From a2c185eecb07fb4ceb07339f928d12dccdb909a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Wang?= <fwang@igalia.com>
Date: Fri, 24 Jan 2025 18:22:05 +0100
Subject: [PATCH] Add more tests for trusted-types-sink violation reports.

This covers all Window-only sinks listed in
https://github.com/w3c/trusted-types/issues/494#issuecomment-2572763334

This also adds small improvements to csp-violations.js:

- Rely on connect-src / EventSource / self.add/removeEventListner, so
  that the file could be usable in Workers in the future.

- Also force a connect-src violation before executing fn, so that we
  can flush previously reported violations. Although this is not
  necessary for existing tests, I noticed this can sometimes happen
  when I was trying to write tests.
---
 ...icyFactory-createPolicy-cspTests-none.html |   2 +-
 ...pePolicyFactory-createPolicy-cspTests.html |   2 +-
 ...trusted-types-for-report-only.html.headers |   2 +-
 trusted-types/require-trusted-types-for.html  |   2 +-
 trusted-types/support/csp-violations.js       |  39 ++++---
 ...d-types-eval-reporting-no-unsafe-eval.html |   4 +-
 ...eval-reporting-no-unsafe-eval.html.headers |   2 +-
 ...sted-types-eval-reporting-report-only.html |   2 +-
 ...es-eval-reporting-report-only.html.headers |   2 +-
 .../trusted-types-eval-reporting.html         |   2 +-
 .../trusted-types-eval-reporting.html.headers |   2 +-
 .../trusted-types-report-only.html.headers    |   2 +-
 ...porting-for-DOMParser-parseFromString.html |  26 +++++
 ...es-reporting-for-Document-execCommand.html |  34 ++++++
 ...eporting-for-Document-parseHTMLUnsafe.html |  26 +++++
 ...ed-types-reporting-for-Document-write.html |  38 +++++++
 ...types-reporting-for-Element-innerHTML.html |  26 +++++
 ...orting-for-Element-insertAdjacentHTML.html |  27 +++++
 ...types-reporting-for-Element-outerHTML.html |  26 +++++
 ...es-reporting-for-Element-setAttribute.html | 107 ++++++++++++++++++
 ...s-reporting-for-Element-setHTMLUnsafe.html |  26 +++++
 ...eporting-for-HTMLIFrameElement-srcdoc.html |  26 +++++
 ...types-reporting-for-HTMLScriptElement.html |  44 +++++++
 ...ng-for-Range-createContextualFragment.html |  32 ++++++
 ...es-reporting-for-ShadowRoot-innerHTML.html |  29 +++++
 ...eporting-for-ShadowRoot-setHTMLUnsafe.html |  29 +++++
 trusted-types/trusted-types-reporting.html    |  92 +--------------
 .../trusted-types-reporting.html.headers      |   2 +-
 .../trusted-types-source-file-path.html       |   2 +-
 .../trusted-types-svg-script-set-href.html    |   2 +-
 trusted-types/trusted-types-svg-script.html   |   2 +-
 31 files changed, 536 insertions(+), 123 deletions(-)
 create mode 100644 trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Document-execCommand.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Document-write.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Element-innerHTML.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Element-outerHTML.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Element-setAttribute.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html
 create mode 100644 trusted-types/trusted-types-reporting-for-HTMLIFrameElement-srcdoc.html
 create mode 100644 trusted-types/trusted-types-reporting-for-HTMLScriptElement.html
 create mode 100644 trusted-types/trusted-types-reporting-for-Range-createContextualFragment.html
 create mode 100644 trusted-types/trusted-types-reporting-for-ShadowRoot-innerHTML.html
 create mode 100644 trusted-types/trusted-types-reporting-for-ShadowRoot-setHTMLUnsafe.html

diff --git a/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html b/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html
index a75b50f8f002e2..5179206e7e1270 100644
--- a/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html
+++ b/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html
@@ -4,7 +4,7 @@
 <script src="support/helper.sub.js"></script>
 <script src="./support/csp-violations.js"></script>
 <meta http-equiv="Content-Security-Policy" content="trusted-types 'none'">
-<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 <body>
 <script>
   promise_test(async t => {
diff --git a/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html b/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html
index f84634a1408d20..21005516749112 100644
--- a/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html
+++ b/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html
@@ -5,7 +5,7 @@
 <script src="./support/csp-violations.js"></script>
 
