From d01bdea19df21e0c09942685e0046082fabff5bf Mon Sep 17 00:00:00 2001
From: Marco Castelluccio <mcastelluccio@mozilla.com>
Date: Thu, 3 Oct 2019 04:33:14 +0000
Subject: [PATCH] Bug 1464525 [wpt PR 11171] - Cross-Origin-Resource-Policy
 tests, a=testonly

Automatic update from web-platform-testsFetch: Cross-Origin-Resource-Policy tests

For https://github.com/whatwg/fetch/pull/733.

WebKit export of https://bugs.webkit.org/show_bug.cgi?id=185840.

--

wpt-commits: 53f7340307c1c0fa4ab96e79d88c69a7870030f4
wpt-pr: 11171

UltraBlame original commit: 2d3d375085ab145c32c6a3de5589739a3a5ceaf0
---
 testing/web-platform/meta/MANIFEST.json       | 115 +++++++++++++++++-
 .../tests/common/get-host-info.sub.js         |   2 +
 .../fetch-in-iframe.html                      |  67 ++++++++++
 .../cross-origin-resource-policy/fetch.html   |  83 +++++++++++++
 .../iframe-loads.html                         |  46 +++++++
 .../image-loads.html                          |  53 ++++++++
 .../resources/green.png                       | Bin 0 -> 87 bytes
 .../resources/hello.py                        |   6 +
 .../resources/iframe.py                       |   5 +
 .../resources/iframeFetch.html                |  19 +++
 .../resources/image.py                        |  21 ++++
 .../resources/redirect.py                     |   6 +
 .../resources/script.py                       |   6 +
 .../script-loads.html                         |  51 ++++++++
 14 files changed, 479 insertions(+), 1 deletion(-)
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch-in-iframe.html
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch.html
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/iframe-loads.html
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/image-loads.html
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/green.png
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/hello.py
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframe.py
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframeFetch.html
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/image.py
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/redirect.py
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/script.py
 create mode 100644 testing/web-platform/tests/fetch/cross-origin-resource-policy/script-loads.html

