From 5457330957fd4bbb83ac6565c5d17f97323fd8d7 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <domenic@chromium.org>
Date: Wed, 12 Feb 2020 14:24:04 -0800
Subject: [PATCH] Always fetch origin policies from /.well-known/origin-policy

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway.

In particular, this removes:

* The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040.

* Redirect-handling logic for default policies. Redirects are now always an error.

* Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036.

* Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: https://github.com/WICG/origin-policy/issues/51

* A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests.

* A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable.

* Reporting, for now. We need to first spec this and then add it back. See https://github.com/WICG/origin-policy/issues/62.

Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec.

Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at https://github.com/web-platform-tests/wpt/issues/20773 and https://github.com/web-platform-tests/rfcs/pull/44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036.

Bug: 1042034
Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d
---
 .well-known/origin-policy                     |  18 +++
 .../policy-content-security-comma-in-policy   |   5 -
 ...y-content-security-double-content-security |   8 -
 .../policy-content-security-double-policies   |   6 -
 .../policy-content-security-noimg-report-only |   5 -
 .../policy-content-security-non-object        |   3 -
 .../policy-content-security-non-string        |   5 -
 .../policy-content-security-valid             |   5 -
 ...ntent-security-valid-with-multi-item-array |   5 -
 ...licy-content-security-valid-with-semicolon |   5 -
 .well-known/origin-policy/policy-csp-1        |   5 -
 .well-known/origin-policy/policy-csp-2        |   5 -
 .../policy-features-comma-in-policy           |   5 -
 .../policy-features-double-features           |   8 -
 .../policy-features-double-policy             |   6 -
 .../origin-policy/policy-features-non-object  |   3 -
 .../origin-policy/policy-features-non-string  |   5 -
 .../origin-policy/policy-features-valid       |   5 -
 .../comma-in-policy.https.html                |   9 +-
 .../comma-in-policy.https.html.headers        |   1 -
 .../double-content-security.https.html        |   9 +-
 ...double-content-security.https.html.headers |   1 -
 .../double-policies.https.html                |   9 +-
 .../double-policies.https.html.headers        |   1 -
 .../content-security/non-array.https.html     |   9 +-
 .../non-array.https.html.headers              |   1 -
 .../content-security/non-object.https.html    |   9 +-
 .../non-object.https.html.headers             |   1 -
 .../content-security/non-string.https.html    |   9 +-
 .../non-string.https.html.headers             |   1 -
 .../allow-unsafe-eval-disallow-images.mjs     |   3 +
 .../resources/allow-unsafe-eval.mjs           |   3 +
 .../disallow-unsafe-eval-disallow-images.mjs  |   3 +
 .../{helper.js => resources/helper.mjs}       |  17 +--
 .../trigger-violation-report-report-only.mjs  |  12 ++
 .../resources/trigger-violation-report.mjs    |  12 ++
 ...er-violation-report-report-only.https.html |  17 +--
 ...tion-report-report-only.https.html.headers |   1 -
 .../trigger-violation-report.https.html       |  17 +--
 ...rigger-violation-report.https.html.headers |   1 -
 .../valid-with-multi-item-array.https.html    |   9 +-
 ...d-with-multi-item-array.https.html.headers |   1 -
 .../valid-with-semicolon.https.html           |   9 +-
 .../valid-with-semicolon.https.html.headers   |   1 -
 .../content-security/valid.https.html         |  11 --
 .../content-security/valid.https.html.headers |   1 -
 .../features/comma-in-policy.https.html       |   9 +-
 .../comma-in-policy.https.html.headers        |   1 -
 .../features/double-features.https.html       |   9 +-
 .../double-features.https.html.headers        |   1 -
 .../features/double-policy.https.html         |   9 +-
 .../features/double-policy.https.html.headers |   1 -
 origin-policy/features/non-object.https.html  |   9 +-
 .../features/non-object.https.html.headers    |   1 -
 origin-policy/features/non-string.https.html  |   9 +-
 .../features/non-string.https.html.headers    |   1 -
 .../{helper.js => resources/helper.mjs}       |   4 +-
 .../resources/no-camera-no-geolocation.mjs    |   3 +
 .../resources/no-camera-yes-geolocation.mjs   |   3 +
 .../resources/yes-camera-yes-geolocation.mjs  |   3 +
 .../features/valid-with-semicolon.https.html  |  16 ++
 origin-policy/features/valid.https.html       |  11 --
 .../features/valid.https.html.headers         |   1 -
 ...-policy-report-to.https.tentative.sub.html |  22 ---
 ...rt-to.https.tentative.sub.html.sub.headers |   1 -
 .../origin-policy.https.tentative.html        | 143 ------------------
 origin-policy/policies/README.md              |   5 +
 .../policies/op1 cspfp-comma-in-policy.json   |  13 ++
 origin-policy/policies/op10 cspfp-valid.json  |  13 ++
 .../policies/op2 cspfp-double-top-level.json  |  21 +++
 .../op3 cspfp-double-second-level.json        |  17 +++
 .../policies/op4 csp-non-array.json           |   3 +
 .../policies/op5 cspfp-non-object.json        |   9 ++
 .../policies/op6 cspfp-non-string.json        |  17 +++
 .../policies/op7 csp-noimg-report-only.json   |  10 ++
 .../policies/op8 csp-noimg.json               |   3 +
 .../op9 csp-valid-with-multi-item-array.json  |  11 ++
 .../resources/origin-policy-test-runner.js    |  28 ++++
 .../resources/subframe-with-origin-policy.py  |  26 ++++
 .../sec-origin-policy-header.html.py          |  64 --------
 origin-policy/sec-origin-policy-subframe.html |   3 -
 ...ec-origin-policy-subframe.html.sub.headers |   3 -
 tools/serve/serve.py                          |   1 +
 83 files changed, 360 insertions(+), 429 deletions(-)
 create mode 100644 .well-known/origin-policy
 delete mode 100644 .well-known/origin-policy/policy-content-security-comma-in-policy
 delete mode 100644 .well-known/origin-policy/policy-content-security-double-content-security
 delete mode 100644 .well-known/origin-policy/policy-content-security-double-policies
 delete mode 100644 .well-known/origin-policy/policy-content-security-noimg-report-only
 delete mode 100644 .well-known/origin-policy/policy-content-security-non-object
 delete mode 100644 .well-known/origin-policy/policy-content-security-non-string
 delete mode 100644 .well-known/origin-policy/policy-content-security-valid
 delete mode 100644 .well-known/origin-policy/policy-content-security-valid-with-multi-item-array
 delete mode 100644 .well-known/origin-policy/policy-content-security-valid-with-semicolon
 delete mode 100644 .well-known/origin-policy/policy-csp-1
 delete mode 100644 .well-known/origin-policy/policy-csp-2
 delete mode 100644 .well-known/origin-policy/policy-features-comma-in-policy
 delete mode 100644 .well-known/origin-policy/policy-features-double-features
 delete mode 100644 .well-known/origin-policy/policy-features-double-policy
 delete mode 100644 .well-known/origin-policy/policy-features-non-object
 delete mode 100644 .well-known/origin-policy/policy-features-non-string
 delete mode 100644 .well-known/origin-policy/policy-features-valid
 delete mode 100644 origin-policy/content-security/comma-in-policy.https.html.headers
 delete mode 100644 origin-policy/content-security/double-content-security.https.html.headers
 delete mode 100644 origin-policy/content-security/double-policies.https.html.headers
 delete mode 100644 origin-policy/content-security/non-array.https.html.headers
 delete mode 100644 origin-policy/content-security/non-object.https.html.headers
 delete mode 100644 origin-policy/content-security/non-string.https.html.headers
 create mode 100644 origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs
 create mode 100644 origin-policy/content-security/resources/allow-unsafe-eval.mjs
 create mode 100644 origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs
 rename origin-policy/content-security/{helper.js => resources/helper.mjs} (89%)
 create mode 100644 origin-policy/content-security/resources/trigger-violation-report-report-only.mjs
 create mode 100644 origin-policy/content-security/resources/trigger-violation-report.mjs
 delete mode 100644 origin-policy/content-security/trigger-violation-report-report-only.https.html.headers
 delete mode 100644 origin-policy/content-security/trigger-violation-report.https.html.headers
 delete mode 100644 origin-policy/content-security/valid-with-multi-item-array.https.html.headers
 delete mode 100644 origin-policy/content-security/valid-with-semicolon.https.html.headers
 delete mode 100644 origin-policy/content-security/valid.https.html
 delete mode 100644 origin-policy/content-security/valid.https.html.headers
 delete mode 100644 origin-policy/features/comma-in-policy.https.html.headers
 delete mode 100644 origin-policy/features/double-features.https.html.headers
 delete mode 100644 origin-policy/features/double-policy.https.html.headers
 delete mode 100644 origin-policy/features/non-object.https.html.headers
 delete mode 100644 origin-policy/features/non-string.https.html.headers
 rename origin-policy/features/{helper.js => resources/helper.mjs} (83%)
 create mode 100644 origin-policy/features/resources/no-camera-no-geolocation.mjs
 create mode 100644 origin-policy/features/resources/no-camera-yes-geolocation.mjs
 create mode 100644 origin-policy/features/resources/yes-camera-yes-geolocation.mjs
 create mode 100644 origin-policy/features/valid-with-semicolon.https.html
 delete mode 100644 origin-policy/features/valid.https.html
 delete mode 100644 origin-policy/features/valid.https.html.headers
 delete mode 100644 origin-policy/origin-policy-report-to.https.tentative.sub.html
 delete mode 100644 origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers
 delete mode 100644 origin-policy/origin-policy.https.tentative.html
 create mode 100644 origin-policy/policies/README.md
 create mode 100644 origin-policy/policies/op1 cspfp-comma-in-policy.json
 create mode 100644 origin-policy/policies/op10 cspfp-valid.json
 create mode 100644 origin-policy/policies/op2 cspfp-double-top-level.json
 create mode 100644 origin-policy/policies/op3 cspfp-double-second-level.json
 rename .well-known/origin-policy/policy-content-security-non-array => origin-policy/policies/op4 csp-non-array.json (70%)
 create mode 100644 origin-policy/policies/op5 cspfp-non-object.json
 create mode 100644 origin-policy/policies/op6 cspfp-non-string.json
 create mode 100644 origin-policy/policies/op7 csp-noimg-report-only.json
 rename .well-known/origin-policy/policy-content-security-noimg => origin-policy/policies/op8 csp-noimg.json (67%)
 create mode 100644 origin-policy/policies/op9 csp-valid-with-multi-item-array.json
 create mode 100644 origin-policy/resources/origin-policy-test-runner.js
 create mode 100644 origin-policy/resources/subframe-with-origin-policy.py
 delete mode 100644 origin-policy/sec-origin-policy-header.html.py
 delete mode 100644 origin-policy/sec-origin-policy-subframe.html
 delete mode 100644 origin-policy/sec-origin-policy-subframe.html.sub.headers

