diff --git a/content/base/test/xcsp/chrome.ini b/content/base/test/xcsp/chrome.ini
new file mode 100644
index 00000000000..fb55f3e1272
--- /dev/null
+++ b/content/base/test/xcsp/chrome.ini
@@ -0,0 +1,4 @@
+[DEFAULT]
+
+[test_csp_bug768029.html]
+[test_csp_bug773891.html]
diff --git a/content/base/test/xcsp/file_CSP.css b/content/base/test/xcsp/file_CSP.css
new file mode 100644
index 00000000000..f83930e541c
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP.css
@@ -0,0 +1,20 @@
+/*
+ * Moved this CSS from an inline stylesheet to an external file when we added
+ * inline-style blocking in bug 763879.
+ * This test may hang if the load for this .css file is blocked due to a
+ * malfunction of CSP, but should pass if the style_good test passes.
+ */
+
+/* CSS font embedding tests */
+@font-face {
+  font-family: "arbitrary_good";
+  src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
+}
+@font-face {
+  font-family: "arbitrary_bad";
+  src: url('http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
+}
+
+.div_arbitrary_good { font-family: "arbitrary_good"; }
+.div_arbitrary_bad { font-family: "arbitrary_bad"; }
+
diff --git a/content/base/test/xcsp/file_CSP.sjs b/content/base/test/xcsp/file_CSP.sjs
new file mode 100644
index 00000000000..85c2df3ba47
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP.sjs
@@ -0,0 +1,26 @@
+// SJS file for CSP mochitests
+
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  var isPreflight = request.method == "OPTIONS";
+
+
+  //avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  if ("type" in query) {
+    response.setHeader("Content-Type", unescape(query['type']), false);
+  } else {
+    response.setHeader("Content-Type", "text/html", false);
+  }
+
+  if ("content" in query) {
+    response.write(unescape(query['content']));
+  }
+}
diff --git a/content/base/test/xcsp/file_CSP_evalscript_main.js b/content/base/test/xcsp/file_CSP_evalscript_main.js
new file mode 100644
index 00000000000..a00fbb8362e
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_main.js
@@ -0,0 +1,126 @@
+// some javascript for the CSP eval() tests
+
+function logResult(str, passed) {
+  var elt = document.createElement('div');
+  var color = passed ? "#cfc;" : "#fcc";
+  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
+  elt.innerHTML = str;
+  document.body.appendChild(elt);
+}
+
+window._testResults = {};
+
+// callback for when stuff is allowed by CSP
+var onevalexecuted = (function(window) {
+    return function(shouldrun, what, data) {
+      window._testResults[what] = "ran";
+      window.parent.scriptRan(shouldrun, what, data);
+      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
+    };})(window);
+
+// callback for when stuff is blocked
+var onevalblocked = (function(window) {
+    return function(shouldrun, what, data) {
+      window._testResults[what] = "blocked";
+      window.parent.scriptBlocked(shouldrun, what, data);
+      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
+    };})(window);
+
+
+// Defer until document is loaded so that we can write the pretty result boxes
+// out.
+addEventListener('load', function() {
+  // setTimeout(String) test -- mutate something in the window._testResults
+  // obj, then check it.
+  {
+    var str_setTimeoutWithStringRan = 'onevalexecuted(false, "setTimeout(String)", "setTimeout with a string was enabled.");';
+    function fcn_setTimeoutWithStringCheck() {
+      if (this._testResults["setTimeout(String)"] !== "ran") {
+        onevalblocked(false, "setTimeout(String)",
+                      "setTimeout with a string was blocked");
+      }
+    }
+    setTimeout(fcn_setTimeoutWithStringCheck.bind(window), 10);
+    setTimeout(str_setTimeoutWithStringRan, 10);
+  }
+
+  // setTimeout(function) test -- mutate something in the window._testResults
+  // obj, then check it.
+  {
+    function fcn_setTimeoutWithFunctionRan() {
+      onevalexecuted(true, "setTimeout(function)",
+                    "setTimeout with a function was enabled.")
+    }
+    function fcn_setTimeoutWithFunctionCheck() {
+      if (this._testResults["setTimeout(function)"] !== "ran") {
+        onevalblocked(true, "setTimeout(function)",
+                      "setTimeout with a function was blocked");
+      }
+    }
+    setTimeout(fcn_setTimeoutWithFunctionRan.bind(window), 10);
+    setTimeout(fcn_setTimeoutWithFunctionCheck.bind(window), 10);
+  }
+
+  // eval() test -- should throw exception as per spec
+  try {
+    eval('onevalexecuted(false, "eval(String)", "eval() was enabled.");');
+  } catch (e) {
+    onevalblocked(false, "eval(String)",
+                  "eval() was blocked");
+  }
+
+  // eval(foo,bar) test -- should throw exception as per spec
+  try {
+    eval('onevalexecuted(false, "eval(String,scope)", "eval() was enabled.");',1);
+  } catch (e) {
+    onevalblocked(false, "eval(String,object)",
+                  "eval() with scope was blocked");
+  }
+
+  // [foo,bar].sort(eval) test -- should throw exception as per spec
+  try {
+    ['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
+  } catch (e) {
+    onevalblocked(false, "[String, obj].sort(eval)",
+                  "eval() with scope via sort was blocked");
+  }
+
+  // [].sort.call([foo,bar], eval) test -- should throw exception as per spec
+  try {
+    [].sort.call(['onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
+  } catch (e) {
+    onevalblocked(false, "[].sort.call([String, obj], eval)",
+                  "eval() with scope via sort/call was blocked");
+  }
+
+  // new Function() test -- should throw exception as per spec
+  try {
+    var fcn = new Function('onevalexecuted(false, "new Function(String)", "new Function(String) was enabled.");');
+    fcn();
+  } catch (e) {
+    onevalblocked(false, "new Function(String)",
+                  "new Function(String) was blocked.");
+  }
+
+  // setTimeout(eval, 0, str)
+  {
+    // error is not catchable here, instead, we're going to side-effect
+    // 'worked'.
+    var worked = false;
+
+    setTimeout(eval, 0, 'worked = true');
+    setTimeout(function(worked) {
+                  if (worked) {
+                    onevalexecuted(false, "setTimeout(eval, 0, str)",
+                                    "setTimeout(eval, 0, string) was enabled.");
+                  } else {
+                    onevalblocked(false, "setTimeout(eval, 0, str)",
+                                        "setTimeout(eval, 0, str) was blocked.");
+                  }
+                }, 0, worked);
+  }
+
+}, false);
+
+
+
diff --git a/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html b/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html
new file mode 100644
index 00000000000..7b122389be5
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html
@@ -0,0 +1,12 @@
+<html>
+  <head>
+    <title>CSP eval script tests</title>
+    <script type="application/javascript"
+             src="file_CSP_evalscript_main_getCRMFRequest.js"></script>
+  </head>
+  <body>
+
+    Foo.
+
+  </body>
+</html>
diff --git a/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^ b/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
new file mode 100644
index 00000000000..a9c761cfc14
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
@@ -0,0 +1,2 @@
+Cache-Control: no-cache
+X-Content-Security-Policy: default-src 'self'
diff --git a/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js b/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js
new file mode 100644
index 00000000000..90826e3bc9d
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_main_getCRMFRequest.js
@@ -0,0 +1,48 @@
+// some javascript for the CSP eval() tests
+
+function logResult(str, passed) {
+  var elt = document.createElement('div');
+  var color = passed ? "#cfc;" : "#fcc";
+  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
+  elt.innerHTML = str;
+  document.body.appendChild(elt);
+}
+
+window._testResults = {};
+
+// callback for when stuff is allowed by CSP
+var onevalexecuted = (function(window) {
+    return function(shouldrun, what, data) {
+      window._testResults[what] = "ran";
+      window.parent.scriptRan(shouldrun, what, data);
+      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
+    };})(window);
+
+// callback for when stuff is blocked
+var onevalblocked = (function(window) {
+    return function(shouldrun, what, data) {
+      window._testResults[what] = "blocked";
+      window.parent.scriptBlocked(shouldrun, what, data);
+      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
+    };})(window);
+
+
+// Defer until document is loaded so that we can write the pretty result boxes
+// out.
+addEventListener('load', function() {
+  // generateCRMFRequest test -- make sure we cannot eval the callback if CSP is in effect
+  try {
+    var script = 'console.log("dynamic script eval\'d in crypto.generateCRMFRequest should be disallowed")';
+    crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
+    onevalexecuted(false, "crypto.generateCRMFRequest()",
+                   "crypto.generateCRMFRequest() should not run!");
+  } catch (e) {
+    onevalblocked(false, "eval(script) inside crypto.generateCRMFRequest",
+                  "eval was blocked during crypto.generateCRMFRequest");
+  }
+
+
+}, false);
+
+
+
diff --git a/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html b/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html
new file mode 100644
index 00000000000..d36aeaaf106
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html
@@ -0,0 +1,12 @@
+<html>
+  <head>
+    <title>CSP eval script tests: no CSP specified</title>
+    <script type="application/javascript"
+             src="file_CSP_evalscript_no_CSP_at_all.js"></script>
+  </head>
+  <body>
+
+    Foo. See bug 824652
+
+  </body>
+</html>
diff --git a/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^ b/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^
new file mode 100644
index 00000000000..9e23c73b7ff
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.html^headers^
@@ -0,0 +1 @@
+Cache-Control: no-cache
diff --git a/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js b/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
new file mode 100644
index 00000000000..520491fb8ef
--- /dev/null
+++ b/content/base/test/xcsp/file_CSP_evalscript_no_CSP_at_all.js
@@ -0,0 +1,42 @@
+// some javascript for the CSP eval() tests
+// all of these evals should succeed, as the document loading this script
+// has script-src 'self' 'unsafe-eval'
+
+function logResult(str, passed) {
+  var elt = document.createElement('div');
+  var color = passed ? "#cfc;" : "#fcc";
+  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
+  elt.innerHTML = str;
+  document.body.appendChild(elt);
+}
+
+// callback for when stuff is allowed by CSP
+var onevalexecuted = (function(window) {
+    return function(shouldrun, what, data) {
+      window.parent.scriptRan(shouldrun, what, data);
+      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
+    };})(window);
+
+// callback for when stuff is blocked
+var onevalblocked = (function(window) {
+    return function(shouldrun, what, data) {
+      window.parent.scriptBlocked(shouldrun, what, data);
+      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
+    };})(window);
+
+
+// Defer until document is loaded so that we can write the pretty result boxes
+// out.
