Implement CSP hash reporting for scripts
https://bugs.webkit.org/show_bug.cgi?id=285292

Reviewed by Darin Adler.

New `report-sha256`, `report-sha384` and `report-sha512` keywords were recently added to CSP - https://github.com/w3c/webappsec-csp/pull/693/files

These new keywords trigger a new reporting type "hash-report".
It reports hashes for (same-origin or CORS enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.

Those reports enable developers to:

* Create an inventory of the scripts running on their page (critical for PCI-DSS v4 - context).
* Have certainty that they can enable SRI or CSP hash-based enforcement without breaking their sites. The current PR only covers external scripts. We may want to extend the feature in the future to cover inline scripts, evals, event handlers and javascript URLs.

This PR implements that feature.

* LayoutTests/TestExpectations: Stop skipping the relevant tests.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/default-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/default-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/multiple-policies.https.sub-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/multiple-policies.https.sub.html.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-default-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-default-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-elem.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-elem.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-none.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-none.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/resources/report-hash-test-runner.sub.js:
(report_hash_test): Avoid domains and add error handling.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-elem.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-elem.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-sha512.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-sha512.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/platform/mac-wk1/TestExpectations: Expect failures on wk1 - https://bugs.webkit.org/show_bug.cgi?id=285098.
* Source/WebCore/Modules/reporting/ViolationReportType.h: Add
  CSPHashReport type.
* Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
(WebCore::ScriptModuleLoader::notifyFinished): rename
matchIntegrityMetadata call.
* Source/WebCore/dom/LoadableClassicScript.cpp:
(WebCore::LoadableNonModuleScriptBase::notifyFinished): rename
matchIntegrityMetadata call.
* Source/WebCore/html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::setCSSStyleSheet): rename
matchIntegrityMetadata call.
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::didFinishLoading): rename
matchIntegrityMetadata call.
* Source/WebCore/loader/PingLoader.cpp:
(WebCore::PingLoader::sendViolationReport): Handle CSPHashReport.
* Source/WebCore/loader/SubresourceIntegrity.cpp:
(WebCore::createReportFormData): Create a report.
(WebCore::addHashPrefix): Add a prefix to the reported value, based on
the algorithm enum value.
(WebCore::findStrongestAlgorithm): Get the strongest algorithm in
a HashAlgorithmSet.
(WebCore::reportHashesIfNeeded): Potentially report hashes for a resource.
(WebCore::matchIntegrityMetadataSlow): implements the
matchIntegrityMetadata logic.
* Source/WebCore/loader/SubresourceIntegrity.h:
(WebCore::matchIntegrityMetadata): Adjust condition and call hash
reporting.
* Source/WebCore/loader/cache/CachedResource.h:
(WebCore::CachedResource::loader const): Make it a const.
(WebCore::CachedResource::setIsHashReportingNeeded): Setter for
isHashReportingNeeded.
(WebCore::CachedResource::isHashReportingNeeded const): Getter for
isHashReportingNeeded.
(WebCore::CachedResource::loader): Deleted.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource): Set
isHashReportingNeeded on the resource.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::hashesToReport): Get the hashes to
report from the different CSP policies.
* Source/WebCore/page/csp/ContentSecurityPolicy.h: Define
  HashAlgorithmSet and HashAlgorithmSetCollection.
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::hashReportDirectiveForScript const): Get the directives for script hash reporting.
(WebCore::ContentSecurityPolicyDirectiveList::reportHash const): Return
the HashAlgorithmSet for the script reporting directive.
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h: Add
  reportHash and hashReportDirectiveForScript.
* Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::parseSource): Parse the hash
reporting keywords and set the appropriate algorithms in the
HashAlgorithmSet.
* Source/WebCore/page/csp/ContentSecurityPolicySourceList.h: Add
  a HashAlgorithmSet.
(WebCore::ContentSecurityPolicySourceList::reportHash const): Getter for
the HashAlgorithmSet.
* Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h:
(WebCore::ContentSecurityPolicySourceListDirective::reportHash const):
Pipe the HashAlgorithmSet from the sourceList.

Canonical link: https://commits.webkit.org/288506@main
yoavweiss committed Jan 7, 2025
1 parent c40691a commit 70d6fcb
Showing 34 changed files with 248 additions and 108 deletions.
3 changes: 0 additions & 3 deletions LayoutTests/TestExpectations
Original file line number Diff line number Diff line change
Expand Up @@ -6184,9 +6184,6 @@ imported/w3c/web-platform-tests/import-maps/acquiring/modulepreload-link-header.

imported/w3c/web-platform-tests/import-maps/ [ DumpJSConsoleLogInStdErr ]

# Imported tests that are timing out because the feature is not yet implemented.
imported/w3c/web-platform-tests/content-security-policy/report-hash [ Skip ]

# WebKit2 Only
fullscreen/fullscreen-enter-bottom-padding-animation.html [ Skip ]

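Review bot: dropping the directory-wide `[ Skip ]` also enables these tests on WebKit1, where the commit message says they fail; the compensating mac-wk1 TestExpectations entry (bug 285098) needs to land in the same commit so the WK1 bots do not go red in between. Removing the "# Imported tests that are timing out because the feature is not yet implemented." comment together with the entry is right, since the stated reason no longer applies.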
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/default-src.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/default-src.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

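Review bot: the lines worth protecting in this expectation are "no hash for cross-origin no-CORS script" and the two "no report for failed integrity check" cases: together they pin down that hash reporting never discloses the content hash of an opaque cross-origin response or of a resource that failed its SRI check, which is the privacy boundary of the feature. If a later expectation update flips any of those to FAIL, treat it as a regression to investigate rather than an expectation to rebaseline.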
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy: default-src 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy: default-src 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="
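Review bot: the `{{hosts[alt][www]}}` to `{{hosts[alt][]}}` substitution is a local deviation from upstream WPT (the commit message only says "Avoid domains"); it will be overwritten at the next WPT import unless it is sent upstream or recorded in the import's local-changes list, so please do one of the two. It must also stay in step with `REMOTE_ORIGIN` in report-hash-test-runner.sub.js, which this commit changes the same way; if they diverge, the "cross-origin CORS script" case fetches from an origin the policy does not allow-list.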
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/multiple-policies.https.sub.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/multiple-policies.https.sub.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy: script-src-elem 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy: script-src-elem 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Reporting-Endpoints: csp-endpoint2="/reporting/resources/report.py?reportID={{$id2:uuid()}}"
Content-Security-Policy: script-src-elem 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha512'; report-to csp-endpoint2
Content-Security-Policy: script-src-elem 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha512'; report-to csp-endpoint2
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="
Server-Timing: uuid2;desc="{{$id2}}",hash2;desc="sha512-hG4x56V5IhUUepZdYU/lX7UOQJ2M7f6ud2EI7os4JV3OwXSZ002P3zkb9tXQkjpOO8UbtjuEufvdcU67Qt2tlw=="

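Review bot: this is the one headers file that delivers two policies with different keywords ('report-sha256' to csp-endpoint, 'report-sha512' to csp-endpoint2), so it is the coverage for `ContentSecurityPolicy::hashesToReport` collecting per policy and for each report carrying its own algorithm; the two Server-Timing values (a sha256 and a sha512 hash of the same script) are what the runner compares against. A sibling case where both policies request the same algorithm would additionally confirm that the report goes to both endpoints rather than being deduplicated.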
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-default-src.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-default-src.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy-Report-Only: default-src 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy-Report-Only: default-src 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="
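Review bot: a Content-Security-Policy-Report-Only policy carrying 'report-sha256' produces hash reports exactly like an enforcing one (the expected file shows the same PASS set), which is the intended deployment path for building a script inventory before enforcement is switched on. Worth a line in the documentation: the endpoint named in Reporting-Endpoints then receives the hash of every external script the page loads, so it should be an endpoint the site operator controls.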
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-script-src-elem.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-script-src-elem.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy-Report-Only: script-src-elem 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy-Report-Only: script-src-elem 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-script-src-none.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-script-src-none.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy-Report-Only: script-src 'none' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy-Report-Only: script-src 'none' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="

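Review bot: 'none' alongside host sources, 'unsafe-inline' and 'report-sha256' reads oddly: in CSP3 matching, a 'none' that is not the sole source expression has no effect, so what this file exercises is that the reporting keyword is parsed and honored regardless of the other expressions in the list (and, being report-only, that the scripts still load and get reported). A comment in the headers file stating that intent would stop someone "correcting" the policy later.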
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-script-src.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/reportonly-script-src.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy-Report-Only: script-src 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy-Report-Only: script-src 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ function find_server_timing(name) {
}

const ORIGIN = "https://{{host}}:{{ports[https][0]}}";
const REMOTE_ORIGIN = "https://{{hosts[alt][www]}}:{{ports[https][0]}}";
const REMOTE_ORIGIN = "https://{{hosts[alt][]}}:{{ports[https][0]}}";
const endpoint = `${ORIGIN}/reporting/resources/report.py`;
const id = find_server_timing("uuid");
const id2 = find_server_timing("uuid2");
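Review bot: `REMOTE_ORIGIN` now uses `{{hosts[alt][]}}`, matching the `.headers` files changed in this commit; the two have to stay in sync or the "cross-origin CORS script" case silently targets an origin the policy does not list. If the WPT template mechanism allows it, deriving both from a single shared substitution would remove the chance of them drifting apart on the next import.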
Expand Down Expand Up @@ -49,6 +49,7 @@ function report_hash_test(url, populate_script_attributes, expected_hash, expect
script.src = unique_subresource_url;
populate_script_attributes(script);
script.addEventListener('load', resolve);
script.addEventListener('error', resolve);
document.head.appendChild(script);
});

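Review bot: resolving on 'error' as well as 'load' is what turns the failed-integrity cases from TIMEOUT/NOTRUN into results, since a script whose SRI check fails never fires 'load'. Because both listeners resolve with the event, the caller cannot tell a blocked script from a loaded one; that is acceptable here because the assertions are on what the reporting endpoint received, not on the load outcome, but a one-line comment saying the outcome is intentionally ignored would help the next reader.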
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/script-src-elem.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/script-src-elem.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy: script-src-elem 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy: script-src-elem 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha256-1XF/E08XndkoxwN6eIa5J89hYn3OVZ/UyB8BrU5jgzk="
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@

Harness Error (TIMEOUT), message = null

FAIL Reporting endpoints received hash for same-origin CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/script-src-sha512.https.window.html is not found. Reached unreachable code
FAIL Reporting endpoints received hash for same-origin no-CORS script. assert_unreached: A report of csp-hash from https://localhost:9443/content-security-policy/report-hash/script-src-sha512.https.window.html is not found. Reached unreachable code
TIMEOUT Reporting endpoints received hash for cross-origin CORS script. Test timed out
NOTRUN Reporting endpoints received no hash for cross-origin no-CORS script.
NOTRUN Reporting endpoints received the right hash for same-origin CORS script with integrity.
NOTRUN Reporting endpoints received no report for failed integrity check with sha256.
NOTRUN Reporting endpoints received no report for failed integrity check with sha512.
NOTRUN Reporting endpoints received no report for CORS stylesheet.
PASS Reporting endpoints received hash for same-origin CORS script.
PASS Reporting endpoints received hash for same-origin no-CORS script.
PASS Reporting endpoints received hash for cross-origin CORS script.
PASS Reporting endpoints received no hash for cross-origin no-CORS script.
PASS Reporting endpoints received the right hash for same-origin CORS script with integrity.
PASS Reporting endpoints received no report for failed integrity check with sha256.
PASS Reporting endpoints received no report for failed integrity check with sha512.
PASS Reporting endpoints received no report for CORS stylesheet.

Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
Reporting-Endpoints: csp-endpoint="/reporting/resources/report.py?reportID={{$id:uuid()}}"
Content-Security-Policy: script-src 'self' {{hosts[alt][www]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha512' 'report-sha384' 'report-sha256'; report-to csp-endpoint
Content-Security-Policy: script-src 'self' {{hosts[alt][]}}:{{ports[https][0]}} 'unsafe-inline' 'report-sha512' 'report-sha384' 'report-sha256'; report-to csp-endpoint
Server-Timing: uuid;desc="{{$id}}",hash;desc="sha512-hG4x56V5IhUUepZdYU/lX7UOQJ2M7f6ud2EI7os4JV3OwXSZ002P3zkb9tXQkjpOO8UbtjuEufvdcU67Qt2tlw=="
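Review bot: this is the only policy listing all three keywords, so it is the test for `findStrongestAlgorithm` choosing sha512 (the Server-Timing expectation is the sha512 value). The keywords are listed strongest-first, though, so the test cannot distinguish "pick the strongest" from "pick the first"; a sibling headers file listing 'report-sha256' first with the same sha512 expectation would close that gap.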