 <meta http-equiv="Content-Security-Policy" content="trusted-types SomeName JustOneMoreName AnotherName">
-<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 <body>
 <script>
   // Allowed name test
diff --git a/trusted-types/require-trusted-types-for-report-only.html.headers b/trusted-types/require-trusted-types-for-report-only.html.headers
index 8344761bdddf83..3f0aa88da83740 100644
--- a/trusted-types/require-trusted-types-for-report-only.html.headers
+++ b/trusted-types/require-trusted-types-for-report-only.html.headers
@@ -1,2 +1,2 @@
 Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
diff --git a/trusted-types/require-trusted-types-for.html b/trusted-types/require-trusted-types-for.html
index c6dfbcbfb4871d..8e18b20ae2ef4d 100644
--- a/trusted-types/require-trusted-types-for.html
+++ b/trusted-types/require-trusted-types-for.html
@@ -4,7 +4,7 @@
   <script src="/resources/testharnessreport.js"></script>
   <script src="./support/csp-violations.js"></script>
   <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
-  <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 </head>
 <body>
 <script>
diff --git a/trusted-types/support/csp-violations.js b/trusted-types/support/csp-violations.js
index 61b763911f7b50..bc8b0e1a8bfbb6 100644
--- a/trusted-types/support/csp-violations.js
+++ b/trusted-types/support/csp-violations.js
@@ -7,40 +7,45 @@ const cspDirectives = [
   "script-src",
 ];
 
-// A generic helper that runs function fn and return a promise resolving with
-// an array of reported violations for trusted type directives and a possible
-// exception thrown.
+// A generic helper that runs function fn and returns a promise resolving with
+// an array of reported violations and a possible exception thrown. This forces
+// a "connect-src" violation before and after calling fn, to make sure we are
+// not gathering violations reported before fn, and that all the violations
+// reported by fn have been delivered. This assumes that the test file contains
+// the CSP directive connect-src 'none' and that fn is not itself triggering
+// a "connect-src" violation report.
 function trusted_type_violations_and_exception_for(fn) {
   return new Promise((resolve, reject) => {
     // Listen for security policy violations.
+    let receivedInitialConnectSrcViolation = false;
     let result = { violations: [], exception: null };
     let handler = e => {
       if (cspDirectives.includes(e.effectiveDirective)) {
-        result.violations.push(e);
-      } else if (e.effectiveDirective === "object-src") {
-        document.removeEventListener("securitypolicyviolation", handler);
-        e.stopPropagation();
-        resolve(result);
+        if (receivedInitialConnectSrcViolation) {
+          result.violations.push(e);
+        }
+      } else if (e.effectiveDirective === "connect-src") {
+        if (receivedInitialConnectSrcViolation) {
+          self.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(result);
+        } else {
+          receivedInitialConnectSrcViolation = true;
+        }
       } else {
         reject(`Unexpected violation for directive ${e.effectiveDirective}`);
       }
     }
-    document.addEventListener("securitypolicyviolation", handler);
+    self.addEventListener("securitypolicyviolation", handler);
 
