Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/referrerPolicyHeader/referrer-policy-header-on-cross-origin-redirect-response.https.html 

<!DOCTYPE html>
<head>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="/resources/get-host-info.js"></script>
  <meta name="referrer" content="unsafe-url">
</head>
<body>
</body>
<script>
  if (window.testRunner)
    testRunner.overridePreference("WebKitAllowRunningInsecureContent", true);

  // Tests that when a CORS-enabled redirect response includes a
  // Referrer-Policy header, that Referrer Policy is applied to the request
  // when following the redirect.
  async_test(function () {
    var test = this;

    // Initially the request will have a referrer policy of unsafe-url (from the document).
    //
    // The first leg of the request is to AUTHENTICATED_ORIGIN and
    // returns a redirect response, to AUTHENTICATED_ORIGIN, with a
    // Referrer-Policy of no-referrer-when-downgrade.
    //
    // The second leg of the request hits AUTHENTICATED_ORIGIN again and
    // this time receives a redirect to UNAUTHENTICATED_ORIGIN (with no
    // Referrer-Policy in the response).
    //
    // When following this final redirect, the Referrer-Policy received
    // in the first redirect should still be on the request, so the
    // referrer should be stripped.

    var final_url = encodeURIComponent(get_host_info().UNAUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/referrer-and-host.php");
    var intermediate_url = encodeURIComponent(get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?location=" + final_url);
    var initial_url = get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?referrerpolicy=no-referrer-when-downgrade&location=" + intermediate_url;

    fetch(initial_url).then(test.step_func(function (response) {
      response.json().then(test.step_func(function (result) {
        // Sanity check that the request ended up on the expected URL.
        assert_equals("http://" + result.host, get_host_info().UNAUTHENTICATED_ORIGIN);
        // The referrer should have been stripped because the |initial_url| response contained a Referrer-Policy header of 'no-referrer-when-downgrade'.
        assert_equals("", result.referrer);
        test.done();
      }));
    }));
  });
</script>
</html>