From 4d7e84360db89b2941a9fb468ab9f14226d3ae24 Mon Sep 17 00:00:00 2001
From: Shane Handley <shanehandley@fastmail.com>
Date: Fri, 5 Sep 2025 05:23:01 +0000
Subject: [PATCH] Implement document's active sandboxing flag set

Signed-off-by: Shane Handley <shanehandley@fastmail.com>
---
 .../sandbox/autoplay-disabled-by-csp.html     | 23 ++++++++++++++++++
 .../autoplay-disabled-by-csp.html.headers     |  1 +
 ...form-submission-blocked-by-sandboxing.html | 24 +++++++++++++++++++
 ...mission-blocked-by-sandboxing.html.headers |  1 +
 4 files changed, 49 insertions(+)
 create mode 100644 content-security-policy/sandbox/autoplay-disabled-by-csp.html
 create mode 100644 content-security-policy/sandbox/autoplay-disabled-by-csp.html.headers
 create mode 100644 content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html
 create mode 100644 content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html.headers

diff --git a/content-security-policy/sandbox/autoplay-disabled-by-csp.html b/content-security-policy/sandbox/autoplay-disabled-by-csp.html
new file mode 100644
index 00000000000000..533028629e0ca6
--- /dev/null
+++ b/content-security-policy/sandbox/autoplay-disabled-by-csp.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+  <head>
+  <link rel="help" href="https://html.spec.whatwg.org/multipage/#eligible-for-autoplay" />
+  <title>Test that autoplay is blocked by a document's active sandboxing flags</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/common/media.js"></script>
+  </head>
+  <body>
+    <video id="v" autoplay></video>
+    <script>
+      async_test((t) => {
+        var v = document.getElementById('v')
+
+        v.addEventListener('playing', t.unreached_func('video should not autoplay due to sandboxing flags'));
+
+        v.src = getVideoURI('/media/movie_5') + '?' + new Date() + Math.random()
+        t.step_timeout(() => t.done(), 500);
+      }, 'csp-derived sandboxing flags prevent autoplay.')
+    </script>
+  </body>
+</html>
diff --git a/content-security-policy/sandbox/autoplay-disabled-by-csp.html.headers b/content-security-policy/sandbox/autoplay-disabled-by-csp.html.headers
new file mode 100644
index 00000000000000..32518e57d4584d
--- /dev/null
+++ b/content-security-policy/sandbox/autoplay-disabled-by-csp.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-forms
diff --git a/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html b/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html
new file mode 100644
index 00000000000000..9a6610658d5d92
--- /dev/null
+++ b/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+  <head>
+  <link rel="help" href="https://html.spec.whatwg.org/multipage/#concept-form-submit">
+  <title>Test that form submission is blocked by a document's active sandboxing flags</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <form id="f">
+      <input type="hidden" value="test" />
+    </form>
+    <script>
+      async_test((t) => {
+        var f = document.getElementById('f')
+
+        f.addEventListener('submit', t.unreached_func('form should not be submitted due to sandboxing flags'));
+
+        f.submit();
+        t.step_timeout(() => t.done(), 500);
+      }, 'csp-derived sandboxing flags prevent form submission.')
+    </script>
+  </body>
+</html>
diff --git a/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html.headers b/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html.headers
new file mode 100644
index 00000000000000..1efcf8c226fac0
--- /dev/null
+++ b/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts