- `security/` contains tests intended to ensure that input is not detectable cross-origin.
- `tentative/` contains tests to detect common cases where it may be beneficial to pending input.
  - All positive tests are marked as tentative, as the spec permits UAs to omit reporting pending input.