+addEventListener('load', function() {
+  // test that allows crypto.generateCRMFRequest eval to run when there is no CSP at all in place
+  try {
+      var script =
+        'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
+      crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
+      onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest: no CSP at all",
+                     "eval executed during crypto.generateCRMFRequest where no CSP is set at all");
+  } catch (e) {
+    onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
+                  "eval was blocked during crypto.generateCRMFRequest");
+  }
+}, false);
diff --git a/content/base/test/xcsp/file_csp_bug768029.html b/content/base/test/xcsp/file_csp_bug768029.html
new file mode 100644
index 00000000000..d7f2730e6c7
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_bug768029.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
+-->
+<head>
+  <meta charset="utf-8">
+    <title>This is an app for testing</title>
+
+    <link rel="stylesheet" type="text/css"
+          href="file_csp_bug768029.sjs?type=style&origin=same_origin" />
+    <link rel="stylesheet" type="text/css"
+          href="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=style&origin=cross_origin" />
+  </head>
+  <body>
+
+    <script src="file_csp_bug768029.sjs?type=script&origin=same_origin"></script>
+    <script src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=script&origin=cross_origin"></script>
+    <img src="file_csp_bug768029.sjs?type=img&origin=same_origin" />
+    <img src="http://example.com/tests/content/base/test/csp/file_csp_bug768029.sjs?type=img&origin=cross_origin" />
+
+    Test for CSP applied to (simulated) app.
+
+  </body>
+</html>
diff --git a/content/base/test/xcsp/file_csp_bug768029.sjs b/content/base/test/xcsp/file_csp_bug768029.sjs
new file mode 100644
index 00000000000..9ae353055ef
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_bug768029.sjs
@@ -0,0 +1,29 @@
+function handleRequest(request, response) {
+
+  var query = {};
+
+  request.queryString.split('&').forEach(function(val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  if ("type" in query) {
+    switch (query.type) {
+      case "script":
+        response.setHeader("Content-Type", "application/javascript");
+        response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
+        return;
+      case "style":
+        response.setHeader("Content-Type", "text/css");
+        response.write("\n\n.cspfoo { color:red; }\n\n");
+        return;
+      case "img":
+        response.setHeader("Content-Type", "image/png");
+        return;
+    }
+  }
+
+  response.setHeader("Content-Type", "text/plain");
+  response.write("ohnoes!");
+}
diff --git a/content/base/test/xcsp/file_csp_bug773891.html b/content/base/test/xcsp/file_csp_bug773891.html
new file mode 100644
index 00000000000..563e5f1699c
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_bug773891.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+  https://bugzilla.mozilla.org/show_bug.cgi?id=773891
+-->
+<head>
+  <meta charset="utf-8">
+    <title>This is an app for csp testing</title>
+
+    <link rel="stylesheet" type="text/css"
+          href="file_csp_bug773891.sjs?type=style&origin=same_origin" />
+    <link rel="stylesheet" type="text/css"
+          href="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=style&origin=cross_origin" />
+  </head>
+  <body>
+
+    <script src="file_csp_bug773891.sjs?type=script&origin=same_origin"></script>
+    <script src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=script&origin=cross_origin"></script>
+    <img src="file_csp_bug773891.sjs?type=img&origin=same_origin" />
+    <img src="http://example.com/tests/content/base/test/csp/file_csp_bug773891.sjs?type=img&origin=cross_origin" />
+
+    Test for CSP applied to (simulated) app.
+
+  </body>
+</html>
diff --git a/content/base/test/xcsp/file_csp_bug773891.sjs b/content/base/test/xcsp/file_csp_bug773891.sjs
new file mode 100644
index 00000000000..9ae353055ef
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_bug773891.sjs
@@ -0,0 +1,29 @@
+function handleRequest(request, response) {
+
+  var query = {};
+
+  request.queryString.split('&').forEach(function(val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  if ("type" in query) {
+    switch (query.type) {
+      case "script":
+        response.setHeader("Content-Type", "application/javascript");
+        response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
+        return;
+      case "style":
+        response.setHeader("Content-Type", "text/css");
+        response.write("\n\n.cspfoo { color:red; }\n\n");
+        return;
+      case "img":
+        response.setHeader("Content-Type", "image/png");
+        return;
+    }
+  }
+
+  response.setHeader("Content-Type", "text/plain");
+  response.write("ohnoes!");
+}
diff --git a/content/base/test/xcsp/file_csp_redirects_main.html b/content/base/test/xcsp/file_csp_redirects_main.html
new file mode 100644
index 00000000000..102f7469282
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_redirects_main.html
@@ -0,0 +1,44 @@
+<html>
+<head>
+<title>CSP redirect tests</title>
+</head>
+<body>
+<div id="container"></div>
+</body>
+
+<script>
+var thisSite = "http://mochi.test:8888";
+var otherSite = "http://example.com";
+var page = "/tests/content/base/test/csp/file_csp_redirects_page.sjs";
+
+var tests = { "font-src": thisSite+page+"?testid=font-src&csp=1",
+              "frame-src": thisSite+page+"?testid=frame-src&csp=1",
+              "img-src":  thisSite+page+"?testid=img-src&csp=1",
+              "media-src":  thisSite+page+"?testid=media-src&csp=1",
+              "object-src":  thisSite+page+"?testid=object-src&csp=1",
+              "script-src":  thisSite+page+"?testid=script-src&csp=1",
+              "style-src":  thisSite+page+"?testid=style-src&csp=1",
+              "worker":  thisSite+page+"?testid=worker&csp=1",
+              "xhr-src":  thisSite+page+"?testid=xhr-src&csp=1",
+              "font-src-spec-compliant": thisSite+page+"?testid=font-src-spec-compliant&csp=1&spec=1",
+              "frame-src-spec-compliant": thisSite+page+"?testid=frame-src-spec-compliant&csp=1&spec=1",
+              "img-src-spec-compliant":  thisSite+page+"?testid=img-src-spec-compliant&csp=1&spec=1",
+              "media-src-spec-compliant":  thisSite+page+"?testid=media-src-spec-compliant&csp=1&spec=1",
+              "object-src-spec-compliant":  thisSite+page+"?testid=object-src-spec-compliant&csp=1&spec=1",
+              "script-src-spec-compliant":  thisSite+page+"?testid=script-src-spec-compliant&csp=1&spec=1",
+              "style-src-spec-compliant":  thisSite+page+"?testid=style-src-spec-compliant&csp=1&spec=1",
+              "worker-spec-compliant":  thisSite+page+"?testid=worker-spec-compliant&csp=1&spec=1",
+              "xhr-src-spec-compliant":  thisSite+page+"?testid=xhr-src-spec-compliant&csp=1&spec=1",
+            };
+
+var container = document.getElementById("container");
+
+// load each test in its own iframe
+for (tid in tests) {
+  var i = document.createElement("iframe");
+  i.id = tid;
+  i.src = tests[tid];
+  container.appendChild(i);
+}
+</script>
+</html>
diff --git a/content/base/test/xcsp/file_csp_redirects_page.sjs b/content/base/test/xcsp/file_csp_redirects_page.sjs
new file mode 100644
index 00000000000..7f5d6bad41e
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_redirects_page.sjs
@@ -0,0 +1,133 @@
+// SJS file for CSP redirect mochitests
+// This file serves pages which can optionally specify a Content Security Policy
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
+
+  // CSP header value
+  if (query["csp"] == 1) {
+    if (query["spec"] == 1) {
+      response.setHeader("Content-Security-Policy", "default-src 'self' ; style-src 'self' 'unsafe-inline'", false);
+    } else {
+      response.setHeader("X-Content-Security-Policy", "allow 'self'", false);
+    }
+  }
+
+  // downloadable font that redirects to another site
+  if (query["testid"] == "font-src") {
+    var resp = '<style type="text/css"> @font-face { font-family:' +
+               '"Redirecting Font"; src: url("' + resource +
+               '?res=font&redir=other&id=font-src-redir")} #test{font-family:' +
+               '"Redirecting Font"}</style></head><body>' +
+               '<div id="test">test</div></body>';
+    response.write(resp);
+    return;
+  }
+
+  if (query["testid"] == "font-src-spec-compliant") {
+    var resp = '<style type="text/css"> @font-face { font-family:' +
+               '"Redirecting Font Spec Compliant"; src: url("' + resource +
+               '?res=font-spec-compliant&redir=other&id=font-src-redir-spec-compliant")} #test{font-family:' +
+               '"Redirecting Font Spec Compliant"}</style></head><body>' +
+               '<div id="test">test</div></body>';
+    response.write(resp);
+    return;
+  }
+
+  // iframe that redirects to another site
+  if (query["testid"] == "frame-src") {
+    response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir"></iframe>');
+    return;
+  }
+
+  if (query["testid"] == "frame-src-spec-compliant") {
+    response.write('<iframe src="'+resource+'?res=iframe&redir=other&id=frame-src-redir-spec-compliant"></iframe>');
+    return;
+  }
+
+  // image that redirects to another site
+  if (query["testid"] == "img-src") {
+    response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir" />');
+    return;
+  }
+
+  if (query["testid"] == "img-src-spec-compliant") {
+    response.write('<img src="'+resource+'?res=image&redir=other&id=img-src-redir-spec-compliant" />');
+    return;
+  }
+
+  // video content that redirects to another site
+  if (query["testid"] == "media-src") {
+    response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir"></video>');
+    return;
+  }
+
+  if (query["testid"] == "media-src-spec-compliant") {
+    response.write('<video src="'+resource+'?res=media&redir=other&id=media-src-redir-spec-compliant"></video>');
+    return;
+  }
+
+  // object content that redirects to another site
+  if (query["testid"] == "object-src") {
+    response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir"></object>');
+    return;
+  }
+
+  if (query["testid"] == "object-src-spec-compliant") {
+    response.write('<object type="text/html" data="'+resource+'?res=object&redir=other&id=object-src-redir-spec-compliant"></object>');
+    return;
+  }
+
+  // external script that redirects to another site
+  if (query["testid"] == "script-src") {
+    response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir"></script>');
+    return;
+  }
+
+  if (query["testid"] == "script-src-spec-compliant") {
+    response.write('<script src="'+resource+'?res=script&redir=other&id=script-src-redir-spec-compliant"></script>');
+    return;
+  }
+
+  // external stylesheet that redirects to another site
+  if (query["testid"] == "style-src") {
+    response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir"></script>');
+    return;
+  }
+
+  if (query["testid"] == "style-src-spec-compliant") {
+    response.write('<link rel="stylesheet" type="text/css" href="'+resource+'?res=style&redir=other&id=style-src-redir-spec-compliant"></script>');
+    return;
+  }
+
+  // worker script resource that redirects to another site
+  if (query["testid"] == "worker") {
+    response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir"></script>');
+    return;
+  }
+
+  if (query["testid"] == "worker-spec-compliant") {
+    response.write('<script src="'+resource+'?res=worker&redir=other&id=worker-redir-spec-compliant"></script>');
+    return;
+  }
+
+  // script that XHR's to a resource that redirects to another site
+  if (query["testid"] == "xhr-src") {
+    response.write('<script src="'+resource+'?res=xhr"></script>');
+    return;
+  }
+
+  if (query["testid"] == "xhr-src-spec-compliant") {
+    response.write('<script src="'+resource+'?res=xhr-spec-compliant"></script>');
+    return;
+  }
+}
diff --git a/content/base/test/xcsp/file_csp_redirects_resource.sjs b/content/base/test/xcsp/file_csp_redirects_resource.sjs
new file mode 100644
index 00000000000..60924ee09da
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_redirects_resource.sjs
@@ -0,0 +1,128 @@
+// SJS file to serve resources for CSP redirect tests
+// This file mimics serving resources, e.g. fonts, images, etc., which a CSP
+// can include. The resource may redirect to a different resource, if specified.
