third_party/blink/web_tests/http/tests/security/img-crossorigin-redirect-credentials.html - chromium/src - Git at Google

 <!DOCTYPE HTML>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/resources/get-host-info.js?pipe=sub"></script>
 <script>
 if (window.testRunner)
   testRunner.setBlockThirdPartyCookies(false);

 const host_info = get_host_info();

 document.cookie = "TestCookie=same";

 const ANOTHER_REMOTE_ORIGIN = 'http://127.0.0.1:8080';

 const SET_COOKIE_PATH = '/security/resources/set-cookie.php';

 const set_cookie_promise = Promise.all([
   fetch(
       host_info['HTTP_REMOTE_ORIGIN'] + SET_COOKIE_PATH + '?name=TestCookie&value=cross',
       {mode: 'no-cors', credentials: 'include'}),
   fetch(
       ANOTHER_REMOTE_ORIGIN + SET_COOKIE_PATH + '?name=TestCookie&value=cross',
       {mode: 'no-cors', credentials: 'include'})
 ]);

 let count = 0;

 function load_image(url, crossOriginAttribute, expectLoad, expectCookie) {
   return new Promise((resolve, reject) => {
     set_cookie_promise.then(() => {
       const img = new Image();

       img.onload = () => {
         if (expectLoad) {
           resolve();
         } else {
           reject('Image loaded unexpectedly');
         }
       };

       img.onerror = () => {
         if (expectLoad) {
           reject('Image not loaded unexpectedly');
         } else {
           resolve();
         }
       };

       img.crossOrigin = crossOriginAttribute;

       const destination_params = new URLSearchParams();
       destination_params.append('count', count);
       ++count;
       if (expectCookie) {
         destination_params.append('Cookie', expectCookie);
       }

       const params = new URLSearchParams();
       params.append('mode', 'use-credentials');
       params.append('url', url + '?' + destination_params.toString());

       img.src = host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/cors-redirect.php?' + params.toString();

       document.body.appendChild(img);
     });
   });
 }

 promise_test(() => {
   return load_image(
       host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png',
       'anonymous',
       false,
       undefined);
 }, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes no CORS header. Fails due to CORS check.');

 promise_test(() => {
   return load_image(
       host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png',
       'use-credentials',
       false,
       undefined);
 }, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes no CORS header. Fails due to CORS check.');

 promise_test(() => {
   return load_image(
       host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
       'anonymous',
       true,
       'NotSet');
 }, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

 promise_test(() => {
   return load_image(
       host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
       'use-credentials',
       false,
       undefined);
 }, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

 promise_test(() => {
   return load_image(
       host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
       'use-credentials',
       true,
       'cross');
 }, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials.');

 // Origin is set to null on remote to another remote redirect.

 promise_test(() => {
   return load_image(
       ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
       'anonymous',
       true,
       'NotSet');
 }, 'From a remote origin to another remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

 promise_test(() => {
   return load_image(
       ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
       'use-credentials',
       false,
       undefined);
 }, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

 promise_test(() => {
   return load_image(
       ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-credentials.php',
       'use-credentials',
       false,
       undefined);
 }, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.');

 // Origin is set to null on remote to another redirect even if the destination is the same origin as this document.

 promise_test(() => {
   return load_image(
       host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php',
       'anonymous',
       true,
       'NotSet');
 }, 'From a remote origin to the origin of this document. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

 promise_test(() => {
   return load_image(
       host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php',
       'use-credentials',
       false,
       undefined);
 }, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

 promise_test(() => {
   return load_image(
       host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
       'use-credentials',
       false,
       undefined);
 }, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.');
 </script>
	<!DOCTYPE HTML>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="/resources/get-host-info.js?pipe=sub"></script>
	<script>
	if (window.testRunner)
	testRunner.setBlockThirdPartyCookies(false);

	const host_info = get_host_info();

	document.cookie = "TestCookie=same";

	const ANOTHER_REMOTE_ORIGIN = 'http://127.0.0.1:8080';

	const SET_COOKIE_PATH = '/security/resources/set-cookie.php';

	const set_cookie_promise = Promise.all([
	fetch(
	host_info['HTTP_REMOTE_ORIGIN'] + SET_COOKIE_PATH + '?name=TestCookie&value=cross',
	{mode: 'no-cors', credentials: 'include'}),
	fetch(
	ANOTHER_REMOTE_ORIGIN + SET_COOKIE_PATH + '?name=TestCookie&value=cross',
	{mode: 'no-cors', credentials: 'include'})
	]);

	let count = 0;

	function load_image(url, crossOriginAttribute, expectLoad, expectCookie) {
	return new Promise((resolve, reject) => {
	set_cookie_promise.then(() => {
	const img = new Image();

	img.onload = () => {
	if (expectLoad) {
	resolve();
	} else {
	reject('Image loaded unexpectedly');
	}
	};

	img.onerror = () => {
	if (expectLoad) {
	reject('Image not loaded unexpectedly');
	} else {
	resolve();
	}
	};

	img.crossOrigin = crossOriginAttribute;

	const destination_params = new URLSearchParams();
	destination_params.append('count', count);
	++count;
	if (expectCookie) {
	destination_params.append('Cookie', expectCookie);
	}

	const params = new URLSearchParams();
	params.append('mode', 'use-credentials');
	params.append('url', url + '?' + destination_params.toString());

	img.src = host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/cors-redirect.php?' + params.toString();

	document.body.appendChild(img);
	});
	});
	}

	promise_test(() => {
	return load_image(
	host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png',
	'anonymous',
	false,
	undefined);
	}, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes no CORS header. Fails due to CORS check.');

	promise_test(() => {
	return load_image(
	host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png',
	'use-credentials',
	false,
	undefined);
	}, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes no CORS header. Fails due to CORS check.');

	promise_test(() => {
	return load_image(
	host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
	'anonymous',
	true,
	'NotSet');
	}, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

	promise_test(() => {
	return load_image(
	host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
	'use-credentials',
	false,
	undefined);
	}, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

	promise_test(() => {
	return load_image(
	host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
	'use-credentials',
	true,
	'cross');
	}, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials.');

	// Origin is set to null on remote to another remote redirect.

	promise_test(() => {
	return load_image(
	ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
	'anonymous',
	true,
	'NotSet');
	}, 'From a remote origin to another remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

	promise_test(() => {
	return load_image(
	ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
	'use-credentials',
	false,
	undefined);
	}, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

	promise_test(() => {
	return load_image(
	ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-credentials.php',
	'use-credentials',
	false,
	undefined);
	}, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.');

	// Origin is set to null on remote to another redirect even if the destination is the same origin as this document.

	promise_test(() => {
	return load_image(
	host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php',
	'anonymous',
	true,
	'NotSet');
	}, 'From a remote origin to the origin of this document. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

	promise_test(() => {
	return load_image(
	host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php',
	'use-credentials',
	false,
	undefined);
	}, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

	promise_test(() => {
	return load_image(
	host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
	'use-credentials',
	false,
	undefined);
	}, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.');
	</script>