manual hg pull, merge testJam
authorGopal Raghavan <gopal.raghavan@nokia.com>
Thu, 03 May 2012 14:45:54 -0700
branchtestJam
changeset 41 4c52b9a6b4c5
parent 40 aa576c61296a (current diff)
parent 39 9fae55c4fcd9 (diff)
child 43 9a01b8703f04
child 44 bb7c550da66e
manual hg pull, merge
--- a/tests/cors/submitted/bhill2/redir-test.html	Thu May 03 14:42:56 2012 -0700
+++ b/tests/cors/submitted/bhill2/redir-test.html	Thu May 03 14:45:54 2012 -0700
@@ -11,7 +11,7 @@
 		<script>
 			function dirname(path) { return path.replace(/\/[^\/]*$/,'/') }
 
-			var crossdomain = dirname(location.href).replace('://www.','://www3.');
+			var crossdomain = dirname(location.href).replace('://www.','://www2.');
 
 			var t = async_test("Test async CORS request modifies Origin on cross-domain redirection to prevent reflection/redirection attacks.");
 		</script>
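Review bot: The `crossdomain` URL is only cross-origin when the page itself is served from a `www.` host, because `.replace('://www.','://www2.')` returns the input unchanged if that substring is absent. In that case the redirect test would run same-origin and could pass without exercising the Origin rewrite at all. A guard in the first step of the test, for example `assert_not_equals(crossdomain, dirname(location.href), "must be served from a www. host");`, would turn that silent case into a visible failure. The rest of the test body lies outside this hunk, so where exactly the guard belongs needs checking against the full file.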
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/webkit/resources/access-control-basic-allow-star.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,7 @@
+<?php
+
+header("Content-Type: text/plain");
+header("Access-Control-Allow-Origin: *");
+
+echo "PASS: Cross-domain access allowed.";
+?>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/webkit/resources/access-control-basic-whitelist-response-headers.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,18 @@
+<?php
+
+#in whitelist
+header("content-type: text/plain");
+header("cache-control: no cache");
+header("content-language: en");
+header("expires: Fri, 30 Oct 1998 14:19:41 GMT");
+header("last-modified: Tue, 15 Nov 1994 12:45:26 GMT");
+header("pragma: no-cache");
+
+#not in whitelist
+header("x-webkit: foobar");
+
+header("Access-Control-Allow-Origin: *");
+
+echo "PASS: Cross-domain access allowed.";
+?>
+
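Review bot: The file ends with `?>` followed by an extra blank line, and PHP swallows only the single newline directly after the closing tag, so a stray newline is appended to the response body after the PASS text. A test that compares `responseText` exactly would then see a mismatch; dropping the closing `?>` from PHP-only files avoids this. The same trailing blank line appears in access-control-sandboxed-iframe-allow.php and assertTrue.php. Separately, `cache-control: no cache` is not a recognised directive (the token is `no-cache`), so if the odd value is deliberate a comment such as `# value is arbitrary; only header exposure is tested` would help.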
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/webkit/resources/access-control-sandboxed-iframe-allow.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,9 @@
+<?php
+
+header("Content-Type: text/plain");
+header("Access-Control-Allow-Credentials: true");
+header("Access-Control-Allow-Origin: *");
+
+echo "PASS: Sandboxed iframe XHR access allowed.";
+?>
+
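Review bot: `Access-Control-Allow-Credentials: true` is sent together with `Access-Control-Allow-Origin: *`, a combination the CORS rules reject for credentialed requests, so this resource can only produce a PASS when the XHR is made without credentials. If that is the intent (presumably because a sandboxed frame has an opaque origin that cannot be echoed back reliably), a comment above the headers would make it explicit, e.g. `# wildcard origin: valid only for non-credentialed requests from the sandboxed frame`. If the test is meant to cover credentialed access, the wildcard has to be replaced by a specific origin value.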
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/webkit/resources/access-control-sandboxed-iframe-denied.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,7 @@
+<?php
+
+header("Content-Type: text/plain");
+
+echo "FAIL: Sandboxed iframe XHR access allowed.";
+
+?>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/redir-test.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,6 @@
+<?php
+
+TODO: get url, change host to www2, keep path and use "getOrigin.php"
+
+header("Location: ");
+?>
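Review bot: The `TODO:` line sits inside the `<?php` block without a comment marker, so the file will not parse, and `header("Location: ")` would send an empty redirect target even if it did. Until the redirect is implemented the line should read `// TODO: get url, change host to www2, keep path and use "getOrigin.php"`. When it is implemented, building the target from a fixed, configured host name rather than from the request's `Host` header or query string keeps this endpoint from acting as an open redirect on the test server.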
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_001.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,24 @@
+<?php
+header("Content-Security-Policy: default-src *");
+header("X-Content-Security-Policy: default-src *");
+header("X-WebKit-CSP: default-src *");
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>CSP Test: default-src: *</title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta descriptionn="Content-Security-Policy Test: default-src: *" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+		<script src="CSP_passTest001.php"></script>
+	</head>
+	<body>
+		<div id=log></div>
+	</body>
+
+	<script>
+		test(function() {assert_true(false)}, "assert_true with false from unsafe inline script");
+	</script>
+</html>
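Review bot: The harness scripts are loaded from absolute `http://www.w3c-test.org/resources/...` URLs here, while CSP_002.php and CSP_003.php in this same commit use host-relative `/resources/testharness.js`. The absolute form pins the test to one host and to plain HTTP, so it would break on a mirror and would likely be blocked as mixed content if the suite is served over HTTPS. Suggest `<script src="/resources/testharness.js"></script>` and the matching `testharnessreport.js` line. The `<meta descriptionn=...>` attribute name is also misspelled compared with the other two files.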
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_002.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,24 @@
+<?php
+header("Content-Security-Policy: default-src 'self'");
+header("X-Content-Security-Policy: default-src 'self'");
+header("X-WebKit-CSP: default-src 'self'");
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>CSP Test: default-src: 'self'</title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="Content-Security-Policy Test: default-src: 'self'" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+		<script src="CSP_passTest001.php"></script>
+	</head>
+	<body>
+		<div id=log></div>
+	</body>
+
+	<script>
+		test(function() {assert_true(false)}, "assert_true with false from unsafe inline script");
+	</script>
+</html>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_003.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,35 @@
+<?php
+header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'");
+header("X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'");
+header("X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'");
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>CSP Test: default-src: 'self'; script-src 'self' 'unsafe-inline'</title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="Content-Security-Policy Test: default-src: 'self'; script-src 'self' 'unsafe-inline'" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<div id=log></div>
+	</body>
+	<!--
+		This test demonstrates how to test something that shouldn't happen, or 
+		fail when something that should happend doesn't.  Use script with
+		conditional execution based on the policy being tested to set a variable,
+		then use script we know will execute by policy to check if it is set.
+		
+		Some limitations on this approach, obviously, if policy enforcement is
+		very broken - when we can't count on any script to execute - but this
+		is a start, at least.
+	-->	
+
+	<script>
+		var unsafeScript = true;
+	</script>
+
+	<script src="assertTrue.php?varName=unsafeScript"></script>
+</html>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_passTest001.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+	test(function() {assert_true(true)}, "assert_true with true");
+})();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/assertTrue.php	Thu May 03 14:45:54 2012 -0700
@@ -0,0 +1,15 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+
+print("(function () { test(function() {assert_true(" . $_GET["varName"] . ")}, \"assert_true with varName\"); })();");
+
+?>
+
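Review bot: `$_GET["varName"]` is concatenated straight into the generated JavaScript in the `print(...)` line, so any query string value becomes script source served from this origin. Because the response is a same-origin `text/javascript` resource, it also satisfies a `script-src 'self'` policy, which undermines the very CSP behaviour these tests are checking. The parameter should be restricted to a plain identifier before it is emitted, and a missing parameter should be rejected rather than left to raise an undefined-index notice into the script body. A sketch of the validated version follows.

```php
// … unchanged: cache-prevention and Content-Type headers …

$varName = isset($_GET["varName"]) ? $_GET["varName"] : "";
if (!is_string($varName) || !preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*\z/', $varName)) {
    // Reject anything that is not a bare JavaScript identifier.
    header("HTTP/1.1 400 Bad Request");
    exit;
}

print("(function () { test(function() {assert_true(" . $varName . ")}, \"assert_true with varName\"); })();");
```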