From f477833eae163b4e75f0ef5cc6d2f46e3cd47801 Mon Sep 17 00:00:00 2001
From: Domenic Denicola
Date: Tue, 3 Mar 2020 13:30:19 +0000
Subject: [PATCH] Bug 1616906 [wpt PR 21904] - Always fetch origin policies from /.well-known/origin-policy, a=testonly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Automatic update from web-platform-tests

Always fetch origin policies from /.well-known/origin-policy

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes:

* The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040.
* Redirect-handling logic for default policies. Redirects are now always an error.
* Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036.
* Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: https://github.com/WICG/origin-policy/issues/51
* A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests.
* A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable.
* Reporting, for now. We need to first spec this and then add it back. See https://github.com/WICG/origin-policy/issues/62.

Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec.

Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at https://github.com/web-platform-tests/wpt/issues/20773 and https://github.com/web-platform-tests/rfcs/pull/44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036.

Bug: 1042034
Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020488
Commit-Queue: Domenic Denicola
Reviewed-by: Martin Šrámek
Reviewed-by: Matt Mueller
Reviewed-by: Kinuko Yasuda
Reviewed-by: Dominic Battré
Reviewed-by: Daniel Vogelheim
Cr-Commit-Position: refs/heads/master@{#745187}

--
wpt-commits: 496499a3188a8da571cbe59e182d555c2a6b8d69
wpt-pr: 21904
---
 .../tests/.well-known/origin-policy | 18 +++
 .../policy-content-security-comma-in-policy | 5 -
 ...y-content-security-double-content-security | 8 -
 .../policy-content-security-double-policies | 6 -
 .../policy-content-security-noimg-report-only | 5 -
 .../policy-content-security-non-object | 3 -
 .../policy-content-security-non-string | 5 -
 .../policy-content-security-valid | 5 -
 ...ntent-security-valid-with-multi-item-array | 5 -
 ...licy-content-security-valid-with-semicolon | 5 -
 .../.well-known/origin-policy/policy-csp-1 | 5 -
 .../.well-known/origin-policy/policy-csp-2 | 5 -
 .../policy-features-comma-in-policy | 5 -
 .../policy-features-double-features | 8 -
 .../policy-features-double-policy | 6 -
 .../origin-policy/policy-features-non-object | 3 -
 .../origin-policy/policy-features-non-string | 5 -
 .../origin-policy/policy-features-valid | 5 -
 .../comma-in-policy.https.html | 9 +-
 .../comma-in-policy.https.html.headers | 1 -
 .../double-content-security.https.html | 9 +-
 ...double-content-security.https.html.headers | 1 -
 .../double-policies.https.html | 9 +-
 .../double-policies.https.html.headers | 1 -
 .../content-security/non-array.https.html | 9 +-
 .../non-array.https.html.headers | 1 -
 .../content-security/non-object.https.html | 9 +-
 .../non-object.https.html.headers | 1 -
 .../content-security/non-string.https.html | 9 +-
 .../non-string.https.html.headers | 1 -
 .../allow-unsafe-eval-disallow-images.mjs | 3 +
 .../resources/allow-unsafe-eval.mjs | 3 +
 .../disallow-unsafe-eval-disallow-images.mjs | 3 +
 .../{helper.js => resources/helper.mjs} | 17 +--
 .../trigger-violation-report-report-only.mjs | 12 ++
 .../resources/trigger-violation-report.mjs | 12 ++
 ...er-violation-report-report-only.https.html | 17 +--
 ...tion-report-report-only.https.html.headers | 1 -
 .../trigger-violation-report.https.html | 17 +--
 ...rigger-violation-report.https.html.headers | 1 -
 .../valid-with-multi-item-array.https.html | 9 +-
 ...d-with-multi-item-array.https.html.headers | 1 -
 .../valid-with-semicolon.https.html | 9 +-
 .../valid-with-semicolon.https.html.headers | 1 -
 .../content-security/valid.https.html | 11 --
 .../content-security/valid.https.html.headers | 1 -
 .../features/comma-in-policy.https.html | 9 +-
 .../comma-in-policy.https.html.headers | 1 -
 .../features/double-features.https.html | 9 +-
 .../double-features.https.html.headers | 1 -
 .../features/double-policy.https.html | 9 +-
 .../features/double-policy.https.html.headers | 1 -
 .../features/non-object.https.html | 9 +-
 .../features/non-object.https.html.headers | 1 -
 .../features/non-string.https.html | 9 +-
 .../features/non-string.https.html.headers | 1 -
 .../{helper.js => resources/helper.mjs} | 4 +-
 .../resources/no-camera-no-geolocation.mjs | 3 +
 .../resources/no-camera-yes-geolocation.mjs | 3 +
 .../resources/yes-camera-yes-geolocation.mjs | 3 +
 .../features/valid-with-semicolon.https.html | 16 ++
 .../origin-policy/features/valid.https.html | 11 --
 .../features/valid.https.html.headers | 1 -
 ...-policy-report-to.https.tentative.sub.html | 22 ---
 ...rt-to.https.tentative.sub.html.sub.headers | 1 -
 .../origin-policy.https.tentative.html | 143 ------------------
 .../tests/origin-policy/policies/README.md | 5 +
 .../policies/op1 cspfp-comma-in-policy.json | 13 ++
 .../policies/op10 cspfp-valid.json | 13 ++
 .../policies/op2 cspfp-double-top-level.json | 21 +++
 .../op3 cspfp-double-second-level.json | 17 +++
 .../policies/op4 csp-non-array.json} | 3 +
 .../policies/op5 cspfp-non-object.json | 9 ++
 .../policies/op6 cspfp-non-string.json | 17 +++
 .../policies/op7 csp-noimg-report-only.json | 10 ++
 .../policies/op8 csp-noimg.json} | 3 +
 .../op9 csp-valid-with-multi-item-array.json | 11 ++
 .../resources/origin-policy-test-runner.js | 28 ++++
 .../resources/subframe-with-origin-policy.py | 26 ++++
 .../sec-origin-policy-header.html.py | 64 --------
 .../sec-origin-policy-subframe.html | 3 -
 ...ec-origin-policy-subframe.html.sub.headers | 3 -
 82 files changed, 359 insertions(+), 429 deletions(-)
 create mode 100644 testing/web-platform/tests/.well-known/origin-policy
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-comma-in-policy
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-content-security
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-policies
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg-report-only
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-object
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-string
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-semicolon
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-csp-1
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-csp-2
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-features-comma-in-policy
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-features-double-features
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-features-double-policy
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-features-non-object
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-features-non-string
 delete mode 100644 testing/web-platform/tests/.well-known/origin-policy/policy-features-valid
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/double-policies.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/non-array.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/non-object.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/non-string.https.html.headers
 create mode 100644 testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs
 create mode 100644 testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval.mjs
 create mode 100644 testing/web-platform/tests/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs
 rename testing/web-platform/tests/origin-policy/content-security/{helper.js => resources/helper.mjs} (89%)
 create mode 100644 testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs
 create mode 100644 testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report.mjs
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/valid.https.html
 delete mode 100644 testing/web-platform/tests/origin-policy/content-security/valid.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/features/double-features.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/features/double-policy.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/features/non-object.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/features/non-string.https.html.headers
 rename testing/web-platform/tests/origin-policy/features/{helper.js => resources/helper.mjs} (83%)
 create mode 100644 testing/web-platform/tests/origin-policy/features/resources/no-camera-no-geolocation.mjs
 create mode 100644 testing/web-platform/tests/origin-policy/features/resources/no-camera-yes-geolocation.mjs
 create mode 100644 testing/web-platform/tests/origin-policy/features/resources/yes-camera-yes-geolocation.mjs
 create mode 100644 testing/web-platform/tests/origin-policy/features/valid-with-semicolon.https.html
 delete mode 100644 testing/web-platform/tests/origin-policy/features/valid.https.html
 delete mode 100644 testing/web-platform/tests/origin-policy/features/valid.https.html.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html
 delete mode 100644 testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers
 delete mode 100644 testing/web-platform/tests/origin-policy/origin-policy.https.tentative.html
 create mode 100644 testing/web-platform/tests/origin-policy/policies/README.md
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op1 cspfp-comma-in-policy.json
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op10 cspfp-valid.json
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op2 cspfp-double-top-level.json
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op3 cspfp-double-second-level.json
 rename testing/web-platform/tests/{.well-known/origin-policy/policy-content-security-non-array => origin-policy/policies/op4 csp-non-array.json} (70%)
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op5 cspfp-non-object.json
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op6 cspfp-non-string.json
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op7 csp-noimg-report-only.json
 rename testing/web-platform/tests/{.well-known/origin-policy/policy-content-security-noimg => origin-policy/policies/op8 csp-noimg.json} (67%)
 create mode 100644 testing/web-platform/tests/origin-policy/policies/op9 csp-valid-with-multi-item-array.json
 create mode 100644 testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js
 create mode 100644
testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py delete mode 100644 testing/web-platform/tests/origin-policy/sec-origin-policy-header.html.py delete mode 100644 testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html delete mode 100644 testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html.sub.headers diff --git a/testing/web-platform/tests/.well-known/origin-policy b/testing/web-platform/tests/.well-known/origin-policy new file mode 100644 index 0000000000000..df2b83256c226 --- /dev/null +++ b/testing/web-platform/tests/.well-known/origin-policy @@ -0,0 +1,18 @@ +import os +import glob + + +def main(request, response): + host_piece = request.url_parts.hostname.split(".")[0] + + filepath_pattern = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath( + __file__)), "../origin-policy/policies/", "{} *.json".format(host_piece))) + + matches = glob.glob(filepath_pattern) + + if len(matches) != 1: + return 404, [], '{} origin policies found at a path matching "{}"'.format(len(matches), filepath_pattern) + + with open(matches[0]) as f: + data = f.read() + return 200, [('Content-Type', 'application/originpolicy+json')], data diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-comma-in-policy b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-comma-in-policy deleted file mode 100644 index 42990f93e6d27..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-comma-in-policy +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline', img-src 'none'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-content-security b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-content-security deleted file mode 100644 index be9b3750647d1..0000000000000 
--- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-content-security +++ /dev/null @@ -1,8 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline'"] - }, - "content_security": { - "policies": ["img-src 'none'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-policies b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-policies deleted file mode 100644 index 2e625c5c46389..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-double-policies +++ /dev/null @@ -1,6 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline'"], - "policies": ["img-src 'none'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg-report-only b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg-report-only deleted file mode 100644 index 13c662ef2d6e1..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg-report-only +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies_report_only": ["img-src 'none'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-object b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-object deleted file mode 100644 index 7f6e138364012..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-object +++ /dev/null @@ -1,3 +0,0 @@ -{ - "content_security": ["script-src 'self' 'unsafe-inline'"] -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-string b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-string deleted file mode 100644 index 8649b17c4d8e7..0000000000000 
--- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-string +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": [["script-src 'self' 'unsafe-inline'"]] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid deleted file mode 100644 index d4babb7949eef..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array deleted file mode 100644 index 45ec32200d5f6..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline'", "img-src 'none'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-semicolon b/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-semicolon deleted file mode 100644 index e777d5c96d592..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-valid-with-semicolon +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline'; img-src 'none'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-csp-1 b/testing/web-platform/tests/.well-known/origin-policy/policy-csp-1 deleted file mode 100644 index d4babb7949eef..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-csp-1 +++ /dev/null 
@@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'unsafe-inline'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-csp-2 b/testing/web-platform/tests/.well-known/origin-policy/policy-csp-2 deleted file mode 100644 index 34a6c5c873b57..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-csp-2 +++ /dev/null @@ -1,5 +0,0 @@ -{ - "content_security": { - "policies": ["script-src 'self' 'nonce-test'"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-features-comma-in-policy b/testing/web-platform/tests/.well-known/origin-policy/policy-features-comma-in-policy deleted file mode 100644 index e991c788f24a1..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-features-comma-in-policy +++ /dev/null @@ -1,5 +0,0 @@ -{ - "features": { - "policy": "camera 'self' https://example.com/, geolocation 'self' https://example.com/" - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-features-double-features b/testing/web-platform/tests/.well-known/origin-policy/policy-features-double-features deleted file mode 100644 index 583f1eaa2fcda..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-features-double-features +++ /dev/null @@ -1,8 +0,0 @@ -{ - "features": { - "policy": "camera 'self' https://example.com/" - }, - "features": { - "policy": "geolocation 'self' https://example.com/" - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-features-double-policy b/testing/web-platform/tests/.well-known/origin-policy/policy-features-double-policy deleted file mode 100644 index fb216bc472983..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-features-double-policy +++ /dev/null @@ -1,6 +0,0 @@ -{ - "features": { - "policy": "camera 'self' https://example.com/", - "policy": "geolocation 'self' https://example.com/" - } -} 
diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-features-non-object b/testing/web-platform/tests/.well-known/origin-policy/policy-features-non-object deleted file mode 100644 index b4d255440dc4b..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-features-non-object +++ /dev/null @@ -1,3 +0,0 @@ -{ - "features": "camera 'self' https://example.com/" -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-features-non-string b/testing/web-platform/tests/.well-known/origin-policy/policy-features-non-string deleted file mode 100644 index 8b758c7f61779..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-features-non-string +++ /dev/null @@ -1,5 +0,0 @@ -{ - "features": { - "policy": ["camera 'self' https://example.com/"] - } -} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-features-valid b/testing/web-platform/tests/.well-known/origin-policy/policy-features-valid deleted file mode 100644 index 22ef8992cf7b5..0000000000000 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-features-valid +++ /dev/null @@ -1,5 +0,0 @@ -{ - "features": { - "policy": "camera 'self' https://example.com/; geolocation 'self' https://example.com/" - } -} diff --git a/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html b/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html index 88d72446392e6..07d10811f0bf8 100644 --- a/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html @@ -3,9 +3,14 @@ Commas in "content_security/policy" cause parse errors and thus no CSP - + + +
diff --git a/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html.headers deleted file mode 100644 index 32e453ab20de0..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/comma-in-policy.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-comma-in-policy diff --git a/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html b/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html index 99046803c9fe3..357bd7669a668 100644 --- a/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html @@ -3,11 +3,14 @@ Of two "content_security" items only the second counts - + - +
diff --git a/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html.headers deleted file mode 100644 index a380b053c270c..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/double-content-security.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-double-content-security diff --git a/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html b/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html index 925b9d5a31e10..327670fcad0b3 100644 --- a/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html @@ -3,11 +3,14 @@ Of two "content_security/policies" items only the second counts - + - +
diff --git a/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html.headers deleted file mode 100644 index 23f1d1434057d..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/double-policies.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-double-policies diff --git a/testing/web-platform/tests/origin-policy/content-security/non-array.https.html b/testing/web-platform/tests/origin-policy/content-security/non-array.https.html index 78a67e16eb9d3..c95b5a15b0e64 100644 --- a/testing/web-platform/tests/origin-policy/content-security/non-array.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/non-array.https.html @@ -3,9 +3,14 @@ Non-array "content_security/policies" member must be ignored - + + +
diff --git a/testing/web-platform/tests/origin-policy/content-security/non-array.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/non-array.https.html.headers deleted file mode 100644 index 31e6f375ef967..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/non-array.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-non-array diff --git a/testing/web-platform/tests/origin-policy/content-security/non-object.https.html b/testing/web-platform/tests/origin-policy/content-security/non-object.https.html index 359c6c7692294..220136c4d050b 100644 --- a/testing/web-platform/tests/origin-policy/content-security/non-object.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/non-object.https.html @@ -3,9 +3,14 @@ Non-object "content_security" member must be ignored - + + +
diff --git a/testing/web-platform/tests/origin-policy/content-security/non-object.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/non-object.https.html.headers deleted file mode 100644 index 812ea9445eca1..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/non-object.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-non-object diff --git a/testing/web-platform/tests/origin-policy/content-security/non-string.https.html b/testing/web-platform/tests/origin-policy/content-security/non-string.https.html index 8af3c1c4dff13..57c29fe265beb 100644 --- a/testing/web-platform/tests/origin-policy/content-security/non-string.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/non-string.https.html @@ -3,9 +3,14 @@ Non-string "content_security/policies" array member must be ignored - + + +
diff --git a/testing/web-platform/tests/origin-policy/content-security/non-string.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/non-string.https.html.headers deleted file mode 100644 index 0b9ce2ee3f84c..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/non-string.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-non-string diff --git a/testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs b/testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs new file mode 100644 index 0000000000000..8715e74e5df81 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs @@ -0,0 +1,3 @@ +import { runCSPTest } from "./helper.mjs"; + +runCSPTest({ unsafeEval: true, img: false }); diff --git a/testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval.mjs b/testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval.mjs new file mode 100644 index 0000000000000..bd6ca6f8bbd1e --- /dev/null +++ b/testing/web-platform/tests/origin-policy/content-security/resources/allow-unsafe-eval.mjs @@ -0,0 +1,3 @@ +import { runCSPTest } from "./helper.mjs"; + +runCSPTest({ unsafeEval: true }); diff --git a/testing/web-platform/tests/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs b/testing/web-platform/tests/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs new file mode 100644 index 0000000000000..41b25553d5633 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs @@ -0,0 +1,3 @@ +import { runCSPTest } from "./helper.mjs"; + +runCSPTest({ unsafeEval: false, img: false }); 
diff --git a/testing/web-platform/tests/origin-policy/content-security/helper.js b/testing/web-platform/tests/origin-policy/content-security/resources/helper.mjs similarity index 89% rename from testing/web-platform/tests/origin-policy/content-security/helper.js rename to testing/web-platform/tests/origin-policy/content-security/resources/helper.mjs index 4875977afa443..5eff7e16ba04a 100644 --- a/testing/web-platform/tests/origin-policy/content-security/helper.js +++ b/testing/web-platform/tests/origin-policy/content-security/resources/helper.mjs @@ -1,4 +1,4 @@ -window.waitForOneSecurityPolicyViolationEvent = expectedBlockedURI => { +export function waitForOneSecurityPolicyViolationEvent(expectedBlockedURI) { return new Promise(resolve => { let eventCount = 0; let blockedURI = null; @@ -17,9 +17,9 @@ window.waitForOneSecurityPolicyViolationEvent = expectedBlockedURI => { }); }); }); -}; +} -window.waitForImgFail = imgSrc => { +export function waitForImgFail(imgSrc) { return new Promise((resolve, reject) => { const img = document.createElement("img"); img.onload = () => reject(new Error("Must not load the image")); @@ -28,10 +28,9 @@ window.waitForImgFail = imgSrc => { img.src = imgSrc; document.body.append(img); }); -}; +} - -window.waitForImgSuccess = imgSrc => { +export function waitForImgSuccess(imgSrc) { return new Promise((resolve, reject) => { const img = document.createElement("img"); img.onload = () => resolve(); @@ -40,10 +39,10 @@ window.waitForImgSuccess = imgSrc => { img.src = imgSrc; document.body.append(img); }); -}; +} // Both params are optional; if they are not given as booleans then we will not test that aspect. -window.runCSPTest = ({ unsafeEval, img }) => { +export function runCSPTest({ unsafeEval, img }) { if (unsafeEval === true) { test(() => { eval("window.evalAllowed = true;"); @@ -70,4 +69,4 @@ window.runCSPTest = ({ unsafeEval, img }) => { "img loading must be disallowed" ); } -}; +} 
diff --git a/testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs b/testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs new file mode 100644 index 0000000000000..9766717e309b5 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs @@ -0,0 +1,12 @@ +import { waitForOneSecurityPolicyViolationEvent, waitForImgSuccess } from "./helper.mjs"; + +promise_test(() => { + const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href; + + return Promise.all([ + waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => { + assert_equals(blockedURI, imgURL); + }), + waitForImgSuccess(imgURL) + ]); +}); diff --git a/testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report.mjs b/testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report.mjs new file mode 100644 index 0000000000000..319c87b0f8a67 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/content-security/resources/trigger-violation-report.mjs @@ -0,0 +1,12 @@ +import { waitForOneSecurityPolicyViolationEvent, waitForImgFail } from "./helper.mjs"; + +promise_test(() => { + const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href; + + return Promise.all([ + waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => { + assert_equals(blockedURI, imgURL); + }), + waitForImgFail(imgURL) + ]); +}); diff --git a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html b/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html index 3e5038b501dec..9eb83792852eb 100644 --- a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html 
+++ b/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html @@ -3,21 +3,14 @@ CSP via origin policy must trigger a securitypolicyviolation event even when the CSP is report-only - + - +
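Review bot: The two new modules `trigger-violation-report.mjs` and `trigger-violation-report-report-only.mjs` are identical apart from `waitForImgFail` versus `waitForImgSuccess`, so the `imgURL` construction, the `Promise.all` wrapper and the `assert_equals(blockedURI, imgURL)` check are duplicated verbatim. A single helper exported from `helper.mjs` that takes the wait function (or an `expectLoad` boolean) would reduce each entry module to one call, matching the `runCSPTest({ ... })` one-liner pattern used by the other `resources/*.mjs` files in this patch.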
diff --git a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers deleted file mode 100644 index cb27e1500e0b4..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-noimg-report-only diff --git a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html b/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html index 22beca5a3dbbc..f981b2b05cef7 100644 --- a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html @@ -3,21 +3,14 @@ CSP via origin policy must trigger a securitypolicyviolation event - + - +
diff --git a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html.headers deleted file mode 100644 index 08bcb9fa94171..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/trigger-violation-report.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-noimg diff --git a/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html b/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html index bc9ebd0cccfcb..36333a1e4b199 100644 --- a/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html @@ -3,11 +3,14 @@ "content_security/policy" can contain multiple array items to enforce multiple CSPs - + - +
diff --git a/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html.headers deleted file mode 100644 index eeddaba7a59b5..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/valid-with-multi-item-array.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-valid-with-semicolon diff --git a/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html b/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html index 82158f1cf7044..9eadc8f89d31a 100644 --- a/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html +++ b/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html @@ -3,11 +3,14 @@ "content_security/policy" array items can contain semicolons to enforce multiple CSP directives - + - +
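Review bot: The deleted `valid-with-multi-item-array.https.html.headers` contained `Sec-Origin-Policy: policy=policy-content-security-valid-with-semicolon` (blob `eeddaba7a59b5`, the same blob as `valid-with-semicolon.https.html.headers`), so the old multi-item-array test was actually loading the semicolon policy rather than a multi-item array. The rewritten `valid-with-multi-item-array.https.html` only passes for the right reason if it now targets the `op9 csp-valid-with-multi-item-array.json` host; worth confirming that in the new test body, since the old mismatch would otherwise carry over silently.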
diff --git a/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html.headers deleted file mode 100644 index eeddaba7a59b5..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/valid-with-semicolon.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-valid-with-semicolon diff --git a/testing/web-platform/tests/origin-policy/content-security/valid.https.html b/testing/web-platform/tests/origin-policy/content-security/valid.https.html deleted file mode 100644 index 36e5ddbf958b3..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/valid.https.html +++ /dev/null @@ -1,11 +0,0 @@ - - -Valid "content_security" member disallows eval - - - - - diff --git a/testing/web-platform/tests/origin-policy/content-security/valid.https.html.headers b/testing/web-platform/tests/origin-policy/content-security/valid.https.html.headers deleted file mode 100644 index 78aeeacd934c9..0000000000000 --- a/testing/web-platform/tests/origin-policy/content-security/valid.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-content-security-valid diff --git a/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html b/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html index 1b991f0d8b68a..a9faba4bfd4dd 100644 --- a/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html +++ b/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html @@ -3,9 +3,14 @@ Commas in "features/policy" cause parse errors and thus no feature policy - + + +
diff --git a/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html.headers b/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html.headers deleted file mode 100644 index c0e68720516a6..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/comma-in-policy.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-features-comma-in-policy diff --git a/testing/web-platform/tests/origin-policy/features/double-features.https.html b/testing/web-platform/tests/origin-policy/features/double-features.https.html index 8397f849f3014..aa687d681c66d 100644 --- a/testing/web-platform/tests/origin-policy/features/double-features.https.html +++ b/testing/web-platform/tests/origin-policy/features/double-features.https.html @@ -3,9 +3,14 @@ Of two "features" items only the second counts - + + +
diff --git a/testing/web-platform/tests/origin-policy/features/double-features.https.html.headers b/testing/web-platform/tests/origin-policy/features/double-features.https.html.headers deleted file mode 100644 index f0a57380a8f57..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/double-features.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-features-double-features diff --git a/testing/web-platform/tests/origin-policy/features/double-policy.https.html b/testing/web-platform/tests/origin-policy/features/double-policy.https.html index f1d63d6de966b..d9e544acaaf6a 100644 --- a/testing/web-platform/tests/origin-policy/features/double-policy.https.html +++ b/testing/web-platform/tests/origin-policy/features/double-policy.https.html @@ -3,9 +3,14 @@ Of two "features/policy" items only the second counts - + + +
diff --git a/testing/web-platform/tests/origin-policy/features/double-policy.https.html.headers b/testing/web-platform/tests/origin-policy/features/double-policy.https.html.headers deleted file mode 100644 index c1421693e4daf..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/double-policy.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-features-double-policy diff --git a/testing/web-platform/tests/origin-policy/features/non-object.https.html b/testing/web-platform/tests/origin-policy/features/non-object.https.html index 31f632bf0f1fe..2bd4b67e600c9 100644 --- a/testing/web-platform/tests/origin-policy/features/non-object.https.html +++ b/testing/web-platform/tests/origin-policy/features/non-object.https.html @@ -3,9 +3,14 @@ Non-object "features" member must be ignored - + + +
diff --git a/testing/web-platform/tests/origin-policy/features/non-object.https.html.headers b/testing/web-platform/tests/origin-policy/features/non-object.https.html.headers deleted file mode 100644 index e8f68712ed341..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/non-object.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-features-non-object diff --git a/testing/web-platform/tests/origin-policy/features/non-string.https.html b/testing/web-platform/tests/origin-policy/features/non-string.https.html index 019014c980a4a..190d224a4cfe0 100644 --- a/testing/web-platform/tests/origin-policy/features/non-string.https.html +++ b/testing/web-platform/tests/origin-policy/features/non-string.https.html @@ -3,9 +3,14 @@ Non-string "features/policy" member must be ignored - + + +
diff --git a/testing/web-platform/tests/origin-policy/features/non-string.https.html.headers b/testing/web-platform/tests/origin-policy/features/non-string.https.html.headers deleted file mode 100644 index 4c6c376697b85..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/non-string.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-features-non-string diff --git a/testing/web-platform/tests/origin-policy/features/helper.js b/testing/web-platform/tests/origin-policy/features/resources/helper.mjs similarity index 83% rename from testing/web-platform/tests/origin-policy/features/helper.js rename to testing/web-platform/tests/origin-policy/features/resources/helper.mjs index f9c16b58c2cf8..7ced355e645c7 100644 --- a/testing/web-platform/tests/origin-policy/features/helper.js +++ b/testing/web-platform/tests/origin-policy/features/resources/helper.mjs @@ -1,8 +1,8 @@ "use strict"; -window.runFPTest = ({ camera, geolocation }) => { +export function runFPTest({ camera, geolocation }) { test(() => { assert_equals(document.featurePolicy.allowsFeature('camera', 'https://example.com/'), camera, 'camera'); assert_equals(document.featurePolicy.allowsFeature('geolocation', 'https://example.com/'), geolocation, 'geolocation'); }); -}; +} diff --git a/testing/web-platform/tests/origin-policy/features/resources/no-camera-no-geolocation.mjs b/testing/web-platform/tests/origin-policy/features/resources/no-camera-no-geolocation.mjs new file mode 100644 index 0000000000000..b25d9abcb92ec --- /dev/null +++ b/testing/web-platform/tests/origin-policy/features/resources/no-camera-no-geolocation.mjs @@ -0,0 +1,3 @@ +import { runFPTest } from "./helper.mjs"; + +runFPTest({ camera: false, geolocation: false }); 
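Review bot: In the `features/resources/helper.mjs` hunk, the retained `"use strict";` on line 1 is redundant now that the file is an ES module (module code is always strict) and suggests the file can still be loaded as a classic script; drop it. As with the content-security helper, `runFPTest` relies on the testharness globals `test` and `assert_equals` without declaring it, and the single unnamed `test()` covering both `camera` and `geolocation` assertions means a failure reports only the document title; passing a name string such as `"feature policy from origin policy"` makes results easier to read in the wpt dashboard.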
diff --git a/testing/web-platform/tests/origin-policy/features/resources/no-camera-yes-geolocation.mjs b/testing/web-platform/tests/origin-policy/features/resources/no-camera-yes-geolocation.mjs new file mode 100644 index 0000000000000..a961deeb38989 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/features/resources/no-camera-yes-geolocation.mjs @@ -0,0 +1,3 @@ +import { runFPTest } from "./helper.mjs"; + +runFPTest({ camera: false, geolocation: true }); diff --git a/testing/web-platform/tests/origin-policy/features/resources/yes-camera-yes-geolocation.mjs b/testing/web-platform/tests/origin-policy/features/resources/yes-camera-yes-geolocation.mjs new file mode 100644 index 0000000000000..9f3b1d8303fe6 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/features/resources/yes-camera-yes-geolocation.mjs @@ -0,0 +1,3 @@ +import { runFPTest } from "./helper.mjs"; + +runFPTest({ camera: true, geolocation: true }); diff --git a/testing/web-platform/tests/origin-policy/features/valid-with-semicolon.https.html b/testing/web-platform/tests/origin-policy/features/valid-with-semicolon.https.html new file mode 100644 index 0000000000000..8d2d0f4495ff7 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/features/valid-with-semicolon.https.html @@ -0,0 +1,16 @@ + + +Valid "features" member, with a semicolon + + + + +
+ + diff --git a/testing/web-platform/tests/origin-policy/features/valid.https.html b/testing/web-platform/tests/origin-policy/features/valid.https.html deleted file mode 100644 index 6ff2076a7f076..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/valid.https.html +++ /dev/null @@ -1,11 +0,0 @@ - - -Valid "features" member - - - - - diff --git a/testing/web-platform/tests/origin-policy/features/valid.https.html.headers b/testing/web-platform/tests/origin-policy/features/valid.https.html.headers deleted file mode 100644 index 9d0e25792c46d..0000000000000 --- a/testing/web-platform/tests/origin-policy/features/valid.https.html.headers +++ /dev/null @@ -1 +0,0 @@ -Sec-Origin-Policy: policy=policy-features-valid diff --git a/testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html b/testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html deleted file mode 100644 index dfef7a1d133c2..0000000000000 --- a/testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html +++ /dev/null @@ -1,22 +0,0 @@ - - - - Test that Origin Policy report-to are deliverd to the declared reporting group - - - - - - - - - diff --git a/testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers b/testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers deleted file mode 100644 index 92a90c347d3a7..0000000000000 --- a/testing/web-platform/tests/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers +++ /dev/null @@ -1 +0,0 @@ -Set-Cookie: origin-policy-report-to=5b4d35b6-0771-46fe-8700-ed2bb59ed4be; Path=/origin-policy/ diff --git a/testing/web-platform/tests/origin-policy/origin-policy.https.tentative.html b/testing/web-platform/tests/origin-policy/origin-policy.https.tentative.html deleted file mode 100644 index 34a71fe40a192..0000000000000 
--- a/testing/web-platform/tests/origin-policy/origin-policy.https.tentative.html +++ /dev/null @@ -1,143 +0,0 @@ - - - - - - - -
- - - - diff --git a/testing/web-platform/tests/origin-policy/policies/README.md b/testing/web-platform/tests/origin-policy/policies/README.md new file mode 100644 index 0000000000000..b07be74035f2d --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/README.md @@ -0,0 +1,5 @@ +These policies are served via the Python script at /.well-known/origin-policy. Their filenames must be in the form `subdomain human-facing-string-with-no-spaces.json`. They will be served in response to requests to that subdomain. + +The human-facing string has no impact on the tests, and just makes it easier to scroll through the list. + +The list of potential hostnames is created by `tools/serve/serve.py`'s `_make_origin_policy_subdomains` function, and can be expanded as necessary. diff --git a/testing/web-platform/tests/origin-policy/policies/op1 cspfp-comma-in-policy.json b/testing/web-platform/tests/origin-policy/policies/op1 cspfp-comma-in-policy.json new file mode 100644 index 0000000000000..189d28db8ba80 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op1 cspfp-comma-in-policy.json @@ -0,0 +1,13 @@ +{ + "ids": [ + "cspfp-comma-in-policy" + ], + "content_security": { + "policies": [ + "script-src 'self' 'unsafe-inline', img-src 'none'" + ] + }, + "features": { + "policy": "camera 'self' https://example.com/, geolocation 'self' https://example.com/" + } +} diff --git a/testing/web-platform/tests/origin-policy/policies/op10 cspfp-valid.json b/testing/web-platform/tests/origin-policy/policies/op10 cspfp-valid.json new file mode 100644 index 0000000000000..0fc1d163f2b61 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op10 cspfp-valid.json @@ -0,0 +1,13 @@ +{ + "ids": [ + "cspfp-valid" + ], + "content_security": { + "policies": [ + "script-src 'self' 'unsafe-inline'; img-src 'none'" + ] + }, + "features": { + "policy": "camera 'self' https://example.com/; geolocation 'self' https://example.com/" + } +} 
diff --git a/testing/web-platform/tests/origin-policy/policies/op2 cspfp-double-top-level.json b/testing/web-platform/tests/origin-policy/policies/op2 cspfp-double-top-level.json new file mode 100644 index 0000000000000..26d798b585d96 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op2 cspfp-double-top-level.json @@ -0,0 +1,21 @@ +{ + "ids": [ + "cspfp-double-top-level" + ], + "content_security": { + "policies": [ + "script-src 'self' 'unsafe-inline'" + ] + }, + "content_security": { + "policies": [ + "img-src 'none'" + ] + }, + "features": { + "policy": "camera 'self' https://example.com/" + }, + "features": { + "policy": "geolocation 'self' https://example.com/" + } +} diff --git a/testing/web-platform/tests/origin-policy/policies/op3 cspfp-double-second-level.json b/testing/web-platform/tests/origin-policy/policies/op3 cspfp-double-second-level.json new file mode 100644 index 0000000000000..6665332807bea --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op3 cspfp-double-second-level.json @@ -0,0 +1,17 @@ +{ + "ids": [ + "cspfp-double-second-level" + ], + "content_security": { + "policies": [ + "script-src 'self' 'unsafe-inline'" + ], + "policies": [ + "img-src 'none'" + ] + }, + "features": { + "policy": "camera 'self' https://example.com/", + "policy": "geolocation 'self' https://example.com/" + } +} diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-array b/testing/web-platform/tests/origin-policy/policies/op4 csp-non-array.json similarity index 70% rename from testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-array rename to testing/web-platform/tests/origin-policy/policies/op4 csp-non-array.json index b96546c5f88fe..5916b1ff9b572 100644 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-non-array +++ b/testing/web-platform/tests/origin-policy/policies/op4 csp-non-array.json 
@@ -1,4 +1,7 @@ { + "ids": [ + "csp-non-array" + ], "content_security": { "policies": "script-src 'self' 'unsafe-inline'" } diff --git a/testing/web-platform/tests/origin-policy/policies/op5 cspfp-non-object.json b/testing/web-platform/tests/origin-policy/policies/op5 cspfp-non-object.json new file mode 100644 index 0000000000000..7488f9bfef297 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op5 cspfp-non-object.json @@ -0,0 +1,9 @@ +{ + "ids": [ + "cspfp-non-object" + ], + "content_security": [ + "script-src 'self' 'unsafe-inline'" + ], + "features": "camera 'self' https://example.com/" +} diff --git a/testing/web-platform/tests/origin-policy/policies/op6 cspfp-non-string.json b/testing/web-platform/tests/origin-policy/policies/op6 cspfp-non-string.json new file mode 100644 index 0000000000000..5c6941bf8fd18 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op6 cspfp-non-string.json @@ -0,0 +1,17 @@ +{ + "ids": [ + "csp-non-string" + ], + "content_security": { + "policies": [ + [ + "script-src 'self' 'unsafe-inline'" + ] + ] + }, + "features": { + "policy": [ + "camera 'self' https://example.com/" + ] + } +} diff --git a/testing/web-platform/tests/origin-policy/policies/op7 csp-noimg-report-only.json b/testing/web-platform/tests/origin-policy/policies/op7 csp-noimg-report-only.json new file mode 100644 index 0000000000000..fd5c522042a7e --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op7 csp-noimg-report-only.json @@ -0,0 +1,10 @@ +{ + "ids": [ + "csp-noimg-report-only" + ], + "content_security": { + "policies_report_only": [ + "img-src 'none'" + ] + } +} 
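Review bot: In `op6 cspfp-non-string.json` the `ids` member is `"csp-non-string"` while the filename's human-facing string is `cspfp-non-string` and the policy carries both `content_security` and `features`; every other file in `policies/` uses the filename string as its id (`cspfp-non-object`, `csp-noimg-report-only`, `csp-valid-with-multi-item-array`). The commit message says ids are unused for now, but the mismatch will bite once crbug.com/1042036 starts matching on them, so rename it to `"cspfp-non-string"`. Related: `op2 cspfp-double-top-level.json` and `op3 cspfp-double-second-level.json` intentionally contain duplicate keys (`content_security`, `features`, `policies`, `policy`) to test last-wins behaviour; JSON formatters and some linters will reject or collapse those, so the `policies/README.md` should state that these two files must not be reformatted.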
diff --git a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg b/testing/web-platform/tests/origin-policy/policies/op8 csp-noimg.json similarity index 67% rename from testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg rename to testing/web-platform/tests/origin-policy/policies/op8 csp-noimg.json index cd57b7b21e916..b88e1f80bf93c 100644 --- a/testing/web-platform/tests/.well-known/origin-policy/policy-content-security-noimg +++ b/testing/web-platform/tests/origin-policy/policies/op8 csp-noimg.json @@ -1,4 +1,7 @@ { + "ids": [ + "csp-noimg" + ], "content_security": { "policies": ["img-src 'none'"] } diff --git a/testing/web-platform/tests/origin-policy/policies/op9 csp-valid-with-multi-item-array.json b/testing/web-platform/tests/origin-policy/policies/op9 csp-valid-with-multi-item-array.json new file mode 100644 index 0000000000000..edd743038db8d --- /dev/null +++ b/testing/web-platform/tests/origin-policy/policies/op9 csp-valid-with-multi-item-array.json @@ -0,0 +1,11 @@ +{ + "ids": [ + "csp-valid-with-multi-item-array" + ], + "content_security": { + "policies": [ + "script-src 'self' 'unsafe-inline'", + "img-src 'none'" + ] + } +} diff --git a/testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js b/testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js new file mode 100644 index 0000000000000..a1c6453debd20 --- /dev/null +++ b/testing/web-platform/tests/origin-policy/resources/origin-policy-test-runner.js 
@@ -0,0 +1,28 @@ +window.runTestsInSubframe = ({ hostname, testJS }) => { + test(() => { + assert_equals(location.protocol, "https:"); + }, "Prerequisite check: running on HTTPS"); + + promise_test(() => new Promise((resolve, reject) => { + const url = new URL(window.location.href); + url.hostname = `${hostname}.${document.domain}`; + url.pathname = "/origin-policy/resources/subframe-with-origin-policy.py"; + + // Normalize the URL so that callers can idiomatically give values relative + // to themselves. + url.searchParams.append("test", new URL(testJS, document.baseURI).pathname); + + const iframe = document.createElement("iframe"); + iframe.src = url.href; + + // We need to delegate anything we plan to toggle with FP otherwise it will + // be locked to disallowed. + iframe.allow = "camera *; geolocation *"; + + iframe.onload = resolve; + iframe.onerror = () => reject(new Error(`Could not load ${url.href}`)); + document.body.append(iframe); + + fetch_tests_from_window(iframe.contentWindow); + }), "Test setup of the iframe"); +}; diff --git a/testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py b/testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py new file mode 100644 index 0000000000000..636a649a0e20b --- /dev/null +++ b/testing/web-platform/tests/origin-policy/resources/subframe-with-origin-policy.py 
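Review bot: In `origin-policy-test-runner.js`, the `iframe.onerror = () => reject(new Error(...))` branch cannot fire for a failed navigation: an `<iframe>` dispatches `load` even when the server answers with an error page or the `${hostname}.${document.domain}` host does not resolve, so a subdomain missing from `_make_origin_policy_subdomains` (per the README) resolves the "Test setup of the iframe" test and then leaves `fetch_tests_from_window` waiting until the harness timeout with no diagnostic. Consider having `subframe-with-origin-policy.py` post a ready message that the runner waits for, or at least reword the comment so `onerror` is not presented as the failure path. The `assert_equals(location.protocol, "https:")` prerequisite is a good addition given the policy fetch is HTTPS-only.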
@@ -0,0 +1,26 @@ +def main(request, response): + """Send a response with the Origin-Policy header asking for the latest + policy, that runs the test JS given by the ?test= argument. This is meant + to be loaded into an iframe by origin-policy-test-runner.js. + + The ?test= argument is best given as an absolute path (starting with /) + since it will otherwise be interpreted relative to where this file is + served. + """ + test_file = request.GET.first("test") + + response.headers.set("Origin-Policy", "allowed=(latest)") + response.headers.set("Content-Type", "text/html") + + return """ + + + Origin policy subframe + + + + +
+ + + """ % test_file diff --git a/testing/web-platform/tests/origin-policy/sec-origin-policy-header.html.py b/testing/web-platform/tests/origin-policy/sec-origin-policy-header.html.py deleted file mode 100644 index 7754e04a313c1..0000000000000 --- a/testing/web-platform/tests/origin-policy/sec-origin-policy-header.html.py +++ /dev/null @@ -1,64 +0,0 @@ -def main(request, response): - """Send a response with the origin policy indicated by the ?policy= argument. - - Won't send a policy when the browser doesn't indicate support. - The response tests whether inline script and eval are allowed, and will - send a corresponding message to the parent frame. - For easier debugging, we'll also show the results in-page. - """ - origin_policy_header = "Sec-Origin-Policy" - request_policy = request.headers.get(origin_policy_header) - response_policy = request.GET.first("policy", default="") - - if request_policy and response_policy: - response.headers.set(origin_policy_header, "policy=%s" % response_policy) - response.headers.set("Vary", "sec-origin-policy") - - response.headers.set("Content-Type", "text/html"); - return """ - - - Page with an Origin Policy - - - - - -

Reveal whether CSP with "unsafe-inline" or "unsafe-eval" is present:

-
    -
  • inline script allowed:
  • -
  • eval allowed:
  • -
- - - - - """ - diff --git a/testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html b/testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html deleted file mode 100644 index d716ba11d97ce..0000000000000 --- a/testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html +++ /dev/null @@ -1,3 +0,0 @@ -The forbidden frame. -Content shouldn't matter, because this frame shouldn't be loaded. -So there. diff --git a/testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html.sub.headers b/testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html.sub.headers deleted file mode 100644 index a046f0096ba1b..0000000000000 --- a/testing/web-platform/tests/origin-policy/sec-origin-policy-subframe.html.sub.headers +++ /dev/null @@ -1,3 +0,0 @@ -Report-To: { "group": "report-to-group", "max_age": 1000, "endpoints": [{ "url": "https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID=5b4d35b6-0771-46fe-8700-ed2bb59ed4be" }] } -Sec-Origin-Policy: policy=nonexistingpolicy, report-to=report-to-group -
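Review bot: In the `subframe-with-origin-policy.py` hunk, `test_file = request.GET.first("test")` is formatted into the HTML with `%s` and no escaping, so whatever reaches this fixture's `?test=` parameter lands verbatim in the generated markup of a page served with an `Origin-Policy` header; the docstring already says the value should be an absolute path, so enforce that it starts with `/` and contains no `"`, `<` or `>` (or escape it) before formatting, rather than relying on the runner to be the only caller. `request.GET.first("test")` also raises when the parameter is absent, which surfaces as a server traceback; `request.GET.first("test", "")` followed by an explicit 400 response gives a readable failure when a test passes a wrong `testJS`.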