     // Run the specified function and record any exception.
+    new EventSource("/common/blank.html");
     try {
       fn();
     } catch(e) {
       result.exception = e;
     }
-
-    // Force an "object-src" violation, to make sure all the previous violations
-    // have been delivered. This assumes the test file's associated .headers
-    // file contains Content-Security-Policy: object-src 'none'.
-    var o = document.createElement('object');
-    o.type = "video/mp4";
-    o.data = "dummy.webm";
-    document.body.appendChild(o);
+    new EventSource("/common/blank.html");
   });
 }
 
diff --git a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html
index 5e2087a1c6b827..797dfa1e2ef34b 100644
--- a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html
+++ b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html
@@ -11,13 +11,13 @@
   // headers are set in the .headers file:
   //
   //   Content-Security-Policy: script-src 'unsafe-inline'; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy: require-trusted-types-for 'script'
   //
   // The second rule is there so we can provoke a CSP violation report at will.
   // The intent is that in order to test that a violation has *not* been thrown
   // (and without resorting to abominations like timeouts), we force a *another*
-  // CSP violation (by violating the object-src rule) and when that event is
+  // CSP violation (by violating the connect-src rule) and when that event is
   // processed we can we sure that an earlier event - if it indeed occurred -
   // must have already been processed.
 
diff --git a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers
index 2bdd8a7d1abaa1..72cebc03552da9 100644
--- a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers
+++ b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers
@@ -1,3 +1,3 @@
 Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy: require-trusted-types-for 'script'
diff --git a/trusted-types/trusted-types-eval-reporting-report-only.html b/trusted-types/trusted-types-eval-reporting-report-only.html
index 226db176bd8d03..5b5ce50601c591 100644
--- a/trusted-types/trusted-types-eval-reporting-report-only.html
+++ b/trusted-types/trusted-types-eval-reporting-report-only.html
@@ -11,7 +11,7 @@
   // headers are set in the .headers file:
   //
   //   Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
   //
   // The last rule is there so we can provoke a CSP violation report at will.
diff --git a/trusted-types/trusted-types-eval-reporting-report-only.html.headers b/trusted-types/trusted-types-eval-reporting-report-only.html.headers
index d212eda5ef5709..9ab275fe6f1d49 100644
--- a/trusted-types/trusted-types-eval-reporting-report-only.html.headers
+++ b/trusted-types/trusted-types-eval-reporting-report-only.html.headers
@@ -1,4 +1,4 @@
 Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
 
diff --git a/trusted-types/trusted-types-eval-reporting.html b/trusted-types/trusted-types-eval-reporting.html
index 2fc889549ec28e..d037c058d9b2b4 100644
--- a/trusted-types/trusted-types-eval-reporting.html
+++ b/trusted-types/trusted-types-eval-reporting.html
@@ -11,7 +11,7 @@
   // headers are set in the .headers file:
   //
   //   Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy: require-trusted-types-for 'script'
   //
   // The last rule is there so we can provoke a CSP violation report at will.
diff --git a/trusted-types/trusted-types-eval-reporting.html.headers b/trusted-types/trusted-types-eval-reporting.html.headers
index 8989345e722067..1e57f8bf5851bc 100644
--- a/trusted-types/trusted-types-eval-reporting.html.headers
+++ b/trusted-types/trusted-types-eval-reporting.html.headers
@@ -1,4 +1,4 @@
 Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy: require-trusted-types-for 'script'
 
