chromium/src/third_party/blink/web_tests/external/wpt/fetch/metadata/redirect/multiple-redirect-https-downgrade-upgrade.sub.html

<!DOCTYPE html>
<html>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=/fetch/metadata/resources/helper.js></script>
<script src=/fetch/metadata/resources/redirectTestHelper.sub.js></script>
<script src=/common/security-features/resources/common.sub.js></script>
<script src=/common/utils.js></script>
<style>
  @font-face {
    font-family: myDowngradeUpgradeFont;
    src: url(https://{{host}}:{{ports[https][0]}}/fetch/api/resources/redirect.py?location=http%3A%2F%2F{{host}}%3A{{ports[http][0]}}%2Ffetch%2Fapi%2Fresources%2Fredirect.py%3Flocation%3Dhttps%253A%252F%252F{{host}}%253A{{ports[https][0]}}%252Ffetch%252Fmetadata%252Fresources%252Frecord-header.py%253Ffile%253Dfont-https-downgrade-upgrade{{$id:uuid()}});
  }
  #fontTest {
    font-family: myDowngradeUpgradeFont;
  }
</style>
<body>
<div id="fontTest">Downgraded then upgraded font</div>
<script>
  let nonce = "{{$id}}";
  let expected = {"site": "cross-site", "user": "", "mode": "cors", "dest": "font"};

  // Validate various scenarios handle a request that redirects from https => http => https
  // correctly and avoids disclosure of any Sec- headers.
  RunCommonRedirectTests("Https downgrade-upgrade", MultipleRedirectTo, expected);

  document.fonts.ready.then(function () {
    promise_test(t => {
      return new Promise((resolve, reject) => {
        let key = "font-https-downgrade-upgrade{{$id}}";
        return validate_expectations(key, expected, "Https downgrade-upgrade font => No headers")
            .then(_ => resolve())
            .catch(e => reject(e));
      });
    }, "Https downgrade-upgrade font => No headers");
  });

  promise_test(() => {
    return requestViaImage(secureRedirectURL + encodeURIComponent(
        insecureRedirectURL + encodeURIComponent(
        "https://{{host}}:{{ports[https][0]}}/common/security-features/subresource/image.py")))
        .then(result => {
          headers = result.headers;
          got = {
            "mode": headers["sec-fetch-mode"],
            "site": headers["sec-fetch-site"],
            "user": headers["sec-fetch-user"],
            "dest": headers["sec-fetch-dest"]
          };
          assert_header_equals(got, {
            // Note that we're using `undefined` here, as opposed to "" elsewhere because of the way
            // that `image.py` encodes data.
            "site": "cross-site",
            "user": undefined,
            "mode": "cors",
            "dest": "image"
          }, "Https downgrade-upgrade image => No headers");
        });
  }, "Https downgrade-upgrade image => No headers");
</script>
<script
    src="https://{{host}}:{{ports[https][0]}}/fetch/api/resources/redirect.py?location=http%3A%2F%2F{{host}}%3A{{ports[http][0]}}%2Ffetch%2Fapi%2Fresources%2Fredirect.py%3Flocation%3Dhttps%253A%252F%252F{{host}}%253A{{ports[https][0]}}%252Ffetch%252Fmetadata%252Fresources%252Fecho-as-script.py"></script>
<script>
  test(t => {
    t.add_cleanup(_ => {
      header = null;
    });
    assert_header_equals(header, {"site": "cross-site", "user": "", "mode": "no-cors", "dest": "script"},
        "Https downgrade-upgrade script => No headers");
  }, "Https downgrade-upgrade script => No headers");
</script>
</body>