diff --git a/.well-known/origin-policy b/.well-known/origin-policy
new file mode 100644
index 000000000000000..df2b83256c2265f
--- /dev/null
+++ b/.well-known/origin-policy
@@ -0,0 +1,18 @@
+import os
+import glob
+
+
+def main(request, response):
+    host_piece = request.url_parts.hostname.split(".")[0]
+
+    filepath_pattern = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(
+        __file__)), "../origin-policy/policies/", "{} *.json".format(host_piece)))
+
+    matches = glob.glob(filepath_pattern)
+
+    if len(matches) != 1:
+        return 404, [], '{} origin policies found at a path matching "{}"'.format(len(matches), filepath_pattern)
+
+    with open(matches[0]) as f:
+        data = f.read()
+        return 200, [('Content-Type', 'application/originpolicy+json')], data
diff --git a/.well-known/origin-policy/policy-content-security-comma-in-policy b/.well-known/origin-policy/policy-content-security-comma-in-policy
deleted file mode 100644
index 42990f93e6d2722..000000000000000
--- a/.well-known/origin-policy/policy-content-security-comma-in-policy
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline', img-src 'none'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-double-content-security b/.well-known/origin-policy/policy-content-security-double-content-security
deleted file mode 100644
index be9b3750647d121..000000000000000
--- a/.well-known/origin-policy/policy-content-security-double-content-security
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline'"]
-  },
-  "content_security": {
-    "policies": ["img-src 'none'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-double-policies b/.well-known/origin-policy/policy-content-security-double-policies
deleted file mode 100644
index 2e625c5c46389b7..000000000000000
--- a/.well-known/origin-policy/policy-content-security-double-policies
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline'"],
-    "policies": ["img-src 'none'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-noimg-report-only b/.well-known/origin-policy/policy-content-security-noimg-report-only
deleted file mode 100644
index 13c662ef2d6e1c7..000000000000000
--- a/.well-known/origin-policy/policy-content-security-noimg-report-only
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies_report_only": ["img-src 'none'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-non-object b/.well-known/origin-policy/policy-content-security-non-object
deleted file mode 100644
index 7f6e13836401251..000000000000000
--- a/.well-known/origin-policy/policy-content-security-non-object
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  "content_security": ["script-src 'self' 'unsafe-inline'"]
-}
diff --git a/.well-known/origin-policy/policy-content-security-non-string b/.well-known/origin-policy/policy-content-security-non-string
deleted file mode 100644
index 8649b17c4d8e73e..000000000000000
--- a/.well-known/origin-policy/policy-content-security-non-string
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": [["script-src 'self' 'unsafe-inline'"]]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-valid b/.well-known/origin-policy/policy-content-security-valid
deleted file mode 100644
index d4babb7949eefdf..000000000000000
--- a/.well-known/origin-policy/policy-content-security-valid
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array b/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array
deleted file mode 100644
index 45ec32200d5f6e3..000000000000000
--- a/.well-known/origin-policy/policy-content-security-valid-with-multi-item-array
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline'", "img-src 'none'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-content-security-valid-with-semicolon b/.well-known/origin-policy/policy-content-security-valid-with-semicolon
deleted file mode 100644
index e777d5c96d5921d..000000000000000
--- a/.well-known/origin-policy/policy-content-security-valid-with-semicolon
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline'; img-src 'none'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-csp-1 b/.well-known/origin-policy/policy-csp-1
deleted file mode 100644
index d4babb7949eefdf..000000000000000
--- a/.well-known/origin-policy/policy-csp-1
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'unsafe-inline'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-csp-2 b/.well-known/origin-policy/policy-csp-2
deleted file mode 100644
index 34a6c5c873b5775..000000000000000
--- a/.well-known/origin-policy/policy-csp-2
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "content_security": {
-    "policies": ["script-src 'self' 'nonce-test'"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-features-comma-in-policy b/.well-known/origin-policy/policy-features-comma-in-policy
deleted file mode 100644
index e991c788f24a160..000000000000000
--- a/.well-known/origin-policy/policy-features-comma-in-policy
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "features": {
-    "policy": "camera 'self' https://example.com/, geolocation 'self' https://example.com/"
-  }
-}
diff --git a/.well-known/origin-policy/policy-features-double-features b/.well-known/origin-policy/policy-features-double-features
deleted file mode 100644
index 583f1eaa2fcda87..000000000000000
--- a/.well-known/origin-policy/policy-features-double-features
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "features": {
-    "policy": "camera 'self' https://example.com/"
-  },
-  "features": {
-    "policy": "geolocation 'self' https://example.com/"
-  }
-}
diff --git a/.well-known/origin-policy/policy-features-double-policy b/.well-known/origin-policy/policy-features-double-policy
deleted file mode 100644
index fb216bc47298384..000000000000000
--- a/.well-known/origin-policy/policy-features-double-policy
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "features": {
-    "policy": "camera 'self' https://example.com/",
-    "policy": "geolocation 'self' https://example.com/"
-  }
-}
diff --git a/.well-known/origin-policy/policy-features-non-object b/.well-known/origin-policy/policy-features-non-object
deleted file mode 100644
index b4d255440dc4b30..000000000000000
--- a/.well-known/origin-policy/policy-features-non-object
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  "features": "camera 'self' https://example.com/"
-}
diff --git a/.well-known/origin-policy/policy-features-non-string b/.well-known/origin-policy/policy-features-non-string
deleted file mode 100644
index 8b758c7f617790b..000000000000000
--- a/.well-known/origin-policy/policy-features-non-string
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "features": {
-    "policy": ["camera 'self' https://example.com/"]
-  }
-}
diff --git a/.well-known/origin-policy/policy-features-valid b/.well-known/origin-policy/policy-features-valid
deleted file mode 100644
index 22ef8992cf7b5e3..000000000000000
--- a/.well-known/origin-policy/policy-features-valid
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "features": {