diff --git a/testing/web-platform/meta/MANIFEST.json b/testing/web-platform/meta/MANIFEST.json
index f580b5892778d..b87755c1964c0 100644
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -274865,6 +274865,41 @@
      {}
     ]
    ],
+   "fetch/cross-origin-resource-policy/resources/green.png": [
+    [
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/resources/hello.py": [
+    [
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/resources/iframe.py": [
+    [
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/resources/iframeFetch.html": [
+    [
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/resources/image.py": [
+    [
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/resources/redirect.py": [
+    [
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/resources/script.py": [
+    [
+     {}
+    ]
+   ],
    "fetch/data-urls/README.md": [
     [
      {}
@@ -338884,6 +338919,36 @@
      {}
     ]
    ],
+   "fetch/cross-origin-resource-policy/fetch-in-iframe.html": [
+    [
+     "/fetch/cross-origin-resource-policy/fetch-in-iframe.html",
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/fetch.html": [
+    [
+     "/fetch/cross-origin-resource-policy/fetch.html",
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/iframe-loads.html": [
+    [
+     "/fetch/cross-origin-resource-policy/iframe-loads.html",
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/image-loads.html": [
+    [
+     "/fetch/cross-origin-resource-policy/image-loads.html",
+     {}
+    ]
+   ],
+   "fetch/cross-origin-resource-policy/script-loads.html": [
+    [
+     "/fetch/cross-origin-resource-policy/script-loads.html",
+     {}
+    ]
+   ],
    "fetch/data-urls/base64.any.js": [
     [
      "/fetch/data-urls/base64.any.html",
@@ -418318,7 +418383,7 @@
    "support"
   ],
   "common/get-host-info.sub.js": [
-   "4175d0fff3555e25a646b0673a082fefdc113fe0",
+   "1eae4a7e29b73d60b9832ef5d8c808f6fd10db5c",
    "support"
   ],
   "common/get-host-info.sub.js.headers": [
@@ -569125,6 +569190,54 @@
    "465d933f4e52ef4e5a4bd0de40873410195843cd",
    "testharness"
   ],
+  "fetch/cross-origin-resource-policy/fetch-in-iframe.html": [
+   "4d836bed1e90a2d14b1651c0f3229b3f3d0b6b91",
+   "testharness"
+  ],
+  "fetch/cross-origin-resource-policy/fetch.html": [
+   "6a881615d9df0750b640298725be56e60cd5804c",
+   "testharness"
+  ],
+  "fetch/cross-origin-resource-policy/iframe-loads.html": [
+   "8429fdb1695fc73c853dc37bf29544b8139d5396",
+   "testharness"
+  ],
+  "fetch/cross-origin-resource-policy/image-loads.html": [
+   "6e81ede4b474b2516ec735d4d8f99694b4124773",
+   "testharness"
+  ],
+  "fetch/cross-origin-resource-policy/resources/green.png": [
+   "ef91d21307a12b2cfaf33a90dffe16aa1cba42c9",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/resources/hello.py": [
+   "0d8e30350c97fd6a040b14348929cf7e87e0e406",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/resources/iframe.py": [
+   "d8f4af86d37d2f257b4166a1f7d3001d55eeda69",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/resources/iframeFetch.html": [
+   "d66a9c958288a97469e8cfa75eba973e9f35e190",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/resources/image.py": [
+   "72f4bbf045fbb61623246d44b763bd06024c0f63",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/resources/redirect.py": [
+   "eb237d6f61e042db8454efad97a7ca58ea90eba9",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/resources/script.py": [
+   "330a0ae1420b41e63bd639fa24f75e64e4528bcc",
+   "support"
+  ],
+  "fetch/cross-origin-resource-policy/script-loads.html": [
+   "cd28267293f2d20ee78d6b946fe6b8793edf1bae",
+   "testharness"
+  ],
   "fetch/data-urls/README.md": [
    "868cb170fa0c5626008fef77e37dee16e76b10d5",
    "support"
diff --git a/testing/web-platform/tests/common/get-host-info.sub.js b/testing/web-platform/tests/common/get-host-info.sub.js
index 58ef01c345f75..48ac19cbd08f5 100644
--- a/testing/web-platform/tests/common/get-host-info.sub.js
+++ b/testing/web-platform/tests/common/get-host-info.sub.js
@@ -6,6 +6,7 @@ function get_host_info() {
   var ORIGINAL_HOST = '{{host}}';
   var REMOTE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('www1.' + ORIGINAL_HOST);
   var OTHER_HOST = '{{domains[www2]}}';
+  var NOTSAMESITE_HOST = (ORIGINAL_HOST === 'localhost') ? '127.0.0.1' : ('not-' + ORIGINAL_HOST);
 
