Fetch: test Cross-Origin-Resource-Policy: same-site's scheme restriction

Supplements #11171.

For whatwg/fetch#733.

fetch/cross-origin-resource-policy/resources/hello.py

@@ -0,0 +1,6 @@
+def main(request, response):
+    headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+    if 'origin' in request.headers:
+        headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+    return 200, headers, "hello"

fetch/cross-origin-resource-policy/resources/image.py

@@ -0,0 +1,20 @@
+import os.path
+
+def main(request, response):
+    type = request.GET.first("type", None)
+
+    body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()
+
+    response.add_required_headers = False
+    response.writer.write_status(200)
+
+    if 'corp' in request.GET:
+        response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
+    if 'acao' in request.GET:
+        response.writer.write_header("access-control-allow-origin", request.GET['acao'])
+    response.writer.write_header("content-length", len(body))
+    if(type != None):
+      response.writer.write_header("content-type", type)
+    response.writer.end_headers()
+
+    response.writer.write(body)

fetch/cross-origin-resource-policy/scheme-restriction.any.js

@@ -0,0 +1,7 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+  return promise_rejects(t,
+                         new TypeError(),
+                         fetch(get_host_info().HTTPS_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site", { mode: "no-cors" }));
+}, "Cross-Origin-Resource-Policy: same-site's scheme restriction");

fetch/cross-origin-resource-policy/scheme-restriction.https.window.js

@@ -0,0 +1,13 @@
+// META: script=/common/get-host-info.sub.js
+
+promise_test(t => {
+  const img = new Image();
+  img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
+  return new Promise((resolve, reject) => {
+    img.onload = resolve;
+    img.onerror = reject;
+    document.body.appendChild(img);
+  }).finally(() => {
+    img.remove();
+  });
+}, "Cross-Origin-Resource-Policy does not block Mixed Content <img>");