-    "policy": "camera 'self' https://example.com/; geolocation 'self' https://example.com/"
-  }
-}
diff --git a/origin-policy/content-security/comma-in-policy.https.html b/origin-policy/content-security/comma-in-policy.https.html
index 88d72446392e675..07d10811f0bf853 100644
--- a/origin-policy/content-security/comma-in-policy.https.html
+++ b/origin-policy/content-security/comma-in-policy.https.html
@@ -3,9 +3,14 @@
 <title>Commas in "content_security/policy" cause parse errors and thus no CSP</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op1",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/comma-in-policy.https.html.headers b/origin-policy/content-security/comma-in-policy.https.html.headers
deleted file mode 100644
index 32e453ab20de0c3..000000000000000
--- a/origin-policy/content-security/comma-in-policy.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-comma-in-policy
diff --git a/origin-policy/content-security/double-content-security.https.html b/origin-policy/content-security/double-content-security.https.html
index 99046803c9fe305..357bd7669a66865 100644
--- a/origin-policy/content-security/double-content-security.https.html
+++ b/origin-policy/content-security/double-content-security.https.html
@@ -3,11 +3,14 @@
 <title>Of two "content_security" items only the second counts</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true, img: false });
+runTestsInSubframe({
+  hostname: "op2",
+  testJS: "resources/allow-unsafe-eval-disallow-images.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/double-content-security.https.html.headers b/origin-policy/content-security/double-content-security.https.html.headers
deleted file mode 100644
index a380b053c270c61..000000000000000
--- a/origin-policy/content-security/double-content-security.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-double-content-security
diff --git a/origin-policy/content-security/double-policies.https.html b/origin-policy/content-security/double-policies.https.html
index 925b9d5a31e10ff..327670fcad0b3ae 100644
--- a/origin-policy/content-security/double-policies.https.html
+++ b/origin-policy/content-security/double-policies.https.html
@@ -3,11 +3,14 @@
 <title>Of two "content_security/policies" items only the second counts</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true, img: false });
+runTestsInSubframe({
+  hostname: "op3",
+  testJS: "resources/allow-unsafe-eval-disallow-images.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/double-policies.https.html.headers b/origin-policy/content-security/double-policies.https.html.headers
deleted file mode 100644
index 23f1d1434057d27..000000000000000
--- a/origin-policy/content-security/double-policies.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-double-policies
diff --git a/origin-policy/content-security/non-array.https.html b/origin-policy/content-security/non-array.https.html
index 78a67e16eb9d305..c95b5a15b0e6414 100644
--- a/origin-policy/content-security/non-array.https.html
+++ b/origin-policy/content-security/non-array.https.html
@@ -3,9 +3,14 @@
 <title>Non-array "content_security/policies" member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op4",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/non-array.https.html.headers b/origin-policy/content-security/non-array.https.html.headers
deleted file mode 100644
index 31e6f375ef967e2..000000000000000
--- a/origin-policy/content-security/non-array.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-non-array
diff --git a/origin-policy/content-security/non-object.https.html b/origin-policy/content-security/non-object.https.html
index 359c6c7692294eb..220136c4d050bea 100644
--- a/origin-policy/content-security/non-object.https.html
+++ b/origin-policy/content-security/non-object.https.html
@@ -3,9 +3,14 @@
 <title>Non-object "content_security" member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op5",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/non-object.https.html.headers b/origin-policy/content-security/non-object.https.html.headers
deleted file mode 100644
index 812ea9445eca18d..000000000000000
--- a/origin-policy/content-security/non-object.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-non-object
diff --git a/origin-policy/content-security/non-string.https.html b/origin-policy/content-security/non-string.https.html
index 8af3c1c4dff1369..57c29fe265bebe2 100644
--- a/origin-policy/content-security/non-string.https.html
+++ b/origin-policy/content-security/non-string.https.html
@@ -3,9 +3,14 @@
 <title>Non-string "content_security/policies" array member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: true });
+runTestsInSubframe({
+  hostname: "op6",
+  testJS: "resources/allow-unsafe-eval.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/non-string.https.html.headers b/origin-policy/content-security/non-string.https.html.headers
deleted file mode 100644
index 0b9ce2ee3f84c52..000000000000000
--- a/origin-policy/content-security/non-string.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-non-string
diff --git a/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs b/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs
new file mode 100644
index 000000000000000..8715e74e5df8195
--- /dev/null
+++ b/origin-policy/content-security/resources/allow-unsafe-eval-disallow-images.mjs
@@ -0,0 +1,3 @@
+import { runCSPTest } from "./helper.mjs";
+
+runCSPTest({ unsafeEval: true, img: false });
diff --git a/origin-policy/content-security/resources/allow-unsafe-eval.mjs b/origin-policy/content-security/resources/allow-unsafe-eval.mjs
new file mode 100644
index 000000000000000..bd6ca6f8bbd1e99
--- /dev/null
+++ b/origin-policy/content-security/resources/allow-unsafe-eval.mjs
@@ -0,0 +1,3 @@
+import { runCSPTest } from "./helper.mjs";
+
+runCSPTest({ unsafeEval: true });
diff --git a/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs b/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs
new file mode 100644
index 000000000000000..41b25553d56338a
--- /dev/null
+++ b/origin-policy/content-security/resources/disallow-unsafe-eval-disallow-images.mjs
@@ -0,0 +1,3 @@
+import { runCSPTest } from "./helper.mjs";
+
+runCSPTest({ unsafeEval: false, img: false });
diff --git a/origin-policy/content-security/helper.js b/origin-policy/content-security/resources/helper.mjs
similarity index 89%
rename from origin-policy/content-security/helper.js
rename to origin-policy/content-security/resources/helper.mjs
index 4875977afa4437a..5eff7e16ba04a73 100644
--- a/origin-policy/content-security/helper.js
+++ b/origin-policy/content-security/resources/helper.mjs
@@ -1,4 +1,4 @@
-window.waitForOneSecurityPolicyViolationEvent = expectedBlockedURI => {
+export function waitForOneSecurityPolicyViolationEvent(expectedBlockedURI) {
   return new Promise(resolve => {
     let eventCount = 0;
     let blockedURI = null;
@@ -17,9 +17,9 @@ window.waitForOneSecurityPolicyViolationEvent = expectedBlockedURI => {
       });
     });
   });
-};
+}
 