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  var thisSite = "http://mochi.test:8888";
+  var otherSite = "http://example.com";
+  var resource = "/tests/content/base/test/csp/file_csp_redirects_resource.sjs";
+
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // redirect to a resource on this site
+  if (query["redir"] == "same") {
+    var loc = thisSite+resource+"?res="+query["res"]+"&testid="+query["id"];
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", loc, false);
+    return;
+  }
+
+  // redirect to a resource on a different site
+  else if (query["redir"] == "other") {
+    var loc = otherSite+resource+"?res="+query["res"]+"&testid="+query["id"];
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", loc, false);
+    return;
+  }
+
+  // not a redirect.  serve some content.
+  // the content doesn't have to be valid, since we're only checking whether
+  // the request for the content was sent or not.
+
+  // downloadable font
+  if (query["res"] == "font") {
+    response.setHeader("Access-Control-Allow-Origin", "*", false);
+    response.setHeader("Content-Type", "text/plain", false);
+    response.write("font data...");
+    return;
+  }
+
+  if (query["res"] == "font-spec-compliant") {
+    response.setHeader("Access-Control-Allow-Origin", "*", false);
+    response.setHeader("Content-Type", "text/plain", false);
+    response.write("font data...");
+    return;
+  }
+
+  // iframe with arbitrary content
+  if (query["res"] == "iframe") {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write("iframe content...");
+    return;
+  }
+
+  // image
+  if (query["res"] == "image") {
+    response.setHeader("Content-Type", "image/gif", false);
+    response.write("image data...");
+    return;
+  }
+
+  // media content, e.g. Ogg video
+  if (query["res"] == "media") {
+    response.setHeader("Content-Type", "video/ogg", false);
+    response.write("video data...");
+    return;
+  }
+
+  // plugin content, e.g. <object>
+  if (query["res"] == "object") {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write("object data...");
+    return;
+  }
+
+  // script
+  if (query["res"] == "script") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write("some script...");
+    return;
+  }
+
+  // external stylesheet
+  if (query["res"] == "style") {
+    response.setHeader("Content-Type", "text/css", false);
+    response.write("css data...");
+    return;
+  }
+
+  // web worker resource
+  if (query["res"] == "worker") {
+    response.setHeader("Content-Type", "application/javascript", false);
+    response.write("worker script data...");
+    return;
+  }
+
+  // script that invokes XHR
+  if (query["res"] == "xhr") {
+    response.setHeader("Content-Type", "text/html", false);
+    var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
+               resource+'?res=xhr-resp&testid=xhr-src-redir", false); ' +
+               'x.send(null);';
+    response.write(resp);
+    return;
+  }
+
+  if (query["res"] == "xhr-spec-compliant") {
+    response.setHeader("Content-Type", "text/html", false);
+    var resp = 'var x = new XMLHttpRequest(); x.open("GET", "' + otherSite +
+               resource+'?res=xhr-resp-spec-compliant&testid=xhr-src-redir-spec-compliant", false); ' +
+               'x.send(null);';
+    response.write(resp);
+    return;
+  }
+
+  // response to XHR
+  if (query["res"] == "xhr-resp-spec-compliant") {
+    response.setHeader("Access-Control-Allow-Origin", "*", false);
+    response.setHeader("Content-Type", "text/html", false);
+    response.write('XHR response...');
+    return;
+  }
+}
diff --git a/content/base/test/xcsp/file_csp_report.sjs b/content/base/test/xcsp/file_csp_report.sjs
new file mode 100644
index 00000000000..baf88b02d4a
--- /dev/null
+++ b/content/base/test/xcsp/file_csp_report.sjs
@@ -0,0 +1,25 @@
+// SJS file for CSP violation report test
+// https://bugzilla.mozilla.org/show_bug.cgi?id=548193
+function handleRequest(request, response)
+{
+  var query = {};
+  request.queryString.split('&').forEach(function (val) {
+    var [name, value] = val.split('=');
+    query[name] = unescape(value);
+  });
+
+  response.setHeader("Content-Type", "text/html", false);
+
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // set CSP header
+  response.setHeader("X-Content-Security-Policy",
+                     "allow 'self'; report-uri http://mochi.test:8888/csp-report.cgi",
+                     false);
+
+  // content which will trigger a violation report
+  response.write('<html><body>');
+  response.write('<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>');
+  response.write('</body></html>');
+}
diff --git a/content/base/test/xcsp/file_multi_policy_injection_bypass.html b/content/base/test/xcsp/file_multi_policy_injection_bypass.html
new file mode 100644
index 00000000000..82eed84570a
--- /dev/null
+++ b/content/base/test/xcsp/file_multi_policy_injection_bypass.html
@@ -0,0 +1,15 @@
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=717511
+-->
+  <body>
+    <!-- these should be stopped by CSP after fixing bug 717511.  :) -->
+    <img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
+    <script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
+
+    <!-- these should load ok after fixing bug 717511.  :) -->
+    <img src="file_CSP.sjs?testid=img_good&type=img/png" />
+    <script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
+
+  </body>
+</html>
diff --git a/content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^ b/content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^
new file mode 100644
index 00000000000..fc46a167c3d
--- /dev/null
+++ b/content/base/test/xcsp/file_multi_policy_injection_bypass.html^headers^
@@ -0,0 +1 @@
+X-Content-Security-Policy: default-src 'self', allow *
diff --git a/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html b/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html
new file mode 100644
index 00000000000..6f27a043fb8
--- /dev/null
+++ b/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html
@@ -0,0 +1,15 @@
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=717511
+-->
+  <body>
+    <!-- these should be stopped by CSP after fixing bug 717511.  :) -->
+    <img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img2_bad&type=img/png"> </img>
+    <script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script2_bad&type=text/javascript'></script>
+
+    <!-- these should load ok after fixing bug 717511.  :) -->
+    <img src="file_CSP.sjs?testid=img2_good&type=img/png" />
+    <script src='file_CSP.sjs?testid=script2_good&type=text/javascript'></script>
+
+  </body>
+</html>
diff --git a/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^ b/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^
new file mode 100644
index 00000000000..772246e1247
--- /dev/null
+++ b/content/base/test/xcsp/file_multi_policy_injection_bypass_2.html^headers^
@@ -0,0 +1 @@
+X-Content-Security-Policy: default-src 'self'   ,    allow *
diff --git a/content/base/test/xcsp/file_redirect_content.sjs b/content/base/test/xcsp/file_redirect_content.sjs
new file mode 100644
index 00000000000..9a6461d69bb
--- /dev/null
+++ b/content/base/test/xcsp/file_redirect_content.sjs
@@ -0,0 +1,38 @@
+// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
+// This SJS file serves file_redirect_content.html
+// with a CSP that will trigger a violation and that will report it
+// to file_redirect_report.sjs
+//
+// This handles 301, 302, 303 and 307 redirects. The HTTP status code
+// returned/type of redirect to do comes from the query string
+// parameter passed in from the test_bug650386_* files and then also
+// uses that value in the report-uri parameter of the CSP
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // this gets used in the CSP as part of the report URI.
+  var redirect = request.queryString;
+
+  if (redirect < 301 || (redirect > 303 && redirect <= 306) || redirect > 307) {
+    // if we somehow got some bogus redirect code here,
+    // do a 302 redirect to the same URL as the report URI
+    // redirects to - this will fail the test.
+    var loc = "http://example.com/some/fake/path";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", loc, false);
+    return;
+  }
+
+  var csp = "default-src \'self\';report-uri http://mochi.test:8888/tests/content/base/test/csp/file_redirect_report.sjs?" + redirect;
+
+  response.setHeader("X-Content-Security-Policy", csp, false);
+
+  // the actual file content.
+  // this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
+  // specified by the CSP string above.
+  var content = "<!DOCTYPE HTML><html><body><img src = \"http://some.other.domain.example.com\"></body></html>";
+
+  response.write(content);
+
+  return;
+}
diff --git a/content/base/test/xcsp/file_redirect_report.sjs b/content/base/test/xcsp/file_redirect_report.sjs
new file mode 100644
index 00000000000..9cc7e654863
--- /dev/null
+++ b/content/base/test/xcsp/file_redirect_report.sjs
@@ -0,0 +1,17 @@
+// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
+// This SJS file serves as CSP violation report target
+// and issues a redirect, to make sure the browser does not post to the target
+// of the redirect, per CSP spec.
+// This handles 301, 302, 303 and 307 redirects. The HTTP status code
+// returned/type of redirect to do comes from the query string
+// parameter
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  var redirect = request.queryString;
+
+  var loc = "http://example.com/some/fake/path";
+  response.setStatusLine("1.1", redirect, "Found");
+  response.setHeader("Location", loc, false);
+  return;
+}
diff --git a/content/base/test/xcsp/file_subframe_run_js_if_allowed.html b/content/base/test/xcsp/file_subframe_run_js_if_allowed.html
new file mode 100644
index 00000000000..3ba970ce846
--- /dev/null
+++ b/content/base/test/xcsp/file_subframe_run_js_if_allowed.html
@@ -0,0 +1,13 @@
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=702439
+
+This document is a child frame of a CSP document and the
+test verifies that it is permitted to run javascript: URLs
+if the parent has a policy that allows them.
