report-cross-origin-no-cookies.sub.html (1463B)
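<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Cookies are not sent on cross origin violation reports</title>
  <meta name="timeout" content="long">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!-- CSP headers
Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID=$id
-->
</head>
<body>
<script>
  // Purpose: a CSP violation report sent to another origin (the www1 host
  // named in the report-uri above) must not carry cookies.
  //
  // Flow:
  //   1. Set cspViolationReportCookie1 through set-cookie.py with credentials.
  //   2. Load an image that the img-src 'none' policy blocks, which triggers
  //      a violation report to the report-uri endpoint.
  //   3. checkReport.sub.js (loaded below with noCookies=true) inspects the
  //      stored report; its logic is not part of this file.
  //
  // NOTE(review): the cookie is set by a same-origin request, with the report
  // endpoint's host:port passed as the `path` parameter. Whether that puts the
  // cookie in scope for the report endpoint depends on set-cookie.py, which is
  // not shown here. Confirm it does: a cookie that could never be sent to the
  // endpoint would let the noCookies check pass without proving anything.
  promise_test(function(test) {
    const path = encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/");
    return fetch(
        "/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + path,
        {mode: 'no-cors', credentials: 'include'})
    .then(() => {
      // Expire the cookie once the test finishes so it cannot leak into
      // other tests that share this origin.
      test.add_cleanup(() => {
        return fetch("/cookies/resources/set.py?cspViolationReportCookie1=; path=" + path + "; expires=Thu, 01 Jan 1970 00:00:01 GMT");
      });

      // promise_test finishes as soon as the returned promise settles, so the
      // image outcome has to be part of that promise. Without this the test
      // would complete right after appendChild(), before either handler
      // could run, and "Image should not load" would pass unconditionally.
      return new Promise((resolve) => {
        // This image will generate a CSP violation report.
        const img = new Image();
        img.onerror = resolve;
        img.onload = test.unreached_func("Should not have loaded the image");

        img.src = "../support/fail.png";
        document.body.appendChild(img);
      });
    });
  }, "Image should not load");
</script>
<script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&noCookies=true"></script>

</body>
</html>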