-window.waitForImgFail = imgSrc => {
+export function waitForImgFail(imgSrc) {
   return new Promise((resolve, reject) => {
     const img = document.createElement("img");
     img.onload = () => reject(new Error("Must not load the image"));
@@ -28,10 +28,9 @@ window.waitForImgFail = imgSrc => {
     img.src = imgSrc;
     document.body.append(img);
   });
-};
+}
 
-
-window.waitForImgSuccess = imgSrc => {
+export function waitForImgSuccess(imgSrc) {
   return new Promise((resolve, reject) => {
     const img = document.createElement("img");
     img.onload = () => resolve();
@@ -40,10 +39,10 @@ window.waitForImgSuccess = imgSrc => {
     img.src = imgSrc;
     document.body.append(img);
   });
-};
+}
 
 // Both params are optional; if they are not given as booleans then we will not test that aspect.
-window.runCSPTest = ({ unsafeEval, img }) => {
+export function runCSPTest({ unsafeEval, img }) {
   if (unsafeEval === true) {
     test(() => {
       eval("window.evalAllowed = true;");
@@ -70,4 +69,4 @@ window.runCSPTest = ({ unsafeEval, img }) => {
       "img loading must be disallowed"
     );
   }
-};
+}
diff --git a/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs b/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs
new file mode 100644
index 000000000000000..9766717e309b5f0
--- /dev/null
+++ b/origin-policy/content-security/resources/trigger-violation-report-report-only.mjs
@@ -0,0 +1,12 @@
+import { waitForOneSecurityPolicyViolationEvent, waitForImgSuccess } from "./helper.mjs";
+
+promise_test(() => {
+  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
+
+  return Promise.all([
+    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
+      assert_equals(blockedURI, imgURL);
+    }),
+    waitForImgSuccess(imgURL)
+  ]);
+});
diff --git a/origin-policy/content-security/resources/trigger-violation-report.mjs b/origin-policy/content-security/resources/trigger-violation-report.mjs
new file mode 100644
index 000000000000000..319c87b0f8a6723
--- /dev/null
+++ b/origin-policy/content-security/resources/trigger-violation-report.mjs
@@ -0,0 +1,12 @@
+import { waitForOneSecurityPolicyViolationEvent, waitForImgFail } from "./helper.mjs";
+
+promise_test(() => {
+  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
+
+  return Promise.all([
+    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
+      assert_equals(blockedURI, imgURL);
+    }),
+    waitForImgFail(imgURL)
+  ]);
+});
diff --git a/origin-policy/content-security/trigger-violation-report-report-only.https.html b/origin-policy/content-security/trigger-violation-report-report-only.https.html
index 3e5038b501dec9e..9eb83792852eb56 100644
--- a/origin-policy/content-security/trigger-violation-report-report-only.https.html
+++ b/origin-policy/content-security/trigger-violation-report-report-only.https.html
@@ -3,21 +3,14 @@
 <title>CSP via origin policy must trigger a securitypolicyviolation event even when the CSP is report-only</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-
-promise_test(() => {
-  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
-
-  return Promise.all([
-    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
-      assert_equals(blockedURI, imgURL);
-    }),
-    waitForImgSuccess(imgURL)
-  ]);
+runTestsInSubframe({
+  hostname: "op7",
+  testJS: "resources/trigger-violation-report-report-only.mjs"
 });
 </script>
diff --git a/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers b/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers
deleted file mode 100644
index cb27e1500e0b4e4..000000000000000
--- a/origin-policy/content-security/trigger-violation-report-report-only.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-noimg-report-only
diff --git a/origin-policy/content-security/trigger-violation-report.https.html b/origin-policy/content-security/trigger-violation-report.https.html
index 22beca5a3dbbc92..f981b2b05cef7e5 100644
--- a/origin-policy/content-security/trigger-violation-report.https.html
+++ b/origin-policy/content-security/trigger-violation-report.https.html
@@ -3,21 +3,14 @@
 <title>CSP via origin policy must trigger a securitypolicyviolation event</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-
-promise_test(() => {
-  const imgURL = (new URL("/common/security-features/subresource/image.py", document.location)).href;
-
-  return Promise.all([
-    waitForOneSecurityPolicyViolationEvent(imgURL).then(blockedURI => {
-      assert_equals(blockedURI, imgURL);
-    }),
-    waitForImgFail(imgURL)
-  ]);
+runTestsInSubframe({
+  hostname: "op8",
+  testJS: "resources/trigger-violation-report.mjs"
 });
 </script>
diff --git a/origin-policy/content-security/trigger-violation-report.https.html.headers b/origin-policy/content-security/trigger-violation-report.https.html.headers
deleted file mode 100644
index 08bcb9fa94171ee..000000000000000
--- a/origin-policy/content-security/trigger-violation-report.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-noimg
diff --git a/origin-policy/content-security/valid-with-multi-item-array.https.html b/origin-policy/content-security/valid-with-multi-item-array.https.html
index bc9ebd0cccfcbd7..36333a1e4b19943 100644
--- a/origin-policy/content-security/valid-with-multi-item-array.https.html
+++ b/origin-policy/content-security/valid-with-multi-item-array.https.html
@@ -3,11 +3,14 @@
 <title>"content_security/policy" can contain multiple array items to enforce multiple CSPs</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: false, img: false });
+runTestsInSubframe({
+  hostname: "op9",
+  testJS: "resources/disallow-unsafe-eval-disallow-images.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/valid-with-multi-item-array.https.html.headers b/origin-policy/content-security/valid-with-multi-item-array.https.html.headers
deleted file mode 100644
index eeddaba7a59b580..000000000000000
--- a/origin-policy/content-security/valid-with-multi-item-array.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-valid-with-semicolon
diff --git a/origin-policy/content-security/valid-with-semicolon.https.html b/origin-policy/content-security/valid-with-semicolon.https.html
index 82158f1cf7044f8..9eadc8f89d31ab8 100644
--- a/origin-policy/content-security/valid-with-semicolon.https.html
+++ b/origin-policy/content-security/valid-with-semicolon.https.html
@@ -3,11 +3,14 @@
 <title>"content_security/policy" array items can contain semicolons to enforce multiple CSP directives</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
 
