Open Bug 936097 Opened 11 years ago Updated 2 years ago

CSP 1.1: (followup) additional nonce-source tests

Categories

(Core :: DOM: Security, defect, P3)

x86_64
Linux
defect

People

(Reporter: grobinson, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

The nonce-source patch in bug 855326 has tests, but during review dholbert suggested some additional corner cases that should be tested. From the original comment:

Also, speaking of tests -- given that this is a security feature that web authors will be depending on, I think it's particularly important to make sure this has good test coverage. It looks like we still need test-coverage for the following things:

a) nonce on <script src="..."> tags (I think (?) you're just testing inline <script> tags, right now)
   (The spec says if the nonce doesn't match on <script src>, "the user agent MUST act as if it had received an empty HTTP 400 response and report a violation")
b) nonce being ignored on other style sources:
   i. <animate attributeName="fill" nonce="...">
   ii. <div style="foo" nonce="...">
   iii. <link href="..." nonce="...">
   iv. <style> in an SVG document

We also don't have any test-coverage for nonce validation, beyond testing that "correctscriptnonce" and "correctstylenonce" are both valid. It'd be worth also testing the following:

e) empty-string shouldn't be a valid nonce (i.e. "nonce-" in the headers, nonce="" on a style element)
f) special characters (beyond "+" and "/") should invalidate the nonce (e.g. "nonce-12%^", or a random UTF-8 character, etc.)
g) a nonce that exercises much (all?) of the range of valid characters *should* be allowed (both lower and uppercase characters, digits, +, and /)
h) a nonce that starts with "NONCE-" (uppercase) is rejected

Since this is preffed off by default, I'd be fine with this test-writing being tracked in followup bugs, as long as the followups (particularly for things being blocked) are resolved before this gets preffed on. Please file followups for those (marked as depending on this bug) before closing this out, though, so that we don't forget about them.
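The nonce-validation cases e) through h) above describe the behaviour a CSP nonce-source matcher must have. The following is an added example, not Firefox code and not part of this bug: a small matcher written against the CSP 1.1 grammar ('nonce-' followed by a base64-value of ALPHA / DIGIT / "+" / "/" with up to two trailing "="), with the listed cases turned into checks. Two points are assumptions rather than things the page states: the 'nonce-' keyword is compared case-sensitively because item h) asks for that (a given browser may treat the keyword case-insensitively), and the charset is the CSP 1.1 one (CSP Level 3 additionally allows "-" and "_"). The sample nonce values are constructed for the example.

```javascript
// Added example (not Firefox code): a CSP 1.1-style nonce-source matcher
// covering the validation cases listed in the review comment.
// ASSUMPTIONS: base64-value charset is ALPHA / DIGIT / "+" / "/" with up to
// two trailing "=" (CSP 1.1 grammar; CSP3 additionally allows "-" and "_");
// the 'nonce-' keyword is treated case-sensitively, as item h) asks.

const BASE64_VALUE = /^[A-Za-z0-9+/]+={0,2}$/;

// Parse one source expression. Returns the nonce string if it is a
// well-formed nonce-source, otherwise null.
function parseNonceSource(expr) {
  const m = /^'nonce-(.*)'$/.exec(expr);   // case-sensitive prefix (item h)
  if (m === null) return null;
  const value = m[1];
  if (!BASE64_VALUE.test(value)) return null; // rejects "" (e) and "12%^" (f)
  return value;
}

// Collect every valid nonce from a directive value such as
// "'self' 'nonce-abc123' https://cdn.example". Malformed nonce-sources are
// dropped rather than matched, so they can never whitelist anything.
function noncesFromDirective(directiveValue) {
  return directiveValue
    .split(/[ \t]+/)
    .filter(Boolean)
    .map(parseNonceSource)
    .filter((n) => n !== null);
}

// Does an element's nonce attribute satisfy the directive? The comparison is
// an exact, case-sensitive string match, so "" never matches anything and a
// nonce that differs only in case is rejected.
function nonceAllowed(directiveValue, elementNonce) {
  if (typeof elementNonce !== 'string' || elementNonce === '') return false;
  return noncesFromDirective(directiveValue).includes(elementNonce);
}

// Run the cases from the review comment; returns {name: boolean} so a
// harness can assert on them. Sample values are constructed for this example.
function runReviewCases() {
  const wide = 'abcXYZ019+/==';            // item g: spans the whole charset
  const policy = `'self' 'nonce-${wide}'`;
  return {
    empty_nonce_rejected:       !nonceAllowed("'nonce-'", ''),                 // e
    special_chars_rejected:     !nonceAllowed("'nonce-12%^'", '12%^'),         // f
    utf8_rejected:              !nonceAllowed("'nonce-ab\u00e9'", 'ab\u00e9'), // f
    full_charset_allowed:       nonceAllowed(policy, wide),                    // g
    uppercase_keyword_rejected: !nonceAllowed(`'NONCE-${wide}'`, wide),        // h
    case_mismatch_rejected:     !nonceAllowed(policy, wide.toLowerCase()),
  };
}
```

The design choice worth noting is that a malformed nonce-source is discarded at parse time rather than matched loosely: an empty or non-base64 value in the policy must not be able to whitelist an element carrying the same malformed string, which is exactly what cases e) and f) are guarding against.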
Depends on: 855326
Assignee: nobody → grobinson
Garrett, I suppose you are fine with putting this one in the backlog, right?
Assignee: garrett.f.robinson+mozilla → nobody
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
Severity: normal → S3