+-->
+<body onload="document.getElementById('a').click()">
+<a id="a" href="javascript:parent.javascript_link_ran = true;
+                parent.checkResult();">click</a>
+</body>
+</html>
diff --git a/content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^ b/content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^
new file mode 100644
index 00000000000..426d8738c60
--- /dev/null
+++ b/content/base/test/xcsp/file_subframe_run_js_if_allowed.html^headers^
@@ -0,0 +1 @@
+X-Content-Security-Policy: default-src *; options inline-script
diff --git a/content/base/test/xcsp/mochitest.ini b/content/base/test/xcsp/mochitest.ini
new file mode 100644
index 00000000000..7fdf90e83b5
--- /dev/null
+++ b/content/base/test/xcsp/mochitest.ini
@@ -0,0 +1,165 @@
+[DEFAULT]
+support-files =
+  file_CSP.css
+  file_CSP.sjs
+  file_CSP_bug663567.xsl
+  file_CSP_bug663567_allows.xml
+  file_CSP_bug663567_allows.xml^headers^
+  file_CSP_bug663567_blocks.xml
+  file_CSP_bug663567_blocks.xml^headers^
+  file_CSP_bug802872.html
+  file_CSP_bug802872.html^headers^
+  file_CSP_bug802872.js
+  file_CSP_bug802872.sjs
+  file_CSP_bug885433_allows.html
+  file_CSP_bug885433_allows.html^headers^
+  file_CSP_bug885433_blocks.html
+  file_CSP_bug885433_blocks.html^headers^
+  file_CSP_bug888172.html
+  file_CSP_bug888172.sjs
+  file_CSP_bug916446.html
+  file_CSP_bug916446.html^headers^
+  file_CSP_evalscript_main.html
+  file_CSP_evalscript_main.html^headers^
+  file_CSP_evalscript_main.js
+  file_CSP_evalscript_main_allowed.js
+  file_CSP_evalscript_main_allowed_getCRMFRequest.js
+  file_CSP_evalscript_main_getCRMFRequest.html
+  file_CSP_evalscript_main_getCRMFRequest.html^headers^
+  file_CSP_evalscript_main_getCRMFRequest.js
+  file_CSP_evalscript_main_spec_compliant.html
+  file_CSP_evalscript_main_spec_compliant.html^headers^
+  file_CSP_evalscript_main_spec_compliant_allowed.html
+  file_CSP_evalscript_main_spec_compliant_allowed.html^headers^
+  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html
+  file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html^headers^
+  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html
+  file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html^headers^
+  file_CSP_evalscript_no_CSP_at_all.html
+  file_CSP_evalscript_no_CSP_at_all.html^headers^
+  file_CSP_evalscript_no_CSP_at_all.js
+  file_CSP_frameancestors.sjs
+  file_CSP_frameancestors_main.html
+  file_CSP_frameancestors_main.js
+  file_CSP_frameancestors_main_spec_compliant.html
+  file_CSP_frameancestors_main_spec_compliant.js
+  file_CSP_frameancestors_spec_compliant.sjs
+  file_CSP_inlinescript_main.html
+  file_CSP_inlinescript_main.html^headers^
+  file_CSP_inlinescript_main_spec_compliant.html
+  file_CSP_inlinescript_main_spec_compliant.html^headers^
+  file_CSP_inlinescript_main_spec_compliant_allowed.html
+  file_CSP_inlinescript_main_spec_compliant_allowed.html^headers^
+  file_CSP_inlinestyle_main.html
+  file_CSP_inlinestyle_main.html^headers^
+  file_CSP_inlinestyle_main_spec_compliant.html
+  file_CSP_inlinestyle_main_spec_compliant.html^headers^
+  file_CSP_inlinestyle_main_spec_compliant_allowed.html
+  file_CSP_inlinestyle_main_spec_compliant_allowed.html^headers^
+  file_CSP_main.html
+  file_CSP_main.html^headers^
+  file_CSP_main.js
+  file_CSP_main_spec_compliant.html
+  file_CSP_main_spec_compliant.html^headers^
+  file_CSP_main_spec_compliant.js
+  file_bothCSPheaders.html
+  file_bothCSPheaders.html^headers^
+  file_bug836922_npolicies.html
+  file_bug836922_npolicies.html^headers^
+  file_bug836922_npolicies_ro_violation.sjs
+  file_bug836922_npolicies_violation.sjs
+  file_bug886164.html
+  file_bug886164.html^headers^
+  file_bug886164_2.html
+  file_bug886164_2.html^headers^
+  file_bug886164_3.html
+  file_bug886164_3.html^headers^
+  file_bug886164_4.html
+  file_bug886164_4.html^headers^
+  file_bug886164_5.html
+  file_bug886164_5.html^headers^
+  file_bug886164_6.html
+  file_bug886164_6.html^headers^
+  file_csp_bug768029.html
+  file_csp_bug768029.sjs
+  file_csp_bug773891.html
+  file_csp_bug773891.sjs
+  file_csp_redirects_main.html
+  file_csp_redirects_page.sjs
+  file_csp_redirects_resource.sjs
+  file_CSP_bug910139.sjs
+  file_CSP_bug910139.xml
+  file_CSP_bug910139.xsl
+  file_CSP_bug909029_star.html
+  file_CSP_bug909029_star.html^headers^
+  file_CSP_bug909029_none.html
+  file_CSP_bug909029_none.html^headers^
+  file_policyuri_regression_from_multipolicy.html
+  file_policyuri_regression_from_multipolicy.html^headers^
+  file_policyuri_regression_from_multipolicy_policy
+  file_nonce_source.html
+  file_nonce_source.html^headers^
+  file_CSP_bug941404.html
+  file_CSP_bug941404_xhr.html
+  file_CSP_bug941404_xhr.html^headers^
+  file_hash_source.html
+  file_hash_source.html^headers^
+  file_dual_headers_warning.html
+  file_dual_headers_warning.html^headers^
+  file_self_none_as_hostname_confusion.html
+  file_self_none_as_hostname_confusion.html^headers^
+  file_csp_testserver.sjs
+  file_csp_regexp_parsing.html
+  file_csp_regexp_parsing.js
+  file_report_uri_missing_in_report_only_header.html
+  file_report_uri_missing_in_report_only_header.html^headers^
+  file_csp_report.sjs
+  file_policyuri_async_fetch.html
+  file_policyuri_async_fetch.html^headers^
+  file_redirect_content.sjs
+  file_redirect_report.sjs
+  file_subframe_run_js_if_allowed.html
+  file_subframe_run_js_if_allowed.html^headers^
+  file_multi_policy_injection_bypass.html
+  file_multi_policy_injection_bypass.html^headers^
+  file_multi_policy_injection_bypass_2.html
+  file_multi_policy_injection_bypass_2.html^headers^
+
+[test_CSP.html]
+[test_CSP_bug663567.html]
+[test_CSP_bug802872.html]
+[test_CSP_bug885433.html]
+[test_CSP_bug888172.html]
+[test_CSP_bug916446.html]
+[test_CSP_evalscript.html]
+[test_CSP_evalscript_getCRMFRequest.html]
+skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
+[test_CSP_frameancestors.html]
+skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
+[test_CSP_inlinescript.html]
+[test_CSP_inlinestyle.html]
+[test_bothCSPheaders.html]
+[test_bug836922_npolicies.html]
+[test_bug886164.html]
+[test_csp_redirects.html]
+[test_CSP_bug910139.html]
+[test_CSP_bug909029.html]
+[test_policyuri_regression_from_multipolicy.html]
+[test_nonce_source.html]
+[test_CSP_bug941404.html]
+[test_hash_source.html]
+skip-if = e10s || buildapp == 'b2g' # can't compute hashes in child process (bug 958702)
+[test_dual_headers_warning.html]
+[test_self_none_as_hostname_confusion.html]
+[test_bug949549.html]
+[test_csp_regexp_parsing.html]
+[test_report_uri_missing_in_report_only_header.html]
+[test_csp_report.html]
+skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
+[test_policyuri_async_fetch.html]
+[test_301_redirect.html]
+[test_302_redirect.html]
+[test_303_redirect.html]
+[test_307_redirect.html]
+[test_subframe_run_js_if_allowed.html]
+[test_multi_policy_injection_bypass.html]
diff --git a/content/base/test/xcsp/moz.build b/content/base/test/xcsp/moz.build
new file mode 100644
index 00000000000..99b068bc92a
--- /dev/null
+++ b/content/base/test/xcsp/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+MOCHITEST_MANIFESTS += ['mochitest.ini']
+
+MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
+
diff --git a/content/base/test/xcsp/test_301_redirect.html b/content/base/test/xcsp/test_301_redirect.html
new file mode 100644
index 00000000000..4625918d0d4
--- /dev/null
+++ b/content/base/test/xcsp/test_301_redirect.html
@@ -0,0 +1,77 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=650386
+Test that CSP violation reports are not sent when a 301 redirect is encountered
+-->
+<head>
+  <title>Test for Bug 650386</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id = "content_iframe"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 650386 **/
+
+// This is used to watch the redirect of the report POST get blocked
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI
+    if(!SpecialPowers.can_QI(subject))
+       return;
+
+    if (topic === "specialpowers-http-notify-request") {
+      // this is used to fail the test - if we see the POST to the target of the redirect
+      // we know this is a fail
+      var uri = data;
+      if (uri == "http://example.com/some/fake/path")
+        window.done(false);
+    }
+
+    if(topic === "csp-on-violate-policy") {
+      // something was blocked, but we are looking specifically for the redirect being blocked
+      if (data == "denied redirect while sending violation report")
+        window.done(true);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+// result == true if we saw the redirect blocked notify, false if we saw the post
+// to the redirect target go out
+window.done = function(result) {
+  ok(result, "a 301 redirect when posting violation report should be blocked");
+
+  // clean up observers and finish the test
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+document.getElementById('content_iframe').src = 'file_redirect_content.sjs?301';
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_302_redirect.html b/content/base/test/xcsp/test_302_redirect.html
new file mode 100644
index 00000000000..f0794da6e84
--- /dev/null
+++ b/content/base/test/xcsp/test_302_redirect.html
@@ -0,0 +1,77 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=650386
+Test that CSP violation reports are not sent when a 302 redirect is encountered
+-->
+<head>
+  <title>Test for Bug 650386</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id = "content_iframe"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 650386 **/
+
+// This is used to watch the redirect of the report POST get blocked
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI
+    if(!SpecialPowers.can_QI(subject))
+       return;
+
+    if (topic === "specialpowers-http-notify-request") {
+      // this is used to fail the test - if we see the POST to the target of the redirect
+      // we know this is a fail
+      var uri = data;
+      if (uri == "http://example.com/some/fake/path")
+        window.done(false);
+    }
+
+    if(topic === "csp-on-violate-policy") {
+      // something was blocked, but we are looking specifically for the redirect being blocked
+      if (data == "denied redirect while sending violation report")
+        window.done(true);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+// result == true if we saw the redirect blocked notify, false if we saw the post
+// to the redirect target go out
+window.done = function(result) {
+  ok(result, "a 302 redirect when posting violation report should be blocked");
+
+  // clean up observers and finish the test
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+document.getElementById('content_iframe').src = 'file_redirect_content.sjs?302';
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_303_redirect.html b/content/base/test/xcsp/test_303_redirect.html
new file mode 100644
index 00000000000..3afd1317d36
--- /dev/null
+++ b/content/base/test/xcsp/test_303_redirect.html
@@ -0,0 +1,77 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=650386
+Test that CSP violation reports are not sent when a 303 redirect is encountered
+-->
+<head>
+  <title>Test for Bug 650386</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id = "content_iframe"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 650386 **/
+
+// This is used to watch the redirect of the report POST get blocked
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI
+    if(!SpecialPowers.can_QI(subject))
+       return;
+
+    if (topic === "specialpowers-http-notify-request") {
+      // this is used to fail the test - if we see the POST to the target of the redirect
+      // we know this is a fail
+      var uri = data;
+      if (uri == "http://example.com/some/fake/path")
+        window.done(false);
+    }
+
+    if(topic === "csp-on-violate-policy") {
+      // something was blocked, but we are looking specifically for the redirect being blocked
+      if (data == "denied redirect while sending violation report")
+        window.done(true);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+// result == true if we saw the redirect blocked notify, false if we saw the post
+// to the redirect target go out
+window.done = function(result) {
+  ok(result, "a 303 redirect when posting violation report should be blocked");
+
+  // clean up observers and finish the test
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+document.getElementById('content_iframe').src = 'file_redirect_content.sjs?303';
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_307_redirect.html b/content/base/test/xcsp/test_307_redirect.html
new file mode 100644
index 00000000000..e200accfefc
--- /dev/null
+++ b/content/base/test/xcsp/test_307_redirect.html
@@ -0,0 +1,77 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=650386
+Test that CSP violation reports are not sent when a 307 redirect is encountered
+-->
+<head>
+  <title>Test for Bug 650386</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=650386">Mozilla Bug 650386</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id = "content_iframe"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 650386 **/
+
+// This is used to watch the redirect of the report POST get blocked
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI
+    if(!SpecialPowers.can_QI(subject))
+       return;
+
+    if (topic === "specialpowers-http-notify-request") {
+      // this is used to fail the test - if we see the POST to the target of the redirect
+      // we know this is a fail
+      var uri = data;
+      if (uri == "http://example.com/some/fake/path")
+        window.done(false);
+    }
+
+    if(topic === "csp-on-violate-policy") {
+      // something was blocked, but we are looking specifically for the redirect being blocked
+      if (data == "denied redirect while sending violation report")
+        window.done(true);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+// result == true if we saw the redirect blocked notify, false if we saw the post
+// to the redirect target go out
+window.done = function(result) {
+  ok(result, "a 307 redirect when posting violation report should be blocked");
+
+  // clean up observers and finish the test
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+document.getElementById('content_iframe').src = 'file_redirect_content.sjs?307';
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_CSP.html b/content/base/test/xcsp/test_CSP.html
new file mode 100644
index 00000000000..24a1d711ba2
--- /dev/null
+++ b/content/base/test/xcsp/test_CSP.html
@@ -0,0 +1,139 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy Connections</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+// These are test results: -1 means it hasn't run,
+// true/false is the pass/fail result.
+window.tests = {
+  img_good: -1,
+  img_bad: -1,
+  style_good: -1,
+  style_bad: -1,
+  frame_good: -1,
+  frame_bad: -1,
+  script_good: -1,
+  script_bad: -1,
+  xhr_good: -1,
+  xhr_bad: -1,
+  media_good: -1,
+  media_bad: -1,
+  font_good: -1,
+  font_bad: -1,
+  object_good: -1,
+  object_bad: -1,
+  img_spec_compliant_good: -1,
+  img_spec_compliant_bad: -1,
+  style_spec_compliant_good: -1,
+  style_spec_compliant_bad: -1,
+  frame_spec_compliant_good: -1,
+  frame_spec_compliant_bad: -1,
+  script_spec_compliant_good: -1,
+  script_spec_compliant_bad: -1,
+  xhr_spec_compliant_good: -1,
+  xhr_spec_compliant_bad: -1,
+  media_spec_compliant_good: -1,
+  media_spec_compliant_bad: -1,
+  font_spec_compliant_good: -1,
+  font_spec_compliant_bad: -1,
+  object_spec_compliant_good: -1,
+  object_spec_compliant_bad: -1,
+};
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    var testpat = new RegExp("testid=([a-z0-9_]+)");
+
+    //_good things better be allowed!
+    //_bad things better be stopped!
+
+    // This is a special observer topic that is proxied from
+    // http-on-modify-request in the parent process to inform us when a URI is
+    // loaded
+    if (topic === "specialpowers-http-notify-request") {
+      var uri = data;
+      if (!testpat.test(uri)) return;
+      var testid = testpat.exec(uri)[1];
+
+      window.testResult(testid,
+                        /_good/.test(testid),
+                        uri + " allowed by csp");
+    }
+
+    if (topic === "csp-on-violate-policy") {
+      // these were blocked... record that they were blocked
+      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      if (!testpat.test(asciiSpec)) return;
+      var testid = testpat.exec(asciiSpec)[1];
+      window.testResult(testid,
+                        /_bad/.test(testid),
+                        asciiSpec + " blocked by \"" + data + "\"");
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+window.testResult = function(testname, result, msg) {
+  //test already complete.... forget it... remember the first result.
+  if (window.tests[testname] != -1)
+    return;
+
+  window.tests[testname] = result;
+  is(result, true, testname + ' test: ' + msg);
+
+  // if any test is incomplete, keep waiting
+  for (var v in window.tests)
+    if(tests[v] == -1)
+      return;
+
+  // ... otherwise, finish
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true],
+          // This defaults to 0 ("preload none") on mobile (B2G/Android), which
+          // blocks loading the resource until the user interacts with a
+          // corresponding widget, which breaks the media_* tests. We set it
+          // back to the default used by desktop Firefox to get consistent
+          // behavior.
+          ["media.preload.default", 2]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('cspframe').src = 'file_CSP_main.html';
+      document.getElementById('cspframe2').src = 'file_CSP_main_spec_compliant.html';
+    });
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_CSP_evalscript.html b/content/base/test/xcsp/test_CSP_evalscript.html
new file mode 100644
index 00000000000..6857277e25b
--- /dev/null
+++ b/content/base/test/xcsp/test_CSP_evalscript.html
@@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy "no eval" base restriction</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+var evalScriptsThatRan = 0;
+var evalScriptsBlocked = 0;
+var evalScriptsTotal = 24;
+
+// called by scripts that run
+var scriptRan = function(shouldrun, testname, data) {
+  evalScriptsThatRan++;
+  ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+// called when a script is blocked
+var scriptBlocked = function(shouldrun, testname, data) {
+  evalScriptsBlocked++;
+  ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+  // if any test is incomplete, keep waiting
+  if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
+    return;
+
+  // ... otherwise, finish
+  SimpleTest.finish();
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
+      // document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+    });
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html b/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
new file mode 100644
index 00000000000..c3eee193b17
--- /dev/null
+++ b/content/base/test/xcsp/test_CSP_evalscript_getCRMFRequest.html
@@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy "no eval" in crypto.getCRMFRequest()</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+var evalScriptsThatRan = 0;
+var evalScriptsBlocked = 0;
+var evalScriptsTotal = 4;
+
+// called by scripts that run
+var scriptRan = function(shouldrun, testname, data) {
+  evalScriptsThatRan++;
+  ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+// called when a script is blocked
+var scriptBlocked = function(shouldrun, testname, data) {
+  evalScriptsBlocked++;
+  ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+  // if any test is incomplete, keep waiting
+  if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
+    return;
+
+  // ... otherwise, finish
+  SimpleTest.finish();
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+    function() {
+      // save this for last so that our listeners are registered.
+      // ... this loads the testbed of good and bad requests.
+      document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
+      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant_getCRMFRequest.html';
+      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed_getCRMFRequest.html';
+      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
+    });
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_CSP_frameancestors.html b/content/base/test/xcsp/test_CSP_frameancestors.html
new file mode 100644
index 00000000000..b294ac153fb
--- /dev/null
+++ b/content/base/test/xcsp/test_CSP_frameancestors.html
@@ -0,0 +1,136 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy Frame Ancestors directive</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+// These are test results: -1 means it hasn't run,
+// true/false is the pass/fail result.
+var framesThatShouldLoad = {
+  aa_allow: -1,    /* innermost frame allows a */
+  //aa_block: -1,    /* innermost frame denies a */
+  ab_allow: -1,    /* innermost frame allows a */
+  //ab_block: -1,    /* innermost frame denies a */
+  aba_allow: -1,   /* innermost frame allows b,a */
+  //aba_block: -1,   /* innermost frame denies b */
+  //aba2_block: -1,  /* innermost frame denies a */
+  abb_allow: -1,   /* innermost frame allows b,a */
+  //abb_block: -1,   /* innermost frame denies b */
+  //abb2_block: -1,  /* innermost frame denies a */
+  aa_allow_spec_compliant: -1,    /* innermost frame allows a *
+  //aa_block_spec_compliant: -1,    /* innermost frame denies a */
+  ab_allow_spec_compliant: -1,    /* innermost frame allows a */
+  //ab_block_spec_compliant: -1,    /* innermost frame denies a */
+  aba_allow_spec_compliant: -1,   /* innermost frame allows b,a */
+  //aba_block_spec_compliant: -1,   /* innermost frame denies b */
+  //aba2_block_spec_compliant: -1,  /* innermost frame denies a */
+  abb_allow_spec_compliant: -1,   /* innermost frame allows b,a */
+  //abb_block_spec_compliant: -1,   /* innermost frame denies b */
+  //abb2_block_spec_compliant: -1,  /* innermost frame denies a */
+};
+
+var expectedViolationsLeft = 12;
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI, and should be either allowed or blocked.
+    if (!SpecialPowers.can_QI(subject))
+      return;
+
+    if (topic === "csp-on-violate-policy") {
+      //these were blocked... record that they were blocked
+      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      window.frameBlocked(asciiSpec, data);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+  }
+}
+
+// called when a frame is loaded
+// -- if it's not enumerated above, it should not load!
+var frameLoaded = function(testname, uri) {
+  //test already complete.... forget it... remember the first result.
+  if (window.framesThatShouldLoad[testname] != -1)
+    return;
+
+  if (typeof window.framesThatShouldLoad[testname] === 'undefined') {
+    // uh-oh, we're not expecting this frame to load!
+    ok(false, testname + ' framed site should not have loaded: ' + uri);
+  } else {
+    framesThatShouldLoad[testname] = true;
+    ok(true, testname + ' framed site when allowed by csp (' + uri + ')');
+  }
+  checkTestResults();
+}
+
+// called when a frame is blocked
+// -- we can't determine *which* frame was blocked, but at least we can count them
+var frameBlocked = function(uri, policy) {
+  ok(true, 'a CSP policy blocked frame from being loaded: ' + policy);
+  expectedViolationsLeft--;
+  checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+  // if any test is incomplete, keep waiting
+  for (var v in framesThatShouldLoad)
+    if(window.framesThatShouldLoad[v] == -1)
+      return;
+
+  if (window.expectedViolationsLeft > 0)
+    return;
+
+  // ... otherwise, finish
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+window.addEventListener("message", receiveMessage, false);
+
+function receiveMessage(event) {
+  if (event.data.call && event.data.call == 'frameLoaded')
+    frameLoaded(event.data.testname, event.data.uri);
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+// added this so the tests run even if we don't flip the pref on by default.
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function() {
+    // save this for last so that our listeners are registered.
+    // ... this loads the testbed of good and bad requests.