-<body>
+<div id="log"></div>
 
 <script>
 "use strict";
-runCSPTest({ unsafeEval: false, img: false });
+runTestsInSubframe({
+  hostname: "op10",
+  testJS: "resources/disallow-unsafe-eval-disallow-images.mjs"
+});
 </script>
diff --git a/origin-policy/content-security/valid-with-semicolon.https.html.headers b/origin-policy/content-security/valid-with-semicolon.https.html.headers
deleted file mode 100644
index eeddaba7a59b580..000000000000000
--- a/origin-policy/content-security/valid-with-semicolon.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-valid-with-semicolon
diff --git a/origin-policy/content-security/valid.https.html b/origin-policy/content-security/valid.https.html
deleted file mode 100644
index 36e5ddbf958b317..000000000000000
--- a/origin-policy/content-security/valid.https.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<!DOCTYPE HTML>
-<meta charset="utf-8">
-<title>Valid "content_security" member disallows eval</title>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
-
-<script>
-"use strict";
-runCSPTest({ unsafeEval: false });
-</script>
diff --git a/origin-policy/content-security/valid.https.html.headers b/origin-policy/content-security/valid.https.html.headers
deleted file mode 100644
index 78aeeacd934c90f..000000000000000
--- a/origin-policy/content-security/valid.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-content-security-valid
diff --git a/origin-policy/features/comma-in-policy.https.html b/origin-policy/features/comma-in-policy.https.html
index 1b991f0d8b68af0..a9faba4bfd4dd0c 100644
--- a/origin-policy/features/comma-in-policy.https.html
+++ b/origin-policy/features/comma-in-policy.https.html
@@ -3,9 +3,14 @@
 <title>Commas in "features/policy" cause parse errors and thus no feature policy</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runFPTest({ camera: false, geolocation: false });
+runTestsInSubframe({
+  hostname: "op1",
+  testJS: "resources/no-camera-no-geolocation.mjs"
+});
 </script>
diff --git a/origin-policy/features/comma-in-policy.https.html.headers b/origin-policy/features/comma-in-policy.https.html.headers
deleted file mode 100644
index c0e68720516a666..000000000000000
--- a/origin-policy/features/comma-in-policy.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-features-comma-in-policy
diff --git a/origin-policy/features/double-features.https.html b/origin-policy/features/double-features.https.html
index 8397f849f301480..aa687d681c66d62 100644
--- a/origin-policy/features/double-features.https.html
+++ b/origin-policy/features/double-features.https.html
@@ -3,9 +3,14 @@
 <title>Of two "features" items only the second counts</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runFPTest({ camera: false, geolocation: true });
+runTestsInSubframe({
+  hostname: "op2",
+  testJS: "resources/no-camera-yes-geolocation.mjs"
+});
 </script>
diff --git a/origin-policy/features/double-features.https.html.headers b/origin-policy/features/double-features.https.html.headers
deleted file mode 100644
index f0a57380a8f570d..000000000000000
--- a/origin-policy/features/double-features.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-features-double-features
diff --git a/origin-policy/features/double-policy.https.html b/origin-policy/features/double-policy.https.html
index f1d63d6de966b36..d9e544acaaf6a4e 100644
--- a/origin-policy/features/double-policy.https.html
+++ b/origin-policy/features/double-policy.https.html
@@ -3,9 +3,14 @@
 <title>Of two "features/policy" items only the second counts</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runFPTest({ camera: false, geolocation: true });
+runTestsInSubframe({
+  hostname: "op2",
+  testJS: "resources/no-camera-yes-geolocation.mjs"
+});
 </script>
diff --git a/origin-policy/features/double-policy.https.html.headers b/origin-policy/features/double-policy.https.html.headers
deleted file mode 100644
index c1421693e4dafff..000000000000000
--- a/origin-policy/features/double-policy.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-features-double-policy
diff --git a/origin-policy/features/non-object.https.html b/origin-policy/features/non-object.https.html
index 31f632bf0f1fed5..2bd4b67e600c9bb 100644
--- a/origin-policy/features/non-object.https.html
+++ b/origin-policy/features/non-object.https.html
@@ -3,9 +3,14 @@
 <title>Non-object "features" member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runFPTest({ camera: false, geolocation: false });
+runTestsInSubframe({
+  hostname: "op5",
+  testJS: "resources/no-camera-no-geolocation.mjs"
+});
 </script>
diff --git a/origin-policy/features/non-object.https.html.headers b/origin-policy/features/non-object.https.html.headers
deleted file mode 100644
index e8f68712ed341e9..000000000000000
--- a/origin-policy/features/non-object.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-features-non-object
diff --git a/origin-policy/features/non-string.https.html b/origin-policy/features/non-string.https.html
index 019014c980a4a3a..190d224a4cfe05b 100644
--- a/origin-policy/features/non-string.https.html
+++ b/origin-policy/features/non-string.https.html
@@ -3,9 +3,14 @@
 <title>Non-string "features/policy" member must be ignored</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
 
 <script>
 "use strict";
-runFPTest({ camera: false, geolocation: false });
+runTestsInSubframe({
+  hostname: "op6",
+  testJS: "resources/no-camera-no-geolocation.mjs"
+});
 </script>
diff --git a/origin-policy/features/non-string.https.html.headers b/origin-policy/features/non-string.https.html.headers
deleted file mode 100644
index 4c6c376697b855c..000000000000000
--- a/origin-policy/features/non-string.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-features-non-string
diff --git a/origin-policy/features/helper.js b/origin-policy/features/resources/helper.mjs
similarity index 83%
rename from origin-policy/features/helper.js
rename to origin-policy/features/resources/helper.mjs
index f9c16b58c2cf8bf..7ced355e645c7ba 100644
--- a/origin-policy/features/helper.js
+++ b/origin-policy/features/resources/helper.mjs
@@ -1,8 +1,8 @@
 "use strict";
 
