| <!DOCTYPE html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/resources/get-host-info.js"></script> |
| <meta name="referrer" content="unsafe-url"> |
| </head> |
| <body> |
| </body> |
| <script> |
| if (window.testRunner) |
| testRunner.overridePreference("WebKitAllowRunningInsecureContent", true); |
| |
| // Tests that when a CORS-enabled redirect response includes a |
| // Referrer-Policy header, that Referrer Policy is applied to the request |
| // when following the redirect. |
| async_test(function () { |
| var test = this; |
| |
| // Initially the request will have a referrer policy of unsafe-url (from the document). |
| // |
| // The first leg of the request is to AUTHENTICATED_ORIGIN and |
| // returns a redirect response, to AUTHENTICATED_ORIGIN, with a |
| // Referrer-Policy of no-referrer-when-downgrade. |
| // |
| // The second leg of the request hits AUTHENTICATED_ORIGIN again and |
| // this time receives a redirect to UNAUTHENTICATED_ORIGIN (with no |
| // Referrer-Policy in the response). |
| // |
| // When following this final redirect, the Referrer-Policy received |
| // in the first redirect should still be on the request, so the |
| // referrer should be stripped. |
| |
| var final_url = encodeURIComponent(get_host_info().UNAUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/referrer-and-host.php"); |
| var intermediate_url = encodeURIComponent(get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?location=" + final_url); |
| var initial_url = get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?referrerpolicy=no-referrer-when-downgrade&location=" + intermediate_url; |
| |
| fetch(initial_url).then(test.step_func(function (response) { |
| response.json().then(test.step_func(function (result) { |
| // Sanity check that the request ended up on the expected URL. |
| assert_equals("http://" + result.host, get_host_info().UNAUTHENTICATED_ORIGIN); |
| // The referrer should have been stripped because the |initial_url| response contained a Referrer-Policy header of 'no-referrer-when-downgrade'. |
| assert_equals("", result.referrer); |
| test.done(); |
| })); |
| })); |
| }); |
| </script> |
| </html> |