diff --git a/fetch/cross-origin-resource-policy/resources/image.py b/fetch/cross-origin-resource-policy/resources/image.py
index ba6198135a2aad..ad9295cf682874 100644
--- a/fetch/cross-origin-resource-policy/resources/image.py
+++ b/fetch/cross-origin-resource-policy/resources/image.py
@@ -18,4 +18,3 @@ def main(request, response):
 response.writer.end_headers()
 response.writer.write(body)
-
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.any.js b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
new file mode 100644
index 00000000000000..192572e28421b3
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.any.js
@@ -0,0 +1,7 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+ return promise_rejects(t,
+ new TypeError(),
+ fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site", { mode: "no-cors" }));
+}, "Cross-Origin-Resource-Policy: same-site blocks retrieving HTTPS from HTTP");
diff --git a/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
new file mode 100644
index 00000000000000..4c7457187419e0
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js
@@ -0,0 +1,13 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+ const img = new Image();
+ img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
+ return new Promise((resolve, reject) => {
+ img.onload = resolve;
+ img.onerror = reject;
+ document.body.appendChild(img);
+ }).finally(() => {
+ img.remove();
+ });
+}, "Cross-Origin-Resource-Policy does not block Mixed Content ");
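Review bot: In scheme-restriction.any.js the only assertion is that the no-cors fetch rejects with a TypeError, which any network-level failure of the HTTPS request (a certificate or port problem in the test environment, for instance) would also produce, so the test can pass without the Cross-Origin-Resource-Policy check ever running. A sibling control that fetches the same HTTPS_REMOTE_ORIGIN resource and expects it to resolve would pin the rejection on the header, e.g. `promise_test(() => fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py", { mode: "no-cors" }), "control: same fetch without CORP succeeds");`. This assumes hello.py omits the header when no corp parameter is given, which is not visible here. A short comment such as `// Runs from an HTTP document; the remote host is same-site apart from the scheme, so the scheme is what CORP rejects.` would also help, if that is how HTTPS_REMOTE_ORIGIN is configured.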
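Review bot: In scheme-restriction.https.window.js, `img.onerror = reject` rejects with a bare Event, and the load can fail because the user agent blocks or upgrades the HTTP image as mixed content just as well as because of Cross-Origin-Resource-Policy, so a failure does not say which policy fired. I would reject with a message, `img.onerror = () => reject(new Error("HTTP image with CORP: same-site failed to load from an HTTPS document"));`, and state the precondition above the test: `// Requires a UA that still loads optionally-blockable mixed content (images) over HTTP.` The test title also ends with a stray space inside the string literal.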