-window.runFPTest = ({ camera, geolocation }) => {
+export function runFPTest({ camera, geolocation }) {
   test(() => {
     assert_equals(document.featurePolicy.allowsFeature('camera', 'https://example.com/'), camera, 'camera');
     assert_equals(document.featurePolicy.allowsFeature('geolocation', 'https://example.com/'), geolocation, 'geolocation');
   });
-};
+}
diff --git a/origin-policy/features/resources/no-camera-no-geolocation.mjs b/origin-policy/features/resources/no-camera-no-geolocation.mjs
new file mode 100644
index 000000000000000..b25d9abcb92ec99
--- /dev/null
+++ b/origin-policy/features/resources/no-camera-no-geolocation.mjs
@@ -0,0 +1,3 @@
+import { runFPTest } from "./helper.mjs";
+
+runFPTest({ camera: false, geolocation: false });
diff --git a/origin-policy/features/resources/no-camera-yes-geolocation.mjs b/origin-policy/features/resources/no-camera-yes-geolocation.mjs
new file mode 100644
index 000000000000000..a961deeb38989b3
--- /dev/null
+++ b/origin-policy/features/resources/no-camera-yes-geolocation.mjs
@@ -0,0 +1,3 @@
+import { runFPTest } from "./helper.mjs";
+
+runFPTest({ camera: false, geolocation: true });
diff --git a/origin-policy/features/resources/yes-camera-yes-geolocation.mjs b/origin-policy/features/resources/yes-camera-yes-geolocation.mjs
new file mode 100644
index 000000000000000..9f3b1d8303fe63a
--- /dev/null
+++ b/origin-policy/features/resources/yes-camera-yes-geolocation.mjs
@@ -0,0 +1,3 @@
+import { runFPTest } from "./helper.mjs";
+
+runFPTest({ camera: true, geolocation: true });
diff --git a/origin-policy/features/valid-with-semicolon.https.html b/origin-policy/features/valid-with-semicolon.https.html
new file mode 100644
index 000000000000000..8d2d0f4495ff7f4
--- /dev/null
+++ b/origin-policy/features/valid-with-semicolon.https.html
@@ -0,0 +1,16 @@
+<!DOCTYPE HTML>
+<meta charset="utf-8">
+<title>Valid "features" member, with a semicolon</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/origin-policy-test-runner.js"></script>
+
+<div id="log"></div>
+
+<script>
+"use strict";
+runTestsInSubframe({
+  hostname: "op10",
+  testJS: "resources/yes-camera-yes-geolocation.mjs"
+});
+</script>
diff --git a/origin-policy/features/valid.https.html b/origin-policy/features/valid.https.html
deleted file mode 100644
index 6ff2076a7f076e7..000000000000000
--- a/origin-policy/features/valid.https.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<!DOCTYPE HTML>
-<meta charset="utf-8">
-<title>Valid "features" member</title>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="helper.js"></script>
-
-<script>
-"use strict";
-runFPTest({ camera: true, geolocation: true });
-</script>
diff --git a/origin-policy/features/valid.https.html.headers b/origin-policy/features/valid.https.html.headers
deleted file mode 100644
index 9d0e25792c46d40..000000000000000
--- a/origin-policy/features/valid.https.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Sec-Origin-Policy: policy=policy-features-valid
diff --git a/origin-policy/origin-policy-report-to.https.tentative.sub.html b/origin-policy/origin-policy-report-to.https.tentative.sub.html
deleted file mode 100644
index dfef7a1d133c267..000000000000000
--- a/origin-policy/origin-policy-report-to.https.tentative.sub.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test that Origin Policy report-to are deliverd to the declared reporting group</title>
-  <script src='/resources/testharness.js'></script>
-  <script src='/resources/testharnessreport.js'></script>
-</head>
-<body>
-  <iframe id="frame" src="about:blank"></iframe>
-  <script>
-    // Navigate the frame to a URL that declares an (invalid) origin policy with
-    // a report-to directive.
-    document.getElementById("frame").src =
-        "https://{{hosts[alt][]}}:{{ports[https][0]}}/origin-policy/sec-origin-policy-subframe.html";
-  </script>
-  <script async defer src='/content-security-policy/support/checkReport.sub.js?reportField=policy&reportValue=nonexistingpolicy'>
-    // This re-uses CSP reporting test infrastructure, and contains the actual
-    // test. In addition to sanity checks, it will check whether the report body
-    // contains a key/value pair as indicated by reportField and reportValue.
-  </script>
-</body>
-</html>
diff --git a/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers b/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers
deleted file mode 100644
index 92a90c347d3a7d0..000000000000000
--- a/origin-policy/origin-policy-report-to.https.tentative.sub.html.sub.headers
+++ /dev/null
@@ -1 +0,0 @@
-Set-Cookie: origin-policy-report-to=5b4d35b6-0771-46fe-8700-ed2bb59ed4be; Path=/origin-policy/
diff --git a/origin-policy/origin-policy.https.tentative.html b/origin-policy/origin-policy.https.tentative.html
deleted file mode 100644
index 34a71fe40a19241..000000000000000
--- a/origin-policy/origin-policy.https.tentative.html
+++ /dev/null
@@ -1,143 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <script src='/resources/testharness.js'></script>
-  <script src='/resources/testharnessreport.js'></script>
-</head>
-<body>
-  <div id=log></div>
-  <iframe id=frame></iframe>
-  <script>
-    // Navigate the frame to a test page with the given policy and wait for
-    // postMessage to arrive. Resolve the result promise with the message.
-    function navigate(policy) {
-      return new Promise(resolve => {
-        window.addEventListener("message", event => { resolve(event.data); },
-                                { once: true });
-        document.getElementById("frame").src =
-            "/origin-policy/sec-origin-policy-header.html.py?policy=" + policy;
-      });
-    }
-
-    // Check whether the message returned from the frame meets our expectations.
-    function expect(expect_script, expect_eval, message) {
-      assert_own_property(message, "inline_allowed");
-      assert_own_property(message, "eval_allowed");
-      assert_equals(message.inline_allowed, expect_script);
-      assert_equals(message.eval_allowed, expect_eval);
-    }
-
-    // Generate a more descriptive error message. Re-throw the error.
-    function descriptive_message(policy, expect_inline, expect_eval,
-                                 index, error) {
-      error.message = `Error occured on entry #${index + 1} ["${policy
-          }", ${expect_inline}, ${expect_eval}]: "${error}".`;
-      throw(error);
-    }
-
-    // Run the navigation + expectation checking for one test case line.
-    function test_case_entry([policy, expect_inline, expect_eval], index) {
-      return navigate(policy)
-          .then(message => expect(expect_inline, expect_eval, message))
-
-          // This catch handler merely logs a more friendly message,
-          // pointing you to the exact line of the failing test.
-          .catch(error => descriptive_message(policy, expect_inline,
-                                              expect_eval, index, error));
-    }
-
-    function origin_policy_csp_test_case(test_case_list) {
-      return t => {
-        // Setup the promise chain for the test.
-        let chain = Promise.resolve();
-        for ([index, val] of test_case_list.entries())
-          chain = chain.then(test_case_entry.bind(this, val, index));
-
-        // Delete the policy as the last element of the chain, on both
-        // resolve + reject paths, so that a left-over policy won't break
-        // subsequent tests.
-        return chain.then(() => navigate("0"),
-                          (error) => { navigate("0"); throw error; });
-      }
-    }
-
-
-    // Sanity check: A request with no policy.
-    promise_test(origin_policy_csp_test_case([
-        ["", true, true],  // No policy.
-    ]), "sanity check");
-
-    // Basic functionality. A policy should have an effect.
-    promise_test(origin_policy_csp_test_case([
