third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-policy-header-on-cross-origin-redirect-response.https.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="/resources/get-host-info.js"></script>
   <meta name="referrer" content="unsafe-url">
 </head>
 <body>
 </body>
 <script>
   if (window.testRunner)
     testRunner.overridePreference("WebKitAllowRunningInsecureContent", true);

   // Tests that when a CORS-enabled redirect response includes a
   // Referrer-Policy header, that Referrer Policy is applied to the request
   // when following the redirect.
   async_test(function () {
     var test = this;

     // Initially the request will have a referrer policy of unsafe-url (from the document).
     //
     // The first leg of the request is to AUTHENTICATED_ORIGIN and
     // returns a redirect response, to AUTHENTICATED_ORIGIN, with a
     // Referrer-Policy of no-referrer-when-downgrade.
     //
     // The second leg of the request hits AUTHENTICATED_ORIGIN again and
     // this time receives a redirect to UNAUTHENTICATED_ORIGIN (with no
     // Referrer-Policy in the response).
     //
     // When following this final redirect, the Referrer-Policy received
     // in the first redirect should still be on the request, so the
     // referrer should be stripped.

     var final_url = encodeURIComponent(get_host_info().UNAUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/referrer-and-host.php");
     var intermediate_url = encodeURIComponent(get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?location=" + final_url);
     var initial_url = get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?referrerpolicy=no-referrer-when-downgrade&location=" + intermediate_url;

     fetch(initial_url).then(test.step_func(function (response) {
       response.json().then(test.step_func(function (result) {
         // Sanity check that the request ended up on the expected URL.
         assert_equals("http://" + result.host, get_host_info().UNAUTHENTICATED_ORIGIN);
         // The referrer should have been stripped because the |initial_url| response contained a Referrer-Policy header of 'no-referrer-when-downgrade'.
         assert_equals("", result.referrer);
         test.done();
       }));
     }));
   });
 </script>
 </html>
	<!DOCTYPE html>
	<head>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="/resources/get-host-info.js"></script>
	<meta name="referrer" content="unsafe-url">
	</head>
	<body>
	</body>
	<script>
	if (window.testRunner)
	testRunner.overridePreference("WebKitAllowRunningInsecureContent", true);

	// Tests that when a CORS-enabled redirect response includes a
	// Referrer-Policy header, that Referrer Policy is applied to the request
	// when following the redirect.
	async_test(function () {
	var test = this;

	// Initially the request will have a referrer policy of unsafe-url (from the document).
	//
	// The first leg of the request is to AUTHENTICATED_ORIGIN and
	// returns a redirect response, to AUTHENTICATED_ORIGIN, with a
	// Referrer-Policy of no-referrer-when-downgrade.
	//
	// The second leg of the request hits AUTHENTICATED_ORIGIN again and
	// this time receives a redirect to UNAUTHENTICATED_ORIGIN (with no
	// Referrer-Policy in the response).
	//
	// When following this final redirect, the Referrer-Policy received
	// in the first redirect should still be on the request, so the
	// referrer should be stripped.

	var final_url = encodeURIComponent(get_host_info().UNAUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/referrer-and-host.php");
	var intermediate_url = encodeURIComponent(get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?location=" + final_url);
	var initial_url = get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?referrerpolicy=no-referrer-when-downgrade&location=" + intermediate_url;

	fetch(initial_url).then(test.step_func(function (response) {
	response.json().then(test.step_func(function (result) {
	// Sanity check that the request ended up on the expected URL.
	assert_equals("http://" + result.host, get_host_info().UNAUTHENTICATED_ORIGIN);
	// The referrer should have been stripped because the \|initial_url\| response contained a Referrer-Policy header of 'no-referrer-when-downgrade'.
	assert_equals("", result.referrer);
	test.done();
	}));
	}));
	});
	</script>
	</html>