document.getElementById('test').click();
+    <script nonce="abc">
+    runTest(false, '<a href>', ' due to wrong hash');
     </script>
 </body>
-
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
new file mode 100644
index 0000000000000..fa394b1d0ae7d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    // script-src-attr CSP should not have effects because navigation CSP
+    // checks are done against script-src-elem.
+    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
+    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
new file mode 100644
index 0000000000000..8ca49da7754d6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
+</head>
+<body>
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to wrong hash');
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
index 84491f83fbb1f..257899af29cab 100644
--- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
@@ -1,29 +1,15 @@
 <!DOCTYPE HTML>
 <html>
-
 <head>
-    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'
-    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';">
-    <!--
-    'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL");
-    -->
-    <script src='/resources/testharness.js' nonce='abc'></script>
-    <script src='/resources/testharnessreport.js' nonce='abc'></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc'
+    'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
+    <script src="/resources/testharness.js" nonce="abc"></script>
+    <script src="/resources/testharnessreport.js" nonce="abc"></script>
+    <script src="support/helper.js" nonce="abc"></script>
 </head>
-
 <body>
-    <div id='log'></div>
-    <a target="_blank" href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'>
-    <script nonce='abc'>
-        var t1 = async_test("Test that the javascript: src is not allowed to run");
-
-        window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
-             assert_equals(e.violatedDirective, 'script-src-elem');
-             assert_equals(e.blockedURI, 'inline');
-        }));
-
-        document.getElementById('test').click();
+    <script nonce="abc">
+    runTest(false, '<a href target=_blank>', ' due to wrong hash');
     </script>
 </body>
-
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
new file mode 100644
index 0000000000000..26db3289ea3fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
@@ -0,0 +1,40 @@
+// Typical CSP hashes are:
+// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated();
+// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated();
+
+function runTest(navigationShouldAllowed, navigationMethod, description) {
+  const t1 = async_test(
+    'javascript: navigation using ' + navigationMethod + ' should be ' +
+    (navigationShouldAllowed ? 'allowed' : 'refused') + description);
+
+  if (navigationShouldAllowed) {
+    window.navigated = () => t1.done();
+    window.addEventListener('securitypolicyviolation',
+        t1.unreached_func('Should have not raised any event'));
+  } else {
+    window.navigated =
+        t1.unreached_func('Should not have run javascript: URL');
+    window.addEventListener('securitypolicyviolation',
+        t1.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, 'script-src-elem');
+            assert_equals(e.blockedURI, 'inline');
+        }));
+  }
+
+  if (navigationMethod === '<a href target=_blank>') {
+    const a = document.createElement('a');
+    a.setAttribute('target', '_blank');
+    a.setAttribute('rel', 'opener');
+    a.setAttribute('href', 'javascript:opener.navigated();');
+    document.body.appendChild(a);
+    a.click();
+  }
+  else if (navigationMethod === '<a href>') {
+    const a = document.createElement('a');
+    a.setAttribute('href', 'javascript:navigated();');
+    document.body.appendChild(a);
+    a.click();
+  } else {
+    t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)();
+  }
+}