third_party/blink/web_tests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html - chromium/src - Git at Google

 <body>
 <p>This test passes if the inserted script fails to load due to CORS.</p>
 <pre></pre>
 <script>
 var result = 'PASS';
 </script>
 <!-- Non-CORS enabled script load, supplying credentials.
      Will execute as per-normal. -->
 <script src="http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL"></script>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.waitUntilDone();
 }

 // Reset the 'result' set by above external script.
 result = 'PASS';

 function finish() {
     document.querySelector("pre").innerHTML = result;
     if (window.testRunner)
         testRunner.notifyDone();
 }

 // Create new script of same cross-origin script as above,
 // but this time loaded following CORS.
 //
 // The response is missing a Access-Control-Access-Origin: header,
 // hence the CORS check must fail & error reported.
 var script = document.createElement("script");
 script.crossOrigin = "use-credentials";
 script.src = "http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL";

 script.onload = function() {
     result += " (loaded)";
     finish();
 }

 script.onerror = function() {
     result = "PASS (expected error reported)";
     finish();
 }
 document.body.appendChild(script);
 </script>
	<body>
	<p>This test passes if the inserted script fails to load due to CORS.</p>
	<pre></pre>
	<script>
	var result = 'PASS';
	</script>
	<!-- Non-CORS enabled script load, supplying credentials.
	Will execute as per-normal. -->
	<script src="http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL"></script>
	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.waitUntilDone();
	}

	// Reset the 'result' set by above external script.
	result = 'PASS';

	function finish() {
	document.querySelector("pre").innerHTML = result;
	if (window.testRunner)
	testRunner.notifyDone();
	}

	// Create new script of same cross-origin script as above,
	// but this time loaded following CORS.
	//
	// The response is missing a Access-Control-Access-Origin: header,
	// hence the CORS check must fail & error reported.
	var script = document.createElement("script");
	script.crossOrigin = "use-credentials";
	script.src = "http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL";

	script.onload = function() {
	result += " (loaded)";
	finish();
	}

	script.onerror = function() {
	result = "PASS (expected error reported)";
	finish();
	}
	document.body.appendChild(script);
	</script>