+    document.getElementById('cspframe').src = 'file_CSP_frameancestors_main.html';
+    document.getElementById('cspframe2').src = 'file_CSP_frameancestors_main_spec_compliant.html';
+  });
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_CSP_inlinescript.html b/content/base/test/xcsp/test_CSP_inlinescript.html
new file mode 100644
index 00000000000..f8ec16bf533
--- /dev/null
+++ b/content/base/test/xcsp/test_CSP_inlinescript.html
@@ -0,0 +1,128 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy Frame Ancestors directive</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+var inlineScriptsThatRan = 0;
+var inlineScriptsBlocked = 0;
+var inlineScriptsTotal = 12;
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI, and should be either allowed or blocked.
+    if (!SpecialPowers.can_QI(subject))
+      return;
+
+    if (topic === "csp-on-violate-policy") {
+      var what = null;
+      try {
+        //these were blocked... record that they were blocked
+        what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      } catch(e) {
+        //if that fails, the subject is probably a string
+        what = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
+      }
+      window.scriptBlocked(what, data);
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+  }
+}
+
+// called by scripts that run
+// the first argument is whether the script expects to be allowed or not.
+var scriptRan = function(result, testname, data) {
+  inlineScriptsThatRan++;
+  ok(result, 'INLINE SCRIPT RAN: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+// called when a script is blocked
+// -- we can't determine *which* frame was blocked, but at least we can count them
+var scriptBlocked = function(testname, data) {
+  inlineScriptsBlocked++;
+  ok(true, 'INLINE SCRIPT BLOCKED: ' + testname + '(' + data + ')');
+  checkTestResults();
+}
+
+
+// Check to see if all the tests have run
+var checkTestResults = function() {
+  // if any test is incomplete, keep waiting
+  if (inlineScriptsThatRan + inlineScriptsBlocked < inlineScriptsTotal)
+    return;
+
+  // The four scripts in the page with 'unsafe-inline' should run.
+  is(inlineScriptsThatRan, 4, "there should be 4 inline scripts that ran");
+
+  // The other eight scripts in the other two pages should be blocked.
+  is(inlineScriptsBlocked, 8, "there should be 8 inline scripts that were blocked");
+
+  // ... otherwise, finish
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+window.examiner = new examiner();
+SimpleTest.waitForExplicitFinish();
+
+function clickit() {
+  var cspframe = document.getElementById('cspframe');
+  var a = cspframe.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe.contentWindow);
+}
+
+function clickit2() {
+  var cspframe2 = document.getElementById('cspframe2');
+  var a = cspframe2.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe2.contentWindow);
+}
+
+function clickit3() {
+  var cspframe3 = document.getElementById('cspframe3');
+  var a = cspframe3.contentDocument.getElementById('anchortoclick');
+  sendMouseEvent({type:'click'}, a, cspframe3.contentWindow);
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function() {
+    // save this for last so that our listeners are registered.
+    // ... this loads the testbed of good and bad requests.
+    document.getElementById('cspframe').src = 'file_CSP_inlinescript_main.html';
+    document.getElementById('cspframe').addEventListener('load', clickit, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinescript_main_spec_compliant.html';
+    document.getElementById('cspframe2').addEventListener('load', clickit2, false);
+    document.getElementById('cspframe3').src = 'file_CSP_inlinescript_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe3').addEventListener('load', clickit3, false);
+  });
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_CSP_inlinestyle.html b/content/base/test/xcsp/test_CSP_inlinestyle.html
new file mode 100644
index 00000000000..203bf69d2d1
--- /dev/null
+++ b/content/base/test/xcsp/test_CSP_inlinestyle.html
@@ -0,0 +1,142 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Content Security Policy inline stylesheets stuff</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
+<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+
+//////////////////////////////////////////////////////////////////////
+// set up and go
+SimpleTest.waitForExplicitFinish();
+
+var done = 0;
+
+// Our original CSP implementation does not block inline styles.
+function checkStyles(evt) {
+  var cspframe = document.getElementById('cspframe');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  //expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (original CSP implementation) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (original CSP implementation) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (original CSP implementation) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+  checkIfDone();
+}
+
+// When a CSP 1.0 compliant policy is specified we should block inline
+// styles applied by <style> element, style attribute, and SMIL <animate> and <set> tags
+// (when it's not explicitly allowed.)
+function checkStylesSpecCompliant(evt) {
+  var cspframe = document.getElementById('cspframe2');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  //expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 0, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 0, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'cssText (CSP 1.0 spec compliant) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 0, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe2.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
+// When a CSP 1.0 compliant policy is specified we should allow inline
+// styles when it is explicitly allowed.
+function checkStylesSpecCompliantAllowed(evt) {
+  var cspframe = document.getElementById('cspframe3');
+  var color;
+
+  // black means the style wasn't applied.  green colors are used for styles
+  // expected to be applied.  A color is red if a style is erroneously applied
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('linkstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'External Stylesheet (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('inlinestylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Inline Style TAG (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('attrstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Style Attribute (CSP 1.0 spec compliant, allowed) (' + color + ')');
+
+  // Note that the below test will fail if "script-src: 'unsafe-inline'" breaks,
+  // since it relies on executing script to set .cssText
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('csstextstylediv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'style.cssText (CSP 1.0 spec compliant, allowed) (' + color + ')');
+  // SMIL tests
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('xmlTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'XML Attribute styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTest',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssOverrideTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Override styling via ID lookup (SMIL) (' + color + ')');
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('cssSetTestById',null))['fill'];
+  ok('rgb(0, 255, 0)' === color, 'CSS Set Element styling via ID lookup (SMIL) (' + color + ')');
+
+  color = window.getComputedStyle(cspframe3.contentDocument.getElementById('modifycsstextdiv'),null)['color'];
+  ok('rgb(0, 255, 0)' === color, 'Modify loaded style sheet via cssText (' + color + ')');
+
+  checkIfDone();
+}
+
+function checkIfDone() {
+  done++;
+  if (done == 3)
+    SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true]]},
+  function() {
+    // save this for last so that our listeners are registered.
+    // ... this loads the testbed of good and bad requests.
+    document.getElementById('cspframe').src = 'file_CSP_inlinestyle_main.html';
+    document.getElementById('cspframe').addEventListener('load', checkStyles, false);
+    document.getElementById('cspframe2').src = 'file_CSP_inlinestyle_main_spec_compliant.html';
+    document.getElementById('cspframe2').addEventListener('load', checkStylesSpecCompliant, false);
+    document.getElementById('cspframe3').src = 'file_CSP_inlinestyle_main_spec_compliant_allowed.html';
+    document.getElementById('cspframe3').addEventListener('load', checkStylesSpecCompliantAllowed, false);
+  }
+);
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_csp_bug768029.html b/content/base/test/xcsp/test_csp_bug768029.html
new file mode 100644
index 00000000000..d455326c4cb
--- /dev/null
+++ b/content/base/test/xcsp/test_csp_bug768029.html
@@ -0,0 +1,223 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for CSP on trusted/certified apps -- bug 768029</title>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=768029">Mozilla Bug 768029</a>
+<p id="display"></p>
+<div id="content">
+
+</div>
+<pre id="test">
+<script type="application/javascript;version=1.7">
+
+Components.utils.import("resource://gre/modules/Services.jsm");
+
+/** Test for Bug 768029 **/
+
+// Note: we don't have to inspect all the different operations of CSP,
+// we're just looking for specific differences in behavior that indicate
+// a default CSP got applied.
+const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
+const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'";
+
+SimpleTest.waitForExplicitFinish();
+
+var gData = [
+  {
+    app: "https://example.com/manifest.webapp",
+    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
+    origin: "https://example.com",
+    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
+    statusString: "installed app",
+    expectedTestResults: {
+      max_tests: 7, /* number of bools below plus one for the status check */
+      cross_origin: { img: true,  script: true,  style: true },
+      same_origin:  { img: true,  script: true,  style: true  },
+    },
+  },
+
+  {
+    app: "https://example.com/manifest_priv.webapp",
+    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
+    origin: "https://example.com",
+    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
+    statusString: "privileged app",
+    expectedTestResults: {
+      max_tests: 7, /* number of bools below plus one for the status check */
+      cross_origin: { img: true,  script: false, style: false },
+      same_origin:  { img: true,  script: true,  style: true  },
+    },
+  },
+
+  {
+    app: "https://example.com/manifest_cert.webapp",
+    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
+    origin: "https://example.com",
+    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug768029.html",
+    statusString: "certified app",
+    expectedTestResults: {
+      max_tests: 7, /* number of bools below plus one for the status check */
+      cross_origin: { img: true,  script: false, style: false },
+      same_origin:  { img: true,  script: true,  style: true  },
+    },
+  },
+];
+
+// Observer for watching allowed loads and blocked attempts
+function ThingyListener(app, iframe) {
+  Services.obs.addObserver(this, "csp-on-violate-policy", false);
+  Services.obs.addObserver(this, "http-on-modify-request", false);
+  dump("added observers\n");
+  // keep track of which app ID this test is monitoring.
+  this._testData = app;
+  this._expectedResults = app.expectedTestResults;
+  this._resultsRecorded = { cross_origin: {}, same_origin: {}};
+  this._iframe = iframe;
+  this._countedTests = 0;
+}
+ThingyListener.prototype = {
+
+  observe: function(subject, topic, data) {
+    // make sure to only observe app-generated calls to the helper for this test.
+    var testpat = new RegExp("file_csp_bug768029\\.sjs");
+
+    // used to extract which kind of load this is (img, script, etc).
+    var typepat = new RegExp("type=([\\_a-z0-9]+)");
+
+    // used to identify whether it's cross-origin or same-origin loads
+    // (the applied CSP allows same-origin loads).
+    var originpat = new RegExp("origin=([\\_a-z0-9]+)");
+
+    if (topic === "http-on-modify-request") {
+      // Matching requests on this topic were allowed by the csp
+      var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
+      var uri = chan.URI;
+      // ignore irrelevent URIs
+      if (!testpat.test(uri.asciiSpec)) return;
+
+      var loadType = typepat.exec(uri.asciiSpec)[1];
+      var originType = originpat.exec(uri.asciiSpec)[1];
+
+      // skip duplicate hits to this topic (potentially document loads
+      // may generate duplicate loads.
+      if (this._resultsRecorded[originType] &&
+          this._resultsRecorded[originType][loadType]) {
+        return;
+      }
+      var message = originType + " : " + loadType + " should be " +
+                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
+      ok(this._expectedResults[originType][loadType] == true, message);
+      this._resultsRecorded[originType][loadType] = true;
+      this._countedTests++;
+    }
+    else if (topic === "csp-on-violate-policy") {
+      // Matching hits on this topic were blocked by the csp
+      var uri = subject.QueryInterface(Components.interfaces.nsIURI);
+      // ignore irrelevent URIs
+      if (!testpat.test(uri.asciiSpec)) return;
+
+      var loadType = typepat.exec(uri.asciiSpec)[1];
+      var originType = originpat.exec(uri.asciiSpec)[1];
+
+      // skip duplicate hits to this topic (potentially document loads
+      // may generate duplicate loads.
