Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/img-redirect-to-crossorigin-credentials.https.html 

<!DOCTYPE HTML>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/get-host-info.js?pipe=sub"></script>
<script>
if (window.testRunner)
  testRunner.setBlockThirdPartyCookies(false);

const host_info = get_host_info();

document.cookie = 'TestCookie=same';

const set_cookie_promise = fetch(
    host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/set-cookie.php?name=TestCookie&value=cross&SameSiteNone',
    {mode: 'no-cors', credentials: 'include'});

let count = 0;

function load_image(url, crossOriginAttribute, expectLoad, expectCookie) {
  return new Promise((resolve, reject) => {
    set_cookie_promise.then(() => {
      const img = new Image();

      img.onload = () => {
        if (expectLoad) {
          resolve();
        } else {
          reject('Image loaded unexpectedly');
        }
      };

      img.onerror = () => {
        if (expectLoad) {
          reject('Image not loaded unexpectedly');
        } else {
          resolve();
        }
      };

      img.crossOrigin = crossOriginAttribute;

      const destination_params = new URLSearchParams();
      destination_params.append('count', count);
      ++count;
      if (expectCookie) {
        destination_params.append('Cookie', expectCookie);
      }

      const params = new URLSearchParams();
      params.append('url', url + (url.indexOf('?') == -1 ? '?' : '&') + destination_params.toString());

      img.src = '/resources/redirect.php?' + params.toString();

      document.body.appendChild(img);
    });
  });
}

promise_test(() => {
  return load_image(
      host_info['HTTPS_ORIGIN'] + '/security/resources/abe-cookie-check.php',
      'anonymous',
      true,
      'same');
}, 'Same origin destination. crossOrigin set to anonymous');

promise_test(() => {
  return load_image(
      host_info['HTTPS_ORIGIN'] + '/security/resources/abe-cookie-check.php',
      'use-credentials',
      true,
      'same');
}, 'Same origin destination. crossOrigin set to use-credentials');

promise_test(() => {
  return load_image(
      host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
      'anonymous',
      true,
      'NotSet');
}, 'Cross origin destination. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');

promise_test(() => {
  return load_image(
      host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
      'use-credentials',
      false,
      undefined);
}, 'Cross origin destination. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');

promise_test(() => {
  return load_image(
      host_info['HTTPS_REMOTE_ORIGIN'] + '/security/resources/abe-allow-credentials.php?Secure',
      'use-credentials',
      true,
      'cross');
}, 'Cross origin destination. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials.');
</script>