-        ["",             true, true],  // No policy.
-        ["policy-csp-1", true, false], // policy-csp-1, which forbids eval.
-        ["0",            true, true],  // Delete the policy again.
-      ]), "The basics: A policy should have an effect..");
-
-    // Basic functionality. Set a policy. Make sure it "sticks".
-    promise_test(origin_policy_csp_test_case([
-        ["",             true, true],  // No policy.
-        ["policy-csp-1", true, false], // policy-csp-1, which forbids eval.
-        ["",             true, false], // No policy. Should remember p...-csp-1.
-        ["0",            true, true],  // Delete the policy again.
-      ]), "The basics: A policy should stick.");
-
-    // Set, update, and delete a policy.
-    promise_test(origin_policy_csp_test_case([
-        ["",             true,  true],
-        ["policy-csp-1", true,  false], // policy-csp-1, which forbids eval.
-        ["policy-csp-2", false, false], // policy-csp-2, forbids script + eval.
-        ["0",            true,  true],  // Delete the policy.
-      ]), "Policy set, update, and delete.");
-
-    // Set, update, and delete a policy. Check on each step whether it 'sticks'.
-    promise_test(origin_policy_csp_test_case([
-        ["",             true,  true],
-        ["policy-csp-1", true,  false], // policy-csp-1, which forbids eval.
-        ["",             true,  false],
-        ["policy-csp-2", false, false], // Forbid script + eval.
-        ["",             false, false],
-        ["0",            true,  true],  // Delete the policy.
-        ["",             true,  true],
-      ]), "Policy set-update-delete cycle with checks.");
-
-    // Set a policy, update, then revert to the old one.
-    promise_test(origin_policy_csp_test_case([
-        ["",             true,  true],
-        ["policy-csp-1", true,  false], // policy-csp-1, which forbids eval.
-        ["policy-csp-2", false, false], // Forbid script + eval.
-        ["policy-csp-1", true,  false], // policy-csp-1 again.
-        ["0",            true,  true],
-      ]), "Policy set-update-delete cycle.");
-
-    // Set, delete, re-set, and re-delete a policy.
-    promise_test(origin_policy_csp_test_case([
-        ["",             true, true],  // No policy.
-        ["policy-csp-1", true, false], // policy-csp-1, which forbids eval.
-        ["",             true, false],
-        ["0",            true, true],  // Delete the policy.
-        ["",             true, true],
-        ["policy-csp-1", true, false], // Set policy after policy was deleted.
-        ["",             true, false],
-        ["0",            true, true],  // Delete the policy again.
-        ["",             true, true],
-      ]), "Policy re-set and re-delete.");
-
-    // We've had some bugs with repeated policies being set, so lets just
-    // run through a set-update-delete cycle but with every request being
-    // made twice.
-    promise_test(origin_policy_csp_test_case([
-        ["",             true,  true],
-        ["",             true,  true],
-        ["policy-csp-1", true,  false],
-        ["policy-csp-1", true,  false],
-        ["policy-csp-2", false, false],
-        ["policy-csp-2", false, false],
-        ["0",            true,  true],
-        ["0",            true,  true],
-        ["",             true,  true],
-        ["",             true,  true],
-      ]), "Double Trouble");
-  </script>
-</body>
-</html>
diff --git a/origin-policy/policies/README.md b/origin-policy/policies/README.md
new file mode 100644
index 000000000000000..b07be74035f2dee
--- /dev/null
+++ b/origin-policy/policies/README.md
@@ -0,0 +1,5 @@
+These policies are served via the Python script at /.well-known/origin-policy. Their filenames must be in the form `subdomain human-facing-string-with-no-spaces.json`. They will be served in response to requests to that subdomain.
+
+The human-facing string has no impact on the tests, and just makes it easier to scroll through the list.
+
+The list of potential hostnames is created by `tools/serve/serve.py`'s `_make_origin_policy_subdomains` function, and can be expanded as necessary.
diff --git a/origin-policy/policies/op1 cspfp-comma-in-policy.json b/origin-policy/policies/op1 cspfp-comma-in-policy.json
new file mode 100644
index 000000000000000..189d28db8ba80d6
--- /dev/null
+++ b/origin-policy/policies/op1 cspfp-comma-in-policy.json	
@@ -0,0 +1,13 @@
+{
+  "ids": [
+    "cspfp-comma-in-policy"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline', img-src 'none'"
+    ]
+  },
+  "features": {
+    "policy": "camera 'self' https://example.com/, geolocation 'self' https://example.com/"
+  }
+}
diff --git a/origin-policy/policies/op10 cspfp-valid.json b/origin-policy/policies/op10 cspfp-valid.json
new file mode 100644
index 000000000000000..0fc1d163f2b6195
--- /dev/null
+++ b/origin-policy/policies/op10 cspfp-valid.json	
@@ -0,0 +1,13 @@
+{
+  "ids": [
+    "cspfp-valid"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'; img-src 'none'"
+    ]
+  },
+  "features": {
+    "policy": "camera 'self' https://example.com/; geolocation 'self' https://example.com/"
+  }
+}
diff --git a/origin-policy/policies/op2 cspfp-double-top-level.json b/origin-policy/policies/op2 cspfp-double-top-level.json
new file mode 100644
index 000000000000000..26d798b585d96fd
--- /dev/null
+++ b/origin-policy/policies/op2 cspfp-double-top-level.json	
@@ -0,0 +1,21 @@
+{
+  "ids": [
+    "cspfp-double-top-level"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'"
+    ]
+  },
+  "content_security": {
+    "policies": [
+      "img-src 'none'"
+    ]
+  },
+  "features": {
+    "policy": "camera 'self' https://example.com/"
+  },
+  "features": {
+    "policy": "geolocation 'self' https://example.com/"
+  }
+}
diff --git a/origin-policy/policies/op3 cspfp-double-second-level.json b/origin-policy/policies/op3 cspfp-double-second-level.json
new file mode 100644
index 000000000000000..6665332807bea37
--- /dev/null
+++ b/origin-policy/policies/op3 cspfp-double-second-level.json	
@@ -0,0 +1,17 @@
+{
+  "ids": [
+    "cspfp-double-second-level"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'"
+    ],
+    "policies": [
+      "img-src 'none'"
+    ]
+  },
+  "features": {
+    "policy": "camera 'self' https://example.com/",
+    "policy": "geolocation 'self' https://example.com/"
+  }
+}
diff --git a/.well-known/origin-policy/policy-content-security-non-array b/origin-policy/policies/op4 csp-non-array.json
similarity index 70%
rename from .well-known/origin-policy/policy-content-security-non-array
rename to origin-policy/policies/op4 csp-non-array.json
index b96546c5f88fe77..5916b1ff9b572dd 100644
--- a/.well-known/origin-policy/policy-content-security-non-array
+++ b/origin-policy/policies/op4 csp-non-array.json	
@@ -1,4 +1,7 @@
 {
+  "ids": [
+    "csp-non-array"
+  ],
   "content_security": {
     "policies": "script-src 'self' 'unsafe-inline'"
   }
diff --git a/origin-policy/policies/op5 cspfp-non-object.json b/origin-policy/policies/op5 cspfp-non-object.json
new file mode 100644
index 000000000000000..7488f9bfef297e0
--- /dev/null
+++ b/origin-policy/policies/op5 cspfp-non-object.json	
@@ -0,0 +1,9 @@
+{
+  "ids": [
+    "cspfp-non-object"
+  ],
+  "content_security": [
+    "script-src 'self' 'unsafe-inline'"
+  ],
+  "features": "camera 'self' https://example.com/"
+}
diff --git a/origin-policy/policies/op6 cspfp-non-string.json b/origin-policy/policies/op6 cspfp-non-string.json
new file mode 100644
index 000000000000000..5c6941bf8fd1892
--- /dev/null
+++ b/origin-policy/policies/op6 cspfp-non-string.json	
@@ -0,0 +1,17 @@
+{
+  "ids": [
+    "csp-non-string"
+  ],
+  "content_security": {
+    "policies": [
+      [
+        "script-src 'self' 'unsafe-inline'"
+      ]
+    ]
+  },
+  "features": {
+    "policy": [
