| Index: third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-policy-header-on-cross-origin-redirect-response.https.html
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-policy-header-on-cross-origin-redirect-response.https.html b/third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-policy-header-on-cross-origin-redirect-response.https.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..7694619f6b2acbf0a1c636944ffb335451ee8193
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-policy-header-on-cross-origin-redirect-response.https.html
|
| @@ -0,0 +1,49 @@
|
| +<!DOCTYPE html>
|
| +<head>
|
| + <script src="/resources/testharness.js"></script>
|
| + <script src="/resources/testharnessreport.js"></script>
|
| + <script src="/resources/get-host-info.js"></script>
|
| + <meta name="referrer" content="unsafe-url">
|
| +</head>
|
| +<body>
|
| +</body>
|
| +<script>
|
| + if (window.testRunner)
|
| + testRunner.overridePreference("WebKitAllowRunningInsecureContent", true);
|
| +
|
| + // Tests that when a CORS-enabled redirect response includes a
|
| + // Referrer-Policy header, that Referrer Policy is applied to the request
|
| + // when following the redirect.
|
| + async_test(function () {
|
| + var test = this;
|
| +
|
| + // Initially the request will have a referrer policy of unsafe-url (from the document).
|
| + //
|
| + // The first leg of the request is to AUTHENTICATED_ORIGIN and
|
| + // returns a redirect response, to AUTHENTICATED_ORIGIN, with a
|
| + // Referrer-Policy of no-referrer-when-downgrade.
|
| + //
|
| + // The second leg of the request hits AUTHENTICATED_ORIGIN again and
|
| + // this time receives a redirect to UNAUTHENTICATED_ORIGIN (with no
|
| + // Referrer-Policy in the response).
|
| + //
|
| + // When following this final redirect, the Referrer-Policy received
|
| + // in the first redirect should still be on the request, so the
|
| + // referrer should be stripped.
|
| +
|
| + var final_url = encodeURIComponent(get_host_info().UNAUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/referrer-and-host.php");
|
| + var intermediate_url = encodeURIComponent(get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?location=" + final_url);
|
| + var initial_url = get_host_info().AUTHENTICATED_ORIGIN + "/security/referrerPolicyHeader/resources/redirect-to.php?referrerpolicy=no-referrer-when-downgrade&location=" + intermediate_url;
|
| +
|
| + fetch(initial_url).then(test.step_func(function (response) {
|
| + response.json().then(test.step_func(function (result) {
|
| + // Sanity check that the request ended up on the expected URL.
|
| + assert_equals("http://" + result.host, get_host_info().UNAUTHENTICATED_ORIGIN);
|
| + // The referrer should have been stripped because the |initial_url| response contained a Referrer-Policy header of 'no-referrer-when-downgrade'.
|
| + assert_equals("", result.referrer);
|
| + test.done();
|
| + }));
|
| + }));
|
| + });
|
| +</script>
|
| +</html>
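Review bot: The promise chain starting at `fetch(initial_url).then(...)` has no rejection handler, and the inner `response.json().then(...)` is not returned, so a blocked fetch, a network error or a non-JSON body ends in a harness timeout instead of a failure that says why. Returning the inner promise (`return response.json();`) and ending the chain with `.catch(test.unreached_func("fetch or response.json() rejected"))`, or converting the test to `promise_test`, would make that failure explicit. This matters here because the last leg is a request to an `http://` origin from an `.https.html` page, which presumably only goes through while the `WebKitAllowRunningInsecureContent` override is in effect. Separately, `assert_equals("", result.referrer)` passes the expected value first, the reverse of testharness's `assert_equals(actual, expected)`, so a regression that leaks the referrer would be reported with the values swapped; `assert_equals(result.referrer, "", "referrer must be stripped on downgrade")` reads correctly. The header comment also calls this a CORS-enabled redirect while the hop that carries the Referrer-Policy header goes from AUTHENTICATED_ORIGIN to AUTHENTICATED_ORIGIN, so the comment should say which hop is the cross-origin one.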
|
|
|