+      if (this._resultsRecorded[originType] &&
+          this._resultsRecorded[originType][loadType]) {
+        return;
+      }
+
+      var message = originType + " : " + loadType + " should be " +
+                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
+      ok(this._expectedResults[originType][loadType] == false, message);
+      this._resultsRecorded[originType][loadType] = true;
+      this._countedTests++;
+    }
+    else {
+      // wrong topic!  Nothing to do.
+      return;
+    }
+
+    this._checkForFinish();
+  },
+
+  _checkForFinish: function() {
+    // check to see if there are load tests still pending.
+    // (All requests triggered by the app should hit one of the
+    // two observer topics.)
+    if (this._countedTests == this._expectedResults.max_tests) {
+      Services.obs.removeObserver(this, "csp-on-violate-policy");
+      Services.obs.removeObserver(this, "http-on-modify-request");
+      dump("removed observers\n");
+      checkedCount++;
+      if (checkedCount == checksTodo) {
+        SpecialPowers.removePermission("browser", "https://example.com");
+        SimpleTest.finish();
+      } else {
+        gTestRunner.next();
+      }
+    }
+  },
+
+  // verify the status of the app
+  checkAppStatus: function() {
+    var principal = this._iframe.contentDocument.nodePrincipal;
+    if (this._testData.app) {
+      is(principal.appStatus, this._testData.appStatus,
+         "iframe principal's app status doesn't match the expected app status.");
+      this._countedTests++;
+      this._checkForFinish();
+    }
+  }
+}
+
+var content = document.getElementById('content');
+var checkedCount = 0; // number of apps checked
+var checksTodo = gData.length;
+
+// quick check to make sure we can test apps:
+is('appStatus' in document.nodePrincipal, true,
+   'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
+
+function runTest() {
+  for (var i = 0; i < gData.length; i++) {
+    let data = gData[i];
+    var iframe = document.createElement('iframe');
+
+    // watch for successes and failures
+    var examiner = new ThingyListener(data, iframe);
+
+    iframe.setAttribute('mozapp', data.app);
+    iframe.setAttribute('mozbrowser', 'true');
+    iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
+    iframe.src = data.uri;
+
+    content.appendChild(iframe);
+
+    yield undefined;
+  }
+}
+
+var gTestRunner = runTest();
+
+// load the default CSP and pref it on
+SpecialPowers.addPermission("browser", true, "https://example.com");
+SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
+                                   ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
+                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT],
+                                   ["security.mixed_content.block_active_content", false],
+                                   ["security.mixed_content.block_display_content", false]]},
+                          function() {  gTestRunner.next(); });
+
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_csp_bug773891.html b/content/base/test/xcsp/test_csp_bug773891.html
new file mode 100644
index 00000000000..8d0736fb790
--- /dev/null
+++ b/content/base/test/xcsp/test_csp_bug773891.html
@@ -0,0 +1,228 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+  https://bugzilla.mozilla.org/show_bug.cgi?id=768029
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=773891">Mozilla Bug 773891</a>
+<p id="display"></p>
+<div id="content">
+
+</div>
+<pre id="test">
+<script type="application/javascript;version=1.7">
+
+Components.utils.import("resource://gre/modules/Services.jsm");
+
+/** Test for Bug 773891 **/
+
+// Note: we don't have to inspect all the different operations of CSP,
+// we're just looking for specific differences in behavior that indicate
+// a default CSP got applied.
+const DEFAULT_CSP_PRIV = "default-src *; script-src *; style-src 'self' 'unsafe-inline'; object-src 'none'";
+const DEFAULT_CSP_CERT = "default-src *; script-src *; style-src 'self'; object-src 'none'";
+
+const MANIFEST_CSP_PRIV = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
+const MANIFEST_CSP_INST = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
+const MANIFEST_CSP_CERT = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
+
+SimpleTest.waitForExplicitFinish();
+
+var gData = [
+
+  {
+    app: "https://example.com/manifest_csp_inst.webapp",
+    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
+    csp: MANIFEST_CSP_INST,
+    origin: "https://example.com",
+    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
+    statusString: "installed app",
+    expectedTestResults: {
+      max_tests: 7, /* number of bools below plus one for the status check */
+      cross_origin: { img: true,  script: false, style: false },
+      same_origin:  { img: true,  script: true,  style: true  },
+    },
+  },
+  {
+    app: "https://example.com/manifest_csp_cert.webapp",
+    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
+    csp: MANIFEST_CSP_CERT,
+    origin: "https://example.com",
+    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
+    statusString: "certified app",
+    expectedTestResults: {
+      max_tests: 7, /* number of bools below plus one for the status check */
+      cross_origin: { img: true,  script: false, style: false },
+      same_origin:  { img: true,  script: true,  style: true  },
+    },
+  },
+  {
+    app: "https://example.com/manifest_csp_priv.webapp",
+    appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
+    csp: MANIFEST_CSP_PRIV,
+    origin: "https://example.com",
+    uri: "https://example.com/tests/content/base/test/csp/file_csp_bug773891.html",
+    statusString: "privileged app",
+    expectedTestResults: {
+      max_tests: 7, /* number of bools below plus one for the status check */
+      cross_origin: { img: true,  script: false, style: false },
+      same_origin:  { img: true,  script: true,  style: true  },
+    },
+  },
+];
+
+// Observer for watching allowed loads and blocked attempts
+function ThingyListener(app, iframe) {
+  Services.obs.addObserver(this, "csp-on-violate-policy", false);
+  Services.obs.addObserver(this, "http-on-modify-request", false);
+  dump("added observers\n");
+  // keep track of which app ID this test is monitoring.
+  this._testData = app;
+  this._expectedResults = app.expectedTestResults;
+  this._resultsRecorded = { cross_origin: {}, same_origin: {}};
+  this._iframe = iframe;
+  this._countedTests = 0;
+}
+ThingyListener.prototype = {
+
+  observe: function(subject, topic, data) {
+    // make sure to only observe app-generated calls to the helper for this test.
+    var testpat = new RegExp("file_csp_bug773891\\.sjs");
+
+    // used to extract which kind of load this is (img, script, etc).
+    var typepat = new RegExp("type=([\\_a-z0-9]+)");
+
+    // used to identify whether it's cross-origin or same-origin loads
+    // (the applied CSP allows same-origin loads).
+    var originpat = new RegExp("origin=([\\_a-z0-9]+)");
+
+    if (topic === "http-on-modify-request") {
+      // Matching requests on this topic were allowed by the csp
+      var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
+      var uri = chan.URI;
+      // ignore irrelevent URIs
+      if (!testpat.test(uri.asciiSpec)) return;
+
+      var loadType = typepat.exec(uri.asciiSpec)[1];
+      var originType = originpat.exec(uri.asciiSpec)[1];
+
+      // skip duplicate hits to this topic (potentially document loads
+      // may generate duplicate loads.
+      if (this._resultsRecorded[originType] &&
+          this._resultsRecorded[originType][loadType]) {
+        return;
+      }
+      var message = originType + " : " + loadType + " should be " +
+                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
+      ok(this._expectedResults[originType][loadType] == true, message);
+      this._resultsRecorded[originType][loadType] = true;
+      this._countedTests++;
+    }
+    else if (topic === "csp-on-violate-policy") {
+      // Matching hits on this topic were blocked by the csp
+      var uri = subject.QueryInterface(Components.interfaces.nsIURI);
+      // ignore irrelevent URIs
+      if (!testpat.test(uri.asciiSpec)) return;
+
+      var loadType = typepat.exec(uri.asciiSpec)[1];
+      var originType = originpat.exec(uri.asciiSpec)[1];
+
+      // skip duplicate hits to this topic (potentially document loads
+      // may generate duplicate loads.
+      if (this._resultsRecorded[originType] &&
+          this._resultsRecorded[originType][loadType]) {
+        return;
+      }
+
+      var message = originType + " : " + loadType + " should be " +
+                    (this._expectedResults[originType][loadType] ? "allowed" : "blocked");
+      ok(this._expectedResults[originType][loadType] == false, message);
+      this._resultsRecorded[originType][loadType] = true;
+      this._countedTests++;
+    }
+    else {
+      // wrong topic!  Nothing to do.
+      return;
+    }
+
+    this._checkForFinish();
+  },
+
+  _checkForFinish: function() {
+    // check to see if there are load tests still pending.
+    // (All requests triggered by the app should hit one of the
+    // two observer topics.)
+    if (this._countedTests == this._expectedResults.max_tests) {
+      Services.obs.removeObserver(this, "csp-on-violate-policy");
+      Services.obs.removeObserver(this, "http-on-modify-request");
+      dump("removed observers\n");
+      checkedCount++;
+      if (checkedCount == checksTodo) {
+        SpecialPowers.removePermission("browser", "https://example.com");
+        SimpleTest.finish();
+      } else {
+        gTestRunner.next();
+      }
+    }
+  },
+
+  // verify the status of the app
+  checkAppStatus: function() {
+    var principal = this._iframe.contentDocument.nodePrincipal;
+    if (this._testData.app) {
+      is(principal.appStatus, this._testData.appStatus,
+         "iframe principal's app status doesn't match the expected app status.");
+      this._countedTests++;
+      this._checkForFinish();
+    }
+  }
+}
+
+var content = document.getElementById('content');
+var checkedCount = 0; // number of apps checked
+var checksTodo = gData.length;
+
+// quick check to make sure we can test apps:
+is('appStatus' in document.nodePrincipal, true,
+   'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
+
+function runTest() {
+  for (var i = 0; i < gData.length; i++) {
+    let data = gData[i];
+    var iframe = document.createElement('iframe');
+
+    // watch for successes and failures
+    var examiner = new ThingyListener(data, iframe);
+
+    iframe.setAttribute('mozapp', data.app);
+    iframe.setAttribute('mozbrowser', 'true');
+    iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
+    iframe.src = data.uri;
+
+    content.appendChild(iframe);
+
+    yield undefined;
+  }
+}
+
+var gTestRunner = runTest();
+
+// load the default CSP and pref it on
+SpecialPowers.addPermission("browser", true, "https://example.com");
+
+SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
+                                   ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
+                                   ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
+                          function() {  gTestRunner.next(); });
+
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_csp_redirects.html b/content/base/test/xcsp/test_csp_redirects.html
new file mode 100644
index 00000000000..b1f603bf238
--- /dev/null
+++ b/content/base/test/xcsp/test_csp_redirects.html
@@ -0,0 +1,148 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Tests for Content Security Policy during redirects</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+
+<iframe style="width:100%;height:300px;" id="harness"></iframe>
+<pre id="log"></pre>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/csp/";
+
+// debugging
+function log(s) {
+  return;
+  dump("**" + s + "\n");
+  var log = document.getElementById("log");
+  log.textContent = log.textContent+s+"\n";
+}
+
+// used to watch if requests are blocked by CSP or allowed through
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    var testpat = new RegExp("testid=([a-z0-9-]+)");
+    var asciiSpec;
+    var testid;
+
+    if (topic === "specialpowers-http-notify-request") {
+      // request was sent
+      var allowedUri = data;
+      if (!testpat.test(allowedUri)) return;
+      testid = testpat.exec(allowedUri)[1];
+      if (testExpectedResults[testid] == "completed") return;
+      log("allowed: "+allowedUri);
+      window.testResult(testid, allowedUri, true);
+    }
+
+    else if (topic === "csp-on-violate-policy") {
+      // request was blocked
+      asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+      if (!testpat.test(asciiSpec)) return;
+      testid = testpat.exec(asciiSpec)[1];
+      // had to add this check because http-on-modify-request can fire after
+      // csp-on-violate-policy, apparently, even though the request does
+      // not hit the wire.