diff --git a/trusted-types/trusted-types-report-only.html.headers b/trusted-types/trusted-types-report-only.html.headers
index 383f05138fe626..602186027d0d75 100644
--- a/trusted-types/trusted-types-report-only.html.headers
+++ b/trusted-types/trusted-types-report-only.html.headers
@@ -1,2 +1,2 @@
 Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php; require-trusted-types-for 'script';
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
diff --git a/trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html b/trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html
new file mode 100644
index 00000000000000..0dccd3bac68d7a
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        (new DOMParser()).parseFromString(policy.createHTML(input), "text/html")
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        (new DOMParser()).parseFromString(input, "text/html")
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `DOMParser parseFromString|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Document-execCommand.html b/trusted-types/trusted-types-reporting-for-Document-execCommand.html
new file mode 100644
index 00000000000000..617c3c18c53231
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Document-execCommand.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ => {
+        ["insertHTML", "paste"].forEach(command => {
+          document.execCommand(command, false, policy.createHTML(input));
+        });
+      });
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.execCommand("paste", false, input)
+      );
+    }, "No violation reported (paste command).");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.execCommand("insertHTML", false, input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Document execCommand|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string (insertHTML command).");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html b/trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html
new file mode 100644
index 00000000000000..b0b286f733eba5
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        Document.parseHTMLUnsafe(policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        Document.parseHTMLUnsafe(input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Document parseHTMLUnsafe|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Document-write.html b/trusted-types/trusted-types-reporting-for-Document-write.html
new file mode 100644
index 00000000000000..b20c458b4a1c6f
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Document-write.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <div id="log"></div>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = [`<p>${'A'.repeat(50)}</p>`,
+                   `<p>${'B'.repeat(30)}</p>`,
+                   `<p>${'C'.repeat(20)}</p>`];
+    const joinedInput = input.join('');
+    const trustedInput = input.map(x => policy.createHTML(input));
+
+    // Create a separate document for testing, so write calls don't mess up with
+    // how testharness writes its output in the main document.
+    const doc = (new DOMParser()).
+          parseFromString(policy.createHTML("<body></body>"), "text/html");
+
+    ["write", "writeln"].forEach(methodName => {
+      promise_test(async t => {
+        await no_trusted_type_violation_for(_ =>
+          doc[methodName](...trustedInput)
+        );
+      }, `No violation reported for ${methodName}() with TrustedHTML arguments.`);
+
+      promise_test(async t => {
+        let violation = await trusted_type_violation_for(TypeError, _ =>
+          doc[methodName](trustedInput[0], input[1], trustedInput[2])
+        );
+        assert_equals(violation.blockedURI, "trusted-types-sink");
+        assert_equals(violation.sample, `Document ${methodName}|${clipSampleIfNeeded(joinedInput)}`);
+      }, `Violation report for plain string for ${methodName}() with at least one plain string argument.`);
+    });
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-innerHTML.html b/trusted-types/trusted-types-reporting-for-Element-innerHTML.html
new file mode 100644
index 00000000000000..5782c689071128
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Element-innerHTML.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").innerHTML = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").innerHTML = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element innerHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html b/trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html
new file mode 100644
index 00000000000000..6448b3f4097af7
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").
+          insertAdjacentHTML("beforeend", policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").insertAdjacentHTML("beforeend", input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element insertAdjacentHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-outerHTML.html b/trusted-types/trusted-types-reporting-for-Element-outerHTML.html
new file mode 100644
index 00000000000000..a5fcb2d24f0482
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Element-outerHTML.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").outerHTML = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").outerHTML = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element outerHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-setAttribute.html b/trusted-types/trusted-types-reporting-for-Element-setAttribute.html
new file mode 100644
index 00000000000000..f0ad7a966f6dbd
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Element-setAttribute.html
@@ -0,0 +1,107 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<script src="support/namespaces.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", {
+      createHTML: x => x, createScript: x => x, createScriptURL: x => x });
+    const input = 'A'.repeat(100);
+    const trustedHTML = policy.createHTML(input);
+    const trustedScript = policy.createScript(input);
+    const trustedScriptURL = policy.createScriptURL(input);
+    function createIFrame() { return document.createElement("iframe"); }
+    function createScript() { return document.createElement("script"); }
+    function createSVGScript() { return document.createElementNS(NSURI_SVG, "script"); }
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ => {
+        createIFrame().setAttribute("srcdoc", trustedHTML);
+        createIFrame().setAttributeNS(null, "srcdoc", trustedHTML);
+        createIFrame().setAttribute("onclick", trustedScript);
+        createIFrame().setAttributeNS(null, "onclick", trustedScript);
+        createScript().setAttribute("src", trustedScriptURL);
+        createScript().setAttributeNS(null, "src", trustedScriptURL);
+        createSVGScript().setAttribute("href", trustedScriptURL);
+        createSVGScript().setAttributeNS(null, "href", trustedScriptURL);
+        createSVGScript().setAttributeNS(NSURI_XLINK, "href", trustedScriptURL);
+      });
