chromium/third_party/blink/web_tests/http/tests/security/img-crossorigin-redirect-credentials.https.html

<!DOCTYPE HTML>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/get-host-info.js?pipe=sub"></script>
<script>
if (window.testRunner)
  testRunner.setBlockThirdPartyCookies(false);

// Origins of this document and of the cross-origin test server.
const host_info = get_host_info();

// First-party cookie for this document's origin.
document.cookie = "TestCookie=same";

// A second cross-origin server, distinct from host_info['HTTPS_REMOTE_ORIGIN'].
const ANOTHER_REMOTE_ORIGIN = 'http://127.0.0.1:8080';

const SET_COOKIE_PATH = '/security/resources/set-cookie.php';

// Plant TestCookie=cross on both remote origins before any image is requested.
// no-cors + credentials:'include' lets the (opaque) responses' Set-Cookie take
// effect; the SameSiteNone flag is passed so the cookie is eligible on the
// cross-site requests issued later in this test (see set-cookie.php).
const set_cookie_promise = Promise.all(
    [host_info['HTTPS_REMOTE_ORIGIN'], ANOTHER_REMOTE_ORIGIN].map((origin) =>
        fetch(
            `${origin}${SET_COOKIE_PATH}?name=TestCookie&value=cross&SameSiteNone`,
            {mode: 'no-cors', credentials: 'include'})));

// Appended to every destination URL so no two image requests are identical
// (presumably to keep them out of the cache).
let count = 0;

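/**
 * Requests an image via the remote origin's CORS redirector and settles
 * according to the expected outcome.
 *
 * The request goes to host_info['HTTPS_REMOTE_ORIGIN'] +
 * '/security/resources/cors-redirect.php' with `mode=use-credentials` and
 * `url=<destination>` (both interpreted by cors-redirect.php), which redirects
 * to `url`. What is under test is whether credentials and the CORS checks
 * behave correctly across that redirect.
 *
 * @param {string} url Final destination. A unique `count` parameter and, when
 *     given, `Cookie=<expectCookie>` are appended to its query string.
 * @param {string} crossOriginAttribute Value assigned to img.crossOrigin
 *     ('anonymous' or 'use-credentials').
 * @param {boolean} expectLoad Whether the image is expected to load.
 * @param {string|undefined} expectCookie Cookie value the destination script
 *     is told to expect (passed as the `Cookie` parameter; 'NotSet' in the
 *     cases where no cookie should reach it). Omitted when falsy.
 * @returns {Promise<void>} Resolves when the load outcome matches expectLoad;
 *     rejects with an Error when it does not, or when the cookie setup in
 *     set_cookie_promise failed.
 */
async function load_image(url, crossOriginAttribute, expectLoad, expectCookie) {
  // The cross-origin cookies must be in place before the image request goes
  // out. Awaiting (rather than .then() without a rejection handler) means a
  // failed setup fails the test instead of leaving it pending until timeout.
  await set_cookie_promise;

  const destination_params = new URLSearchParams();
  // Unique per request so successive loads of the same resource are distinct.
  destination_params.append('count', count);
  ++count;
  if (expectCookie) {
    destination_params.append('Cookie', expectCookie);
  }

  const params = new URLSearchParams();
  params.append('mode', 'use-credentials');
  params.append('url', url + (url.includes('?') ? '&' : '?') + destination_params.toString());

  const src = host_info['HTTPS_REMOTE_ORIGIN'] +
      '/security/resources/cors-redirect.php?' + params.toString();

  return new Promise((resolve, reject) => {
    const img = new Image();

    img.onload = () => {
      if (expectLoad) {
        resolve();
      } else {
        reject(new Error('Image loaded unexpectedly'));
      }
    };

    img.onerror = () => {
      if (expectLoad) {
        reject(new Error('Image not loaded unexpectedly'));
      } else {
        resolve();
      }
    };

    // crossOrigin has to be set before src: assigning src starts the fetch,
    // and the CORS mode is fixed at that point.
    img.crossOrigin = crossOriginAttribute;
    img.src = src;

    document.body.appendChild(img);
  });
}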

// Test matrix, registered in this order (load_image's per-request counter
// depends on it). Each row: [destination url, img.crossOrigin value,
// expected to load, cookie value the destination should see, test title].
const image_cases = [
  // Redirect from the remote origin back to the same remote origin.
  [host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe.png',
   'anonymous', false, undefined,
   'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes no CORS header. Fails due to CORS check.'],
  [host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe.png',
   'use-credentials', false, undefined,
   'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes no CORS header. Fails due to CORS check.'],
  [host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
   'anonymous', true, 'NotSet',
   'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.'],
  [host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
   'use-credentials', false, undefined,
   'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.'],
  [host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe-allow-credentials.php?Secure',
   'use-credentials', true, 'cross',
   'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials.'],

  // Origin is set to null on a remote to another-remote redirect, so only the
  // wildcard responses can pass the CORS check and no credentials are sent.
  [ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
   'anonymous', true, 'NotSet',
   'From a remote origin to another remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.'],
  [ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
   'use-credentials', false, undefined,
   'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.'],
  [ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-credentials.php',
   'use-credentials', false, undefined,
   'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.'],

  // Origin is set to null on a remote to another-origin redirect even when the
  // destination is the same origin as this document.
  [host_info['HTTPS_ORIGIN'] + '/security/resources/abe-allow-star.php',
   'anonymous', true, 'NotSet',
   'From a remote origin to the origin of this document. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.'],
  [host_info['HTTPS_ORIGIN'] + '/security/resources/abe-allow-star.php',
   'use-credentials', false, undefined,
   'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.'],
  [host_info['HTTPS_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
   'use-credentials', false, undefined,
   'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.'],
];

for (const [url, crossOrigin, expectLoad, expectCookie, title] of image_cases) {
  promise_test(() => load_image(url, crossOrigin, expectLoad, expectCookie), title);
}
</script>