| <!DOCTYPE HTML> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/resources/get-host-info.js?pipe=sub"></script> |
| <script> |
| if (window.testRunner) |
| testRunner.setBlockThirdPartyCookies(false); |
| |
| const host_info = get_host_info(); |
| |
| document.cookie = "TestCookie=same"; |
| |
| const ANOTHER_REMOTE_ORIGIN = 'http://127.0.0.1:8080'; |
| |
| const SET_COOKIE_PATH = '/security/resources/set-cookie.php'; |
| |
| const set_cookie_promise = Promise.all([ |
| fetch( |
| host_info['HTTP_REMOTE_ORIGIN'] + SET_COOKIE_PATH + '?name=TestCookie&value=cross', |
| {mode: 'no-cors', credentials: 'include'}), |
| fetch( |
| ANOTHER_REMOTE_ORIGIN + SET_COOKIE_PATH + '?name=TestCookie&value=cross', |
| {mode: 'no-cors', credentials: 'include'}) |
| ]); |
| |
| let count = 0; |
| |
| function load_image(url, crossOriginAttribute, expectLoad, expectCookie) { |
| return new Promise((resolve, reject) => { |
| set_cookie_promise.then(() => { |
| const img = new Image(); |
| |
| img.onload = () => { |
| if (expectLoad) { |
| resolve(); |
| } else { |
| reject('Image loaded unexpectedly'); |
| } |
| }; |
| |
| img.onerror = () => { |
| if (expectLoad) { |
| reject('Image not loaded unexpectedly'); |
| } else { |
| resolve(); |
| } |
| }; |
| |
| img.crossOrigin = crossOriginAttribute; |
| |
| const destination_params = new URLSearchParams(); |
| destination_params.append('count', count); |
| ++count; |
| if (expectCookie) { |
| destination_params.append('Cookie', expectCookie); |
| } |
| |
| const params = new URLSearchParams(); |
| params.append('mode', 'use-credentials'); |
| params.append('url', url + '?' + destination_params.toString()); |
| |
| img.src = host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/cors-redirect.php?' + params.toString(); |
| |
| document.body.appendChild(img); |
| }); |
| }); |
| } |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png', |
| 'anonymous', |
| false, |
| undefined); |
| }, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes no CORS header. Fails due to CORS check.'); |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png', |
| 'use-credentials', |
| false, |
| undefined); |
| }, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes no CORS header. Fails due to CORS check.'); |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php', |
| 'anonymous', |
| true, |
| 'NotSet'); |
| }, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.'); |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php', |
| 'use-credentials', |
| false, |
| undefined); |
| }, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.'); |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-credentials.php', |
| 'use-credentials', |
| true, |
| 'cross'); |
| }, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials.'); |
| |
| // Origin is set to null on remote to another remote redirect. |
| |
| promise_test(() => { |
| return load_image( |
| ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php', |
| 'anonymous', |
| true, |
| 'NotSet'); |
| }, 'From a remote origin to another remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.'); |
| |
| promise_test(() => { |
| return load_image( |
| ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php', |
| 'use-credentials', |
| false, |
| undefined); |
| }, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.'); |
| |
| promise_test(() => { |
| return load_image( |
| ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-credentials.php', |
| 'use-credentials', |
| false, |
| undefined); |
| }, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.'); |
| |
| // Origin is set to null on remote to another redirect even if the destination is the same origin as this document. |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php', |
| 'anonymous', |
| true, |
| 'NotSet'); |
| }, 'From a remote origin to the origin of this document. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.'); |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php', |
| 'use-credentials', |
| false, |
| undefined); |
| }, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.'); |
| |
| promise_test(() => { |
| return load_image( |
| host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-credentials.php', |
| 'use-credentials', |
| false, |
| undefined); |
| }, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.'); |
| </script> |