+    }, "No violation reported for trusted types.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createIFrame().setAttribute("srcdoc", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `HTMLIFrameElement srcdoc|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for HTMLIFrameElement.setAttribute('srcdoc', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createIFrame().setAttributeNS(null, "srcdoc", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `HTMLIFrameElement srcdoc|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for HTMLIFrameElement.setAttributeNS(null, 'srcdoc', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createIFrame().setAttribute("onclick", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element onclick|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for Element.setAttribute('onclick', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createIFrame().setAttributeNS(null, "onclick", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element onclick|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for Element.setAttributeNS(null, 'onclick', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createScript().setAttribute("src", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `HTMLScriptElement src|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for HTMLScriptElement.setAttribute('src', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createScript().setAttributeNS(null, "src", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `HTMLScriptElement src|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for HTMLScriptElement.setAttributeNS(null, 'src', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createSVGScript().setAttribute("href", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `SVGScriptElement href|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for SVGScriptElement.setAttribute('href', plain_string)");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createSVGScript().setAttributeNS(null, "href", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `SVGScriptElement href|${clipSampleIfNeeded(input)}`);
+    }, `Violation report for SVGScriptElement.setAttributeNS(null, 'href', plain_string)`);
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ => {
+        createSVGScript().setAttributeNS(NSURI_XLINK, "href", input);
+      });
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `SVGScriptElement href|${clipSampleIfNeeded(input)}`);
+    }, `Violation report for SVGScriptElement.setAttributeNS(${NSURI_XLINK}, 'href', plain_string)`);
+
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html b/trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html
new file mode 100644
index 00000000000000..41bc4d57b7a936
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").setHTMLUnsafe(policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").setHTMLUnsafe(input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element setHTMLUnsafe|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-HTMLIFrameElement-srcdoc.html b/trusted-types/trusted-types-reporting-for-HTMLIFrameElement-srcdoc.html
new file mode 100644
index 00000000000000..b86eb6e6910d18
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-HTMLIFrameElement-srcdoc.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("iframe").srcdoc = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("iframe").srcdoc = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `HTMLIFrameElement srcdoc|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-HTMLScriptElement.html b/trusted-types/trusted-types-reporting-for-HTMLScriptElement.html
new file mode 100644
index 00000000000000..3c540e8d287d5f
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-HTMLScriptElement.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    function createScript() { return document.createElement("script"); }
+    const policy = trustedTypes.createPolicy("dummy", {
+      createScript: x => x,
+      createScriptURL: x => x,
+    });
+    const properties = {
+      innerText: "script",
+      textContent: "script",
+      src: "scriptURL",
+      text: "script",
+    };
+    const input = {
+      script: `${';'.repeat(100)}`,
+      scriptURL: `about:blank?${'A'.repeat(100)}`,
+    };
+    const trustedInput = {
+      script: policy.createScript(input.script),
+      scriptURL: policy.createScriptURL(input.scriptURL),
+    };
+    for (let [property, type] of Object.entries(properties)) {
+      promise_test(async t => {
+        await no_trusted_type_violation_for(_ =>
+          createScript()[property] = trustedInput[type]
+        );
+      }, `No violation reported for trusted input (${property}).`);
+
+      promise_test(async t => {
+        let violation = await trusted_type_violation_for(TypeError, _ =>
+          createScript()[property] = input[type]
+        );
+        assert_equals(violation.blockedURI, "trusted-types-sink");
+        assert_equals(violation.sample, `HTMLScriptElement ${property}|${clipSampleIfNeeded(input[type])}`);
+      }, `Violation report for plain string (${property})`);
+    }
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Range-createContextualFragment.html b/trusted-types/trusted-types-reporting-for-Range-createContextualFragment.html
new file mode 100644
index 00000000000000..8f34ba0ed1dfa6
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-Range-createContextualFragment.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <div id="element"></div>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+    function createRange() {
+      let range = document.createRange();
+      range.selectNodeContents(document.getElementById("element"));
+      return range;
+    }
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        createRange().createContextualFragment(policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        createRange().createContextualFragment(input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Range createContextualFragment|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-ShadowRoot-innerHTML.html b/trusted-types/trusted-types-reporting-for-ShadowRoot-innerHTML.html
new file mode 100644
index 00000000000000..9aaf2d8aa4f50d
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-ShadowRoot-innerHTML.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+    function createShadowRoot() {
+      return document.createElement('div').attachShadow({mode: 'open'});
+    }
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        createShadowRoot().innerHTML = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        createShadowRoot().innerHTML = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `ShadowRoot innerHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-ShadowRoot-setHTMLUnsafe.html b/trusted-types/trusted-types-reporting-for-ShadowRoot-setHTMLUnsafe.html
new file mode 100644
index 00000000000000..b65261d0e38180
--- /dev/null
+++ b/trusted-types/trusted-types-reporting-for-ShadowRoot-setHTMLUnsafe.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+    function createShadowRoot() {
+      return document.createElement('div').attachShadow({mode: 'open'});
+    }
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        createShadowRoot().setHTMLUnsafe(policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        createShadowRoot().setHTMLUnsafe(input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `ShadowRoot setHTMLUnsafe|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting.html b/trusted-types/trusted-types-reporting.html
index 2ea5855e054637..1649e46d0d5aa4 100644
--- a/trusted-types/trusted-types-reporting.html
+++ b/trusted-types/trusted-types-reporting.html
@@ -7,8 +7,6 @@
 </head>
 <body>
   <!-- Some elements for the tests to act on. -->
-  <div id="div"></div>
-  <script id="script"></script>
   <script id="customscript" is="custom-script" src="a"></script>
   <svg><script id="svgscript"></script></svg>
   <script>
@@ -18,13 +16,13 @@
   //
   //   Content-Security-Policy: trusted-types one
   //   Content-Security-Policy-Report-Only: trusted-types two; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy: default-src * 'unsafe-inline'
   //
   // The third rule is there so we can provoke a CSP violation report at will.
   // The intent is that in order to test that a violation has *not* been thrown
   // (and without resorting to abominations like timeouts), we force a *another*
-  // CSP violation (by violating the object-src rule) and when that event is
+  // CSP violation (by violating the connect-src rule) and when that event is
   // processed we can we sure that an earlier event - if it indeed occurred -
   // must have already been processed.
   //
@@ -84,80 +82,6 @@
     assert_equals(violation.blockedURI, "trusted-types-policy");
   }, "Trusted Type violation report: creating a forbidden-but-not-reported policy.");
 