   return {
     HTTP_PORT: HTTP_PORT,
@@ -19,6 +20,7 @@ function get_host_info() {
     HTTPS_ORIGIN_WITH_CREDS: 'https://foo:bar@' + ORIGINAL_HOST + ':' + HTTPS_PORT,
     HTTP_ORIGIN_WITH_DIFFERENT_PORT: 'http://' + ORIGINAL_HOST + ':' + HTTP_PORT2,
     HTTP_REMOTE_ORIGIN: 'http://' + REMOTE_HOST + ':' + HTTP_PORT,
+    HTTP_NOTSAMESITE_ORIGIN: 'http://' + NOTSAMESITE_HOST + ':' + HTTP_PORT,
     HTTP_REMOTE_ORIGIN_WITH_DIFFERENT_PORT: 'http://' + REMOTE_HOST + ':' + HTTP_PORT2,
     HTTPS_REMOTE_ORIGIN: 'https://' + REMOTE_HOST + ':' + HTTPS_PORT,
     HTTPS_REMOTE_ORIGIN_WITH_CREDS: 'https://foo:bar@' + REMOTE_HOST + ':' + HTTPS_PORT,
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch-in-iframe.html b/testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch-in-iframe.html
new file mode 100644
index 0000000000000..cc6a3a81bcf4c
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch-in-iframe.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+    <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+
+function with_iframe(url)
+{
+  return new Promise(function(resolve) {
+      var frame = document.createElement('iframe');
+      frame.src = url;
+      frame.onload = function() { resolve(frame); };
+      document.body.appendChild(frame);
+    });
+}
+
+function loadIFrameAndFetch(iframeURL, fetchURL, expectedFetchResult, title)
+{
+    promise_test(async () => {
+        const frame = await with_iframe(iframeURL);
+        let receiveMessage;
+        const promise = new Promise((resolve, reject) => {
+            receiveMessage = (event) => {
+                if (event.data !== expectedFetchResult) {
+                    reject("Received unexpected message " + event.data);
+                    return;
+                }
+                resolve();
+            }
+            window.addEventListener("message", receiveMessage, false);
+        });
+        frame.contentWindow.postMessage(fetchURL, "*");
+        return promise.finally(() => {
+            frame.remove();
+            window.removeEventListener("message", receiveMessage, false);
+        });
+    }, title);
+}
+
+// This above data URL should be equivalent to resources/iframeFetch.html
+var dataIFrameURL = "data:text/html;base64,PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxzY3JpcHQ+CiAgICAgICAgZnVuY3Rpb24gcHJvY2Vzc01lc3NhZ2UoZXZlbnQpCiAgICAgICAgewogICAgICAgICAgICBmZXRjaChldmVudC5kYXRhLCB7IG1vZGU6ICJuby1jb3JzIiB9KS50aGVuKCgpID0+IHsKICAgICAgICAgICAgICAgIHBhcmVudC5wb3N0TWVzc2FnZSgib2siLCAiKiIpOwogICAgICAgICAgICB9LCAoKSA9PiB7CiAgICAgICAgICAgICAgICBwYXJlbnQucG9zdE1lc3NhZ2UoImtvIiwgIioiKTsKICAgICAgICAgICAgfSk7CiAgICAgICAgfQogICAgICAgIHdpbmRvdy5hZGRFdmVudExpc3RlbmVyKCJtZXNzYWdlIiwgcHJvY2Vzc01lc3NhZ2UsIGZhbHNlKTsKICAgIDwvc2NyaXB0Pgo8L2hlYWQ+Cjxib2R5PgogICAgPGgzPlRoZSBpZnJhbWUgbWFraW5nIGEgc2FtZSBvcmlnaW4gZmV0Y2ggY2FsbC48L2gzPgo8L2JvZHk+CjwvaHRtbD4K";
+
+loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-origin", "ko",
+    "Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-site", "ko",
+    "Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-origin", "ko",
+    "Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadIFrameAndFetch(notSameSiteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same-site", "ko",
+    "Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", remoteBaseURL + "resources/hello.py?corp=same-origin", "ok",
+    "Same-origin fetch in a cross origin iframe load succeeds if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch.html b/testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch.html
new file mode 100644
index 0000000000000..7cf8d60050aa7
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/fetch.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+    <script>
+const host = get_host_info();
+const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const sameSiteBaseURL = "http://" + host.ORIGINAL_HOST + ":" + host.HTTP_PORT2 + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const httpsBaseURL = host.HTTPS_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+
+promise_test(async () => {
+    const response = await fetch("./resources/hello.py?corp=same-origin");
+    assert_equals(await response.text(), "hello");
+}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+promise_test(async () => {
+    const response = await fetch("./resources/hello.py?corp=same-site");
+    assert_equals(await response.text(), "hello");
+}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test(async (test) => {
+    const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-origin");
+    assert_equals(await response.text(), "hello");
+}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+promise_test(async (test) => {
+    const response = await fetch(notSameSiteBaseURL + "resources/hello.py?corp=same-site");
+    assert_equals(await response.text(), "hello");
+}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+    const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin";
+    return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+promise_test((test) => {
+    const remoteURL = notSameSiteBaseURL + "resources/hello.py?corp=same-site";
