From 3b99c00cca6c2f8db8e357dc9777711bc26bee63 Mon Sep 17 00:00:00 2001 
From: Hiroshige Hayashizaki Date: Tue, 31 May 2022 04:25:14 +0000 Subject: [PATCH] Bug 1771355 [wpt PR 34219] - [WPT] Fix and extend content-security-policy/unsafe-hashes/, a=testonly Automatic update from web-platform-tests [WPT] Fix and extend content-security-policy/unsafe-hashes/ The tests using `` elements were largely broken: - Some tests execute `t.unreached_func()` instead of `t.unreached_func()()`, and thus didn't terminate tests on failures. - `target="_blank"`, `rel="opener"` and `opener` in JavaScript URL should be used together but weren't. `javascript_src_denied_wrong_hash-href_blank.html` had `target="_blank"` but not other two. - Filenames and test contents didn't match. For example, javascript_src_denied_missing_unsafe_hashes-href_blank.html had actually wrong hashes while javascript_src_denied_wrong_hash-href_blank.html missed 'unsafe-hash'. This CL refactors and fixes these tests. The common parts are moved into `helper.js` and only two javascript: URLs are used to simplify CSP hashes: - `javascript:opener.navigated();` - `javascript:navigated();` This CL also adds tests to confirm that `script-src-elem` is used, not `script-src-attr`. 
Bug: 941246 Change-Id: Ieb6e665b34abced26fcc6cc2bbefe3c3eb6749b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3669066 Reviewed-by: Antonio Sartori Commit-Queue: Hiroshige Hayashizaki Cr-Commit-Position: refs/heads/main@{#1008357} -- wpt-commits: ba1428c9e542762d0dc61c6e0f7bb761c8363be5 wpt-pr: 34219 --- .../javascript_src_allowed-href.html | 23 +++-------- ...rc_allowed-href_blank-script-src-attr.html | 18 +++++++++ ...rc_allowed-href_blank-script-src-elem.html | 15 +++++++ .../javascript_src_allowed-href_blank.html | 23 +++-------- ...src_denied_missing_unsafe_hashes-href.html | 26 +++--------- ...afe_hashes-href_blank-script-src-attr.html | 18 +++++++++ ...afe_hashes-href_blank-script-src-elem.html | 15 +++++++ ...nied_missing_unsafe_hashes-href_blank.html | 28 ++++--------- ...javascript_src_denied_wrong_hash-href.html | 26 +++--------- ...wrong_hash-href_blank-script-src-attr.html | 18 +++++++++ ...wrong_hash-href_blank-script-src-elem.html | 15 +++++++ ...ript_src_denied_wrong_hash-href_blank.html | 28 ++++--------- .../unsafe-hashes/support/helper.js | 40 +++++++++++++++++++ 13 files changed, 177 insertions(+), 116 deletions(-) create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html create mode 100644 
testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html index 76e9576e8b118..0c2a43a6e653b 100644 --- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html @@ -1,26 +1,15 @@ - - - - + 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';"> + + + - -
-
- - diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html new file mode 100644 index 0000000000000..f2b3e1ff72c4d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html @@ -0,0 +1,18 @@ + + + + + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html new file mode 100644 index 0000000000000..642d9768a5135 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html @@ -0,0 +1,15 @@ + + + + + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html index 007338bc45eb8..a321521e04315 100644 --- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html @@ -1,26 +1,15 @@ - - - - + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + + + - -
-
- - diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html index 991200ac0daaa..0f0dc67aa3176 100644 --- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html @@ -1,29 +1,15 @@ - - - - + 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';"> + + + - -
-
- - diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html new file mode 100644 index 0000000000000..6b863e7a99d0b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html @@ -0,0 +1,18 @@ + + + + + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html new file mode 100644 index 0000000000000..23e9bdc1875ef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html @@ -0,0 +1,15 @@ + + + + + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html index 66ec9e1678c6a..81805a1f870cd 100644 --- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html @@ -1,29 +1,15 @@ - - - - - + + + + - -
-
- - diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html index 944b72774c8b1..6558a03aeddde 100644 --- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html @@ -1,29 +1,15 @@ - - - - + 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> + + + - -
-
- - diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html new file mode 100644 index 0000000000000..fa394b1d0ae7d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html @@ -0,0 +1,18 @@ + + + + + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html new file mode 100644 index 0000000000000..8ca49da7754d6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html @@ -0,0 +1,15 @@ + + + + + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html index 84491f83fbb1f..257899af29cab 100644 --- a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html @@ -1,29 +1,15 @@ - - - - - + + + + - -
-
- -
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
new file mode 100644
index 0000000000000..26db3289ea3fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
@@ -0,0 +1,40 @@
+// Typical CSP hashes are:
+// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated();
+// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated();
+
+function runTest(navigationShouldAllowed, navigationMethod, description) {
+  const t1 = async_test(
+    'javascript: navigation using ' + navigationMethod + ' should be ' +
+    (navigationShouldAllowed ? 'allowed' : 'refused') + description);
+
+  if (navigationShouldAllowed) {
+    window.navigated = () => t1.done();
+    window.addEventListener('securitypolicyviolation',
+      t1.unreached_func('Should have not raised any event'));
+  } else {
+    window.navigated =
+      t1.unreached_func('Should not have run javascript: URL');
+    window.addEventListener('securitypolicyviolation',
+      t1.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, 'script-src-elem');
+        assert_equals(e.blockedURI, 'inline');
+      }));
+  }
+
+  if (navigationMethod === '') {
+    const a = document.createElement('a');
+    a.setAttribute('target', '_blank');
+    a.setAttribute('rel', 'opener');
+    a.setAttribute('href', 'javascript:opener.navigated();');
+    document.body.appendChild(a);
+    a.click();
+  }
+  else if (navigationMethod === '') {
+    const a = document.createElement('a');
+    a.setAttribute('href', 'javascript:navigated();');
+    document.body.appendChild(a);
+    a.click();
+  } else {
+    t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)();
+  }
+}
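Review bot: As rendered here both dispatch branches in runTest compare `navigationMethod === ''`, so the second branch (the non-`_blank` anchor) is unreachable and only the first branch or the `Invalid navigationMethod` fallback can ever run; if the markup-like strings were merely stripped from this view the underlying logic is presumably fine, but dispatching on free-form strings is fragile, and two named constants exported from helper.js (callers pass the constant rather than a literal) would turn a typo into an immediate `Invalid navigationMethod` failure instead of a silently wrong test. The header comment would also help maintainers if it stated which bytes each hash covers — presumably the script text following the `javascript:` scheme, which is what an `'unsafe-hashes'` source expression is matched against — e.g. `// Hashes are computed over the script source after "javascript:"; recompute if either URL changes.` Lastly, `navigationShouldAllowed` reads better as `navigationShouldBeAllowed`, since the parameter is a boolean that selects the allowed/refused expectation.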