-  promise_test(async t => {
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("div").insertAdjacentHTML("beforebegin", "x")
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-    assert_equals(violation.blockedURI, "trusted-types-sink");
-  }, "Trusted Type violation report: blocked URI and sample for insertAdjacentHTML");
-
-  promise_test(async t => {
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("script").src = url
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-  }, "Trusted Type violation report: assign string to script url");
-
-  promise_test(async t => {
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("div").innerHTML = "abc"
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-  }, "Trusted Type violation report: assign string to html");
-
-  promise_test(async t => {
-    await no_trusted_type_violation_for(_ =>
-      document.getElementById("script").text = policy_one.createScript("2+2;")
-    );
-  }, "Trusted Type violation report: assign trusted script to script; no report");
-
-  promise_test(async t => {
-    await no_trusted_type_violation_for(_ =>
-      document.getElementById("div").innerHTML = policy_one.createHTML("abc")
-    );
-  }, "Trusted Type violation report: assign trusted HTML to html; no report");
-
-  promise_test(async t => {
-    const input = "abc";
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("div").innerHTML = input
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-    assert_equals(violation.blockedURI, "trusted-types-sink");
-    assert_equals(violation.sample, `Element innerHTML|${clipSampleIfNeeded(input)}`);
-  }, "Trusted Type violation report: sample for innerHTML assignment");
-
-  promise_test(async t => {
-    const input = "1+2;";
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("script").text = input
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-    assert_equals(violation.blockedURI, "trusted-types-sink");
-    assert_equals(violation.sample, `HTMLScriptElement text|${clipSampleIfNeeded(input)}`);
-  }, "Trusted Type violation report: sample for text assignment");
-
-  promise_test(async t => {
-    const input = "about:blank";
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("script").src = input
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-    assert_equals(violation.blockedURI, "trusted-types-sink");
-    assert_equals(violation.sample, `HTMLScriptElement src|${clipSampleIfNeeded(input)}`);
-  }, "Trusted Type violation report: sample for script.src assignment");
-
-  promise_test(async t => {
-    const input = "2+2;";
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("script").innerText = "2+2;"
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-    assert_equals(violation.blockedURI, "trusted-types-sink");
-    assert_equals(violation.sample, `HTMLScriptElement innerText|${clipSampleIfNeeded(input)}`);
-  }, "Trusted Type violation report: sample for script innerText assignment");
-
   promise_test(async t => {
     const input = "about:blank";
     let violation = await trusted_type_violation_for(TypeError, _ =>
@@ -198,18 +122,6 @@
     assert_equals(violation.sample, `eval|${clipSampleIfNeeded(input)}`);
   }, "Trusted Type violation report: sample for eval");
 