+      "camera 'self' https://example.com/"
+    ]
+  }
+}
diff --git a/origin-policy/policies/op7 csp-noimg-report-only.json b/origin-policy/policies/op7 csp-noimg-report-only.json
new file mode 100644
index 000000000000000..fd5c522042a7e06
--- /dev/null
+++ b/origin-policy/policies/op7 csp-noimg-report-only.json	
@@ -0,0 +1,10 @@
+{
+  "ids": [
+    "csp-noimg-report-only"
+  ],
+  "content_security": {
+    "policies_report_only": [
+      "img-src 'none'"
+    ]
+  }
+}
diff --git a/.well-known/origin-policy/policy-content-security-noimg b/origin-policy/policies/op8 csp-noimg.json
similarity index 67%
rename from .well-known/origin-policy/policy-content-security-noimg
rename to origin-policy/policies/op8 csp-noimg.json
index cd57b7b21e916b4..b88e1f80bf93c9b 100644
--- a/.well-known/origin-policy/policy-content-security-noimg
+++ b/origin-policy/policies/op8 csp-noimg.json	
@@ -1,4 +1,7 @@
 {
+  "ids": [
+    "csp-noimg"
+  ],
   "content_security": {
     "policies": ["img-src 'none'"]
   }
diff --git a/origin-policy/policies/op9 csp-valid-with-multi-item-array.json b/origin-policy/policies/op9 csp-valid-with-multi-item-array.json
new file mode 100644
index 000000000000000..edd743038db8d48
--- /dev/null
+++ b/origin-policy/policies/op9 csp-valid-with-multi-item-array.json	
@@ -0,0 +1,11 @@
+{
+  "ids": [
+    "csp-valid-with-multi-item-array"
+  ],
+  "content_security": {
+    "policies": [
+      "script-src 'self' 'unsafe-inline'",
+      "img-src 'none'"
+    ]
+  }
+}
diff --git a/origin-policy/resources/origin-policy-test-runner.js b/origin-policy/resources/origin-policy-test-runner.js
new file mode 100644
index 000000000000000..a1c6453debd20d7
--- /dev/null
+++ b/origin-policy/resources/origin-policy-test-runner.js
@@ -0,0 +1,28 @@
+window.runTestsInSubframe = ({ hostname, testJS }) => {
+  test(() => {
+    assert_equals(location.protocol, "https:");
+  }, "Prerequisite check: running on HTTPS");
+
+  promise_test(() => new Promise((resolve, reject) => {
+    const url = new URL(window.location.href);
+    url.hostname = `${hostname}.${document.domain}`;
+    url.pathname = "/origin-policy/resources/subframe-with-origin-policy.py";
+
+    // Normalize the URL so that callers can idiomatically give values relative
+    // to themselves.
+    url.searchParams.append("test", new URL(testJS, document.baseURI).pathname);
+
+    const iframe = document.createElement("iframe");
+    iframe.src = url.href;
+
+    // We need to delegate anything we plan to toggle with FP otherwise it will
+    // be locked to disallowed.
+    iframe.allow = "camera *; geolocation *";
+
+    iframe.onload = resolve;
+    iframe.onerror = () => reject(new Error(`Could not load ${url.href}`));
+    document.body.append(iframe);
+
+    fetch_tests_from_window(iframe.contentWindow);
+  }), "Test setup of the iframe");
+};
diff --git a/origin-policy/resources/subframe-with-origin-policy.py b/origin-policy/resources/subframe-with-origin-policy.py
new file mode 100644
index 000000000000000..636a649a0e20beb
--- /dev/null
+++ b/origin-policy/resources/subframe-with-origin-policy.py
@@ -0,0 +1,26 @@
+def main(request, response):
+    """Send a response with the Origin-Policy header asking for the latest
+      policy, that runs the test JS given by the ?test= argument. This is meant
+       to be loaded into an iframe by origin-policy-test-runner.js.
+
+       The ?test= argument is best given as an absolute path (starting with /)
+       since it will otherwise be interpreted relative to where this file is
+       served.
+    """
+    test_file = request.GET.first("test")
+
+    response.headers.set("Origin-Policy", "allowed=(latest)")
+    response.headers.set("Content-Type", "text/html")
+
+    return """
+    <!DOCTYPE html>
+    <meta charset="utf-8">
+    <title>Origin policy subframe</title>
+
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <div id="log"></div>
+
+    <script type="module" src="%s"></script>
+  """ % test_file
diff --git a/origin-policy/sec-origin-policy-header.html.py b/origin-policy/sec-origin-policy-header.html.py
deleted file mode 100644
index 7754e04a313c129..000000000000000
--- a/origin-policy/sec-origin-policy-header.html.py
+++ /dev/null
@@ -1,64 +0,0 @@
-def main(request, response):
-  """Send a response with the origin policy indicated by the ?policy= argument.
-
-     Won't send a policy when the browser doesn't indicate support.
-     The response tests whether inline script and eval are allowed, and will
-     send a corresponding message to the parent frame.
-     For easier debugging, we'll also show the results in-page.
-  """
-  origin_policy_header = "Sec-Origin-Policy"
-  request_policy = request.headers.get(origin_policy_header)
-  response_policy = request.GET.first("policy", default="")
-
-  if request_policy and response_policy:
-    response.headers.set(origin_policy_header, "policy=%s" % response_policy)
-    response.headers.set("Vary", "sec-origin-policy")
-
-  response.headers.set("Content-Type", "text/html");
-  return """
-    <html>
-    <head>
-     <title>Page with an Origin Policy</title>
-    </head>
-    <body>
-    <script nonce=test>
-      let inlineAllowed = false;
-      let evalAllowed = false;
-      try { eval('evalAllowed = true;'); } catch (e) {};
-    </script>
-    <script>
-      inlineAllowed = true;
-    </script>
-
-    <p>Reveal whether CSP with "unsafe-inline" or "unsafe-eval" is present:</p>
-    <ul>
-      <li>inline script allowed: <span id=inline_allowed></span></li>
-      <li>eval allowed: <span id=eval_allowed></span></li>
-    </ul>
-
-    <script nonce=test>
-      const result = {
-        "inline_allowed": inlineAllowed,
-        "eval_allowed": evalAllowed,
-      };
-
-      // Mirror content into the page for easy debugging:
-      const styles = {
-        true: "font-weight: bold; color: green;",
-        false: "font-weight: bold; color: red",
-      }
-      for (const [key, value] of Object.entries(result)) {
-        let element = document.getElementById(key);
-        element.textContent = value.toString();
-        element.style = styles[value];
-      }
-
-      // Send result to parent frame for evaluation.
-      if (window.parent) {
-        window.parent.postMessage(result, "*");
-      }
-    </script>
-    </body>
-    </html>
-  """
-
diff --git a/origin-policy/sec-origin-policy-subframe.html b/origin-policy/sec-origin-policy-subframe.html
deleted file mode 100644
index d716ba11d97ce61..000000000000000
--- a/origin-policy/sec-origin-policy-subframe.html
+++ /dev/null
@@ -1,3 +0,0 @@
-The forbidden frame.
-Content shouldn't matter, because this frame shouldn't be loaded.
-So there.
diff --git a/origin-policy/sec-origin-policy-subframe.html.sub.headers b/origin-policy/sec-origin-policy-subframe.html.sub.headers
deleted file mode 100644
index a046f0096ba1b30..000000000000000
--- a/origin-policy/sec-origin-policy-subframe.html.sub.headers
+++ /dev/null
@@ -1,3 +0,0 @@
-Report-To: { "group": "report-to-group", "max_age": 1000, "endpoints": [{ "url": "https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID=5b4d35b6-0771-46fe-8700-ed2bb59ed4be" }] }
-Sec-Origin-Policy: policy=nonexistingpolicy, report-to=report-to-group
-
diff --git a/tools/serve/serve.py b/tools/serve/serve.py
index 0985810cc58e30c..062a70d5fac97d3 100644
--- a/tools/serve/serve.py
+++ b/tools/serve/serve.py
@@ -366,6 +366,7 @@ def add_mount_point(self, url_base, path):
             ("GET", "*.any.serviceworker.html", ServiceWorkersHandler),
             ("GET", "*.any.worker.js", AnyWorkerHandler),
             ("GET", "*.asis", handlers.AsIsHandler),
+            ("GET", "/.well-known/origin-policy", handlers.PythonScriptHandler),
             ("*", "*.py", handlers.PythonScriptHandler),
             ("GET", "*", handlers.FileHandler)
         ]