+    return promise_rejects(test, new TypeError, fetch(remoteURL, { mode: "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+    const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-site";
+    return fetch(remoteURL, { mode: "no-cors" });
+}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+    const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-origin";
+    return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
+}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+promise_test(async (test) => {
+    const remoteSameSiteURL = sameSiteBaseURL + "resources/hello.py?corp=same-site";
+
+    await fetch(remoteSameSiteURL, { mode: "no-cors" });
+
+    return promise_rejects(test, new TypeError, fetch(sameSiteBaseURL + "resources/hello.py?corp=same-origin", { mode: "no-cors" }));
+}, "Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+    const finalURL = notSameSiteBaseURL + "resources/hello.py?corp=same-origin";
+    return promise_rejects(test, new TypeError, fetch("resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a redirection.");
+
+promise_test((test) => {
+    const finalURL = localBaseURL + "resources/hello.py?corp=same-origin";
+    return fetch(notSameSiteBaseURL + "resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" });
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header after a cross-origin redirection.");
+
+promise_test(async (test) => {
+    const finalURL = localBaseURL + "resources/hello.py?corp=same-origin";
+
+    await fetch(finalURL, { mode: "no-cors" });
+
+    return promise_rejects(test, new TypeError, fetch(notSameSiteBaseURL + "resources/redirect.py?corp=same-origin&redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' redirect response header.");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/iframe-loads.html b/testing/web-platform/tests/fetch/cross-origin-resource-policy/iframe-loads.html
new file mode 100644
index 0000000000000..63902c302b7ce
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/iframe-loads.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+    <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+
+function with_iframe(url) {
+  return new Promise(function(resolve) {
+      var frame = document.createElement('iframe');
+      frame.src = url;
+      frame.onload = function() { resolve(frame); };
+      document.body.appendChild(frame);
+    });
+}
+
+promise_test(async() => {
+    const url = remoteBaseURL + "resources/iframe.py?corp=same-origin";
+
+    await new Promise((resolve, reject) => {
+        return fetch(url, { mode: "no-cors" }).then(reject, resolve);
+    });
+
+    const iframe = await with_iframe(url);
+    return new Promise((resolve, reject) => {
+        window.addEventListener("message", (event) => {
+            if (event.data !== "pong") {
+                reject(event.data);
+                return;
+            }
+            resolve();
+        }, false);
+        iframe.contentWindow.postMessage("ping", "*");
+    }).finally(() => {
+        iframe.remove();
+    });
+}, "Load an iframe that has Cross-Origin-Resource-Policy header");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/image-loads.html b/testing/web-platform/tests/fetch/cross-origin-resource-policy/image-loads.html
new file mode 100644
index 0000000000000..8a0458f107abd
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/image-loads.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+    <div id="testDiv"></div>
+    <script>
+const host = get_host_info();
+const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const ok = true;
+const ko = false;
+const noCors = false;
+
+function loadImage(url, shoudLoad, corsMode, title)
+{
+    promise_test(() => {
+        const img = new Image();
+        if (corsMode)
+            img.crossOrigin = corsMode;
+        img.src = url;
+        return new Promise((resolve, reject) => {
+            img.onload = shoudLoad ? resolve : reject;
+            img.onerror = shoudLoad ? reject : resolve;
+            testDiv.appendChild(img);
+        }).finally(() => {
+            testDiv.innerHTML = "";
+        });
+    }, title);
+}
+
+loadImage("./resources/image.py?corp=same-origin", ok, noCors,
+    "Same-origin image load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadImage("./resources/image.py?corp=same-site", ok, noCors,
+    "Same-origin image load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-origin&acao=*", ok, "anonymous",
+    "Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-site&acao=*", ok, "anonymous",
+    "Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-origin&acao=*", ko, noCors,
+    "Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadImage(notSameSiteBaseURL + "resources/image.py?corp=same-site&acao=*", ko, noCors,
+    "Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+    </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/green.png b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/green.png
new file mode 100644
index 0000000000000000000000000000000000000000..28a1faab37797ef39454aa1deac1b470712f7be4
GIT binary patch
literal 87
zcmeAS@N?(olHy`uVBq!ia0vp^DL`z*$P6SW{C@KnNHGWagt#*NXE2F7umZ^C_jGX#
j(GX2ekYHV$kio>jw1<IF`tIWiKq&@KS3j3^P6<r_F*+3V