-  promise_test(async t => {
-    // We expect the sample string to always contain the name, and at least the
-    // start of the value, but it should not be excessively long.
-    const value = "a" + "b".repeat(50000);
-    let violation = await trusted_type_violation_for(TypeError, _ =>
-      document.getElementById("script").innerText = value
-    );
-    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
-    assert_equals(violation.blockedURI, "trusted-types-sink");
-    assert_equals(violation.sample, `HTMLScriptElement innerText|${clipSampleIfNeeded(value)}`);
-  }, "Trusted Type violation report: large values should be handled sanely.");
-
   // Test reporting for Custom Elements (where supported). The report should
   // refer to the DOM elements being modified, so that Custom Elements cannot
   // "mask" the underlying DOM mechanism (for reporting).
diff --git a/trusted-types/trusted-types-reporting.html.headers b/trusted-types/trusted-types-reporting.html.headers
index 31c8e4131701cf..7076f4106f7348 100644
--- a/trusted-types/trusted-types-reporting.html.headers
+++ b/trusted-types/trusted-types-reporting.html.headers
@@ -1,6 +1,6 @@
 Content-Security-Policy: trusted-types one
 Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy: default-src * 'unsafe-inline'
 Content-Security-Policy: require-trusted-types-for 'script'
 
diff --git a/trusted-types/trusted-types-source-file-path.html b/trusted-types/trusted-types-source-file-path.html
index edb1d5d68e9331..105a04247f630d 100644
--- a/trusted-types/trusted-types-source-file-path.html
+++ b/trusted-types/trusted-types-source-file-path.html
@@ -9,7 +9,7 @@
   <script src="./support/csp-violations.js"></script>
   <meta http-equiv="Content-Security-Policy"
         content="require-trusted-types-for 'script'; trusted-types id">
-  <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
   </head>
 <body>
 
diff --git a/trusted-types/trusted-types-svg-script-set-href.html b/trusted-types/trusted-types-svg-script-set-href.html
index f339ba119a1b6b..3092fb41d81f73 100644
--- a/trusted-types/trusted-types-svg-script-set-href.html
+++ b/trusted-types/trusted-types-svg-script-set-href.html
@@ -6,7 +6,7 @@
   <script src="./support/namespaces.js"></script>
   <meta http-equiv="Content-Security-Policy"
         content="require-trusted-types-for 'script'">
-  <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 </head>
 <body>
   <div id="log"></div>
diff --git a/trusted-types/trusted-types-svg-script.html b/trusted-types/trusted-types-svg-script.html
index 4fc3b710eb620c..c08bdc0db87026 100644
--- a/trusted-types/trusted-types-svg-script.html
+++ b/trusted-types/trusted-types-svg-script.html
@@ -5,7 +5,7 @@
   <script src="./support/csp-violations.js"></script>
   <meta http-equiv="Content-Security-Policy"
         content="require-trusted-types-for 'script'">
-  <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 </head>
 <body>
   <div id="log"></div>