+      if (testExpectedResults[testid] == "completed") return;
+      log("BLOCKED: "+asciiSpec);
+      window.testResult(testid, asciiSpec, false);
+    }
+  },
+
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+window.examiner = new examiner();
+
+// contains { test_frame_id : expected_result }
+var testExpectedResults = { "font-src": true,
+                            "font-src-redir": false,
+                            "frame-src": true,
+                            "frame-src-redir": false,
+                            "img-src": true,
+                            "img-src-redir": false,
+                            "media-src": true,
+                            "media-src-redir": false,
+                            "object-src": true,
+                            "object-src-redir": false,
+                            "script-src": true,
+                            "script-src-redir": false,
+                            "style-src": true,
+                            "style-src-redir": false,
+                            "worker": true,
+                            "worker-redir": false,
+                            "xhr-src": true,
+                            "xhr-src-redir": false,
+                            "font-src-spec-compliant": true,
+                            "font-src-redir-spec-compliant": false,
+                            "frame-src-spec-compliant": true,
+                            "frame-src-redir-spec-compliant": false,
+                            "img-src-spec-compliant": true,
+                            "img-src-redir-spec-compliant": false,
+                            "media-src-spec-compliant": true,
+                            "media-src-redir-spec-compliant": false,
+                            "object-src-spec-compliant": true,
+                            "object-src-redir-spec-compliant": false,
+                            "script-src-spec-compliant": true,
+                            "script-src-redir-spec-compliant": false,
+                            "style-src-spec-compliant": true,
+                            "style-src-redir-spec-compliant": false,
+                            "worker-spec-compliant": true,
+                            "worker-redir-spec-compliant": false,
+                            "xhr-src-spec-compliant": true,
+                            "xhr-src-redir-spec-compliant": false,
+                          };
+
+// takes the name of the test, the URL that was tested, and whether the
+// load occurred
+var testResult = function(testName, url, result) {
+  log("  testName: "+testName+", result: "+result+", expected: "+testExpectedResults[testName]+"\n");
+  is(result, testExpectedResults[testName], testName+" test: "+url);
+
+ // mark test as completed
+  testExpectedResults[testName] = "completed";
+
+  // don't finish until we've run all the tests
+  for (var t in testExpectedResults) {
+    if (testExpectedResults[t] != "completed") {
+      return;
+    }
+  }
+
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", true],
+          // This defaults to 0 ("preload none") on mobile (B2G/Android), which
+          // blocks loading the resource until the user interacts with a
+          // corresponding widget, which breaks the media_* tests. We set it
+          // back to the default used by desktop Firefox to get consistent
+          // behavior.
+          ["media.preload.default", 2]]},
+  function() {
+    // save this for last so that our listeners are registered.
+    // ... this loads the testbed of good and bad requests.
+    document.getElementById("harness").src = "file_csp_redirects_main.html";
+  });
+</script>
+</pre>
+
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_csp_report.html b/content/base/test/xcsp/test_csp_report.html
new file mode 100644
index 00000000000..1462bd85e46
--- /dev/null
+++ b/content/base/test/xcsp/test_csp_report.html
@@ -0,0 +1,108 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=548193
+-->
+<head>
+  <title>Test for Bug 548193</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<script class="testbody" type="text/javascript">
+// This is used to watch requests go out so we can see if the report is
+// sent correctly
+function examiner() {
+  SpecialPowers.addObserver(this, "http-on-opening-request", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI
+    if (!SpecialPowers.can_QI(subject))
+      return;
+
+    const reportURI = "http://mochi.test:8888/csp-report.cgi";
+
+    if (topic === "http-on-opening-request") {
+      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
+      if (asciiSpec !== reportURI) return;
+
+      // Verify that the report was properly formatted.
+      // We'll parse the report text as JSON and verify that the properties
+      // have expected values.
+      var reportText = "{}";
+      try {
+        var uploadStream = SpecialPowers.wrap(SpecialPowers.do_QueryInterface(subject, "nsIUploadChannel")).uploadStream;
+
+        if (uploadStream) {
+          // get the bytes from the request body
+          var binstream = SpecialPowers.Cc["@mozilla.org/binaryinputstream;1"]
+                                          .createInstance(SpecialPowers.Ci.nsIBinaryInputStream);
+          binstream.setInputStream(uploadStream);
+
+          var segments = [];
+          for (var count = uploadStream.available(); count; count = uploadStream.available()) {
+            var data = binstream.readBytes(count);
+            segments.push(data);
+          }
+
+          var reportText = segments.join("");
+          // rewind stream as we are supposed to - there will be an assertion later if we don't.
+          SpecialPowers.do_QueryInterface(uploadStream, "nsISeekableStream").seek(SpecialPowers.Ci.nsISeekableStream.NS_SEEK_SET, 0);
+        }
+      }
+      catch(e) {}
+
+      var reportObj = JSON.parse(reportText);
+
+      // test for the proper values in the report object
+      window.checkResults(reportObj);
+
+      // finish up
+      window.examiner.remove();
+      SimpleTest.finish();
+    }
+  },
+
+  // remove the listener
+  remove: function() {
+    SpecialPowers.removeObserver(this, "http-on-opening-request");
+  }
+}
+
+// content file that triggers a violation report
+var testFile = "file_csp_report.sjs";
+
+window.checkResults = function(reportObj) {
+  var cspReport = reportObj["csp-report"];
+  // correct violating request
+  is(cspReport["document-uri"],
+     "http://mochi.test:8888/tests/content/base/test/csp/" + testFile,
+     "Incorrect violating request");
+  // correct blocked-uri
+  is(cspReport["blocked-uri"],
+     "http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png",
+     "Incorrect blocked uri");
+  // correct violated-directive
+  is(cspReport["violated-directive"], "default-src http://mochi.test:8888",
+     "Incorrect violated directive");
+  // not practical to test request-headers as header names and values will
+  // change with the trunk
+}
+
+window.examiner = new examiner();
+
+SimpleTest.waitForExplicitFinish();
+
+// load the resource which will generate a CSP violation report
+document.getElementById("cspframe").src = testFile;
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_multi_policy_injection_bypass.html b/content/base/test/xcsp/test_multi_policy_injection_bypass.html
new file mode 100644
index 00000000000..5a1315b5be6
--- /dev/null
+++ b/content/base/test/xcsp/test_multi_policy_injection_bypass.html
@@ -0,0 +1,121 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=717511
+-->
+<head>
+  <title>Test for Bug 717511</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+
+</div>
+
+<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
+<iframe style="width:200px;height:200px;" id='cspframe2'></iframe>
+<script class="testbody" type="text/javascript">
+
+var path = "/tests/content/base/test/";
+
+// These are test results: -1 means it hasn't run,
+// true/false is the pass/fail result.
+// This is not exhaustive, just double-checking the 'self' vs * policy conflict in the two HTTP headers.
+window.tests = {
+  img_good: -1,
+  img_bad: -1,
+  script_good: -1,
+  script_bad: -1,
+  img2_good: -1,
+  img2_bad: -1,
+  script2_good: -1,
+  script2_bad: -1,
+};
+
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request", false);
+}
+examiner.prototype  = {
+  observe: function(subject, topic, data) {
+    var testpat = new RegExp("testid=([a-z0-9_]+)");
+
+    //_good things better be allowed!
+    //_bad things better be stopped!
+
+    if (topic === "specialpowers-http-notify-request") {
+      //these things were allowed by CSP
+      var asciiSpec = data;
+      if (!testpat.test(asciiSpec)) return;
+      var testid = testpat.exec(asciiSpec)[1];
+      window.testResult(testid,
+                        /_good/.test(testid),
+                        asciiSpec + " allowed by csp");
+
+    }
+
+    if(topic === "csp-on-violate-policy") {
+      // subject should be an nsIURI for csp-on-violate-policy
+      if (!SpecialPowers.can_QI(subject)) {
+        return;
+      }
+
+      //these were blocked... record that they were blocked
+      var asciiSpec = SpecialPowers.getPrivilegedProps(
+                        SpecialPowers.do_QueryInterface(subject, "nsIURI"),
+                        "asciiSpec");
+      if (!testpat.test(asciiSpec)) return;
+      var testid = testpat.exec(asciiSpec)[1];
+      window.testResult(testid,
+                        /_bad/.test(testid),
+                        asciiSpec + " blocked by \"" + data + "\"");
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+window.testResult = function(testname, result, msg) {
+
+  //test already complete.... forget it... remember the first result.
+  if (window.tests[testname] != -1)
+    return;
+
+  window.tests[testname] = result;
+  is(result, true, testname + ' test: ' + msg);
+
+  // if any test is incomplete, keep waiting
+  for (var v in window.tests)
+    if(tests[v] == -1)
+      return;
+
+  // ... otherwise, finish
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// save this for last so that our listeners are registered.
+// ... this loads the testbed of good and bad requests.
+
+document.getElementById('cspframe').src = 'file_multi_policy_injection_bypass.html';
+document.getElementById('cspframe2').src = 'file_multi_policy_injection_bypass_2.html';
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/content/base/test/xcsp/test_subframe_run_js_if_allowed.html b/content/base/test/xcsp/test_subframe_run_js_if_allowed.html
new file mode 100644
index 00000000000..96a70b366a9
--- /dev/null
+++ b/content/base/test/xcsp/test_subframe_run_js_if_allowed.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=702439
+
+This test verifies that child iframes of CSP documents are
+permitted to execute javascript: URLs assuming the policy
+allows this.
+-->
+<head>
+  <title>Test for Bug 702439</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script class="testbody" type="text/javascript">
+var javascript_link_ran = false;
+
+// check that the script in the child frame's javascript: URL ran
+function checkResult()
+{
+  is(javascript_link_ran, true,
+     "javascript URL didn't execute");
+
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+</script>
+<iframe id="i" src="file_subframe_run_js_if_allowed.html"></iframe>
+</body>
+</html>