literal 0
HcmV?d00001

diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/hello.py b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/hello.py
new file mode 100644
index 0000000000000..2b7cb6c6fc9fa
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/hello.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+    if 'origin' in request.headers:
+        headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+    return 200, headers, "hello"
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframe.py b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframe.py
new file mode 100644
index 0000000000000..5872842c673ba
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframe.py
@@ -0,0 +1,5 @@
+def main(request, response):
+    headers = [("Content-Type", "text/html"),
+               ("Cross-Origin-Resource-Policy", request.GET['corp'])]
+    return 200, headers, "<body><h3>The iframe</h3><script>window.onmessage = () => { parent.postMessage('pong', '*'); }</script></body>"
+
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframeFetch.html b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframeFetch.html
new file mode 100644
index 0000000000000..257185805d96d
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/iframeFetch.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+        function processMessage(event)
+        {
+            fetch(event.data, { mode: "no-cors" }).then(() => {
+                parent.postMessage("ok", "*");
+            }, () => {
+                parent.postMessage("ko", "*");
+            });
+        }
+        window.addEventListener("message", processMessage, false);
+    </script>
+</head>
+<body>
+    <h3>The iframe making a same origin fetch call.</h3>
+</body>
+</html>
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/image.py b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/image.py
new file mode 100644
index 0000000000000..ba6198135a2aa
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/image.py
@@ -0,0 +1,21 @@
+import os.path
+
+def main(request, response):
+    type = request.GET.first("type", None)
+
+    body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()
+
+    response.add_required_headers = False
+    response.writer.write_status(200)
+
+    if 'corp' in request.GET:
+        response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
+    if 'acao' in request.GET:
+        response.writer.write_header("access-control-allow-origin", request.GET['acao'])
+    response.writer.write_header("content-length", len(body))
+    if(type != None):
+      response.writer.write_header("content-type", type)
+    response.writer.end_headers()
+
+    response.writer.write(body)
+
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/redirect.py b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/redirect.py
new file mode 100644
index 0000000000000..73793b074272e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/redirect.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    headers = [("Location", request.GET['redirectTo'])]
+    if 'corp' in request.GET:
+        headers.append(('Cross-Origin-Resource-Policy', request.GET['corp']))
+
+    return 302, headers, ""
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/script.py b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/script.py
new file mode 100644
index 0000000000000..c9bd6b9c9ee86
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/resources/script.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+    if 'origin' in request.headers:
+        headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+    return 200, headers, ""
diff --git a/testing/web-platform/tests/fetch/cross-origin-resource-policy/script-loads.html b/testing/web-platform/tests/fetch/cross-origin-resource-policy/script-loads.html
new file mode 100644
index 0000000000000..5850e0109f18c
--- /dev/null
+++ b/testing/web-platform/tests/fetch/cross-origin-resource-policy/script-loads.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+    <div id="testDiv"></div>
+    <script>
+const host = get_host_info();
+const notSameSiteBaseURL = host.HTTP_NOTSAMESITE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const ok = true;
+const ko = false;
+const noCors = false;
+
+function loadScript(url, shoudLoad, corsMode, title)
+{
+    promise_test(() => {
+        const script = document.createElement("script");
+        if (corsMode)
+            script.crossOrigin = corsMode;
+        script.src = url;
+        return new Promise((resolve, reject) => {
+            script.onload = shoudLoad ? resolve : reject;
+            script.onerror = shoudLoad ? reject : resolve;
+            testDiv.appendChild(script);
+        });
+    }, title);
+}
+
+loadScript("./resources/script.py?corp=same-origin", ok, noCors,
+    "Same-origin script load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadScript("./resources/script.py?corp=same-site", ok, noCors,
+    "Same-origin script load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-origin&acao=*", ok, "anonymous",
+    "Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-site&acao=*", ok, "anonymous",
+    "Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-origin&acao=*", ko, noCors,
+    "Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-origin' response header.");
+
+loadScript(notSameSiteBaseURL + "resources/script.py?corp=same-site&acao=*", ko, noCors,
+    "Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+    </script>
+</body>
+</html>