Reland "Migrate PolicyContentScriptXHR test to different test suite."

This reverts commit 4f725946.

Reason for reland: I think that the reverted CL cannot be responsible for the observed build error as explained here: https://chromium-review.googlesource.com/c/chromium/src/+/2125472/2#message-57912860a46d2c55efc389357cd193cc1068a76f

Original change's description:
> Revert "Migrate PolicyContentScriptXHR test to different test suite."
> 
> This reverts commit b7c2f359.
> 
> Reason for revert: This CL caused an issue in  Linux ChromiumOS Full 
> https://ci.chromium.org/p/chromium/builders/ci/Linux%20ChromiumOS%20Full/159520?
> 
> Original change's description:
> > Migrate PolicyContentScriptXHR test to different test suite.
> > 
> > This CL migrates BackgroundXhrWebstoreTest.PolicyContentScriptXHR to the
> > CrossOriginReadBlockingExtensionAllowlistingTest test suite (into new
> > tests, called ContentScriptVsHostBlockedByPolicy_NoSniffXml and
> > ContentScriptVsHostBlockedByPolicy_AllowedTextResource).
> > 
> > This way the tests covers the following setup aspects:
> > - CorbAllowlistAlsoAppliesToOorCors feature is enabled or disabled
> > - Extension is allowlisted or not
> > - OOR-CORS vs InBlinkCors
> > 
> > After this CL the old test can be deleted.  Note that the old test
> > always tested with:
> > - CorbAllowlistAlsoAppliesToOorCors disabled
> > - Non-allowlisted extension
> > - The default OOR-CORS state (enabled by default since r728462)
> > 
> > Bug: 1061567
> > Change-Id: Ic76ac9e48510953fd130141776e66b1fde11c404
> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2107431
> > Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
> > Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#754013}
> 
> TBR=lukasza@chromium.org,karandeepb@chromium.org
> 
> Change-Id: Idbd14b4e66190a533669159402389b738546bee6
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: 1061567
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2125472
> Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
> Commit-Queue: Juanmi Huertas <juanmihd@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#754249}

TBR=lukasza@chromium.org,karandeepb@chromium.org,juanmihd@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 1061567
Change-Id: I645636564e64256161251c1b187d13586ef3d625
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2127628Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#754555}

chrome/browser/extensions/background_xhr_browsertest.cc

@@ -9,7 +9,6 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
-#include "base/test/scoped_feature_list.h"
 #include "chrome/browser/extensions/extension_apitest.h"
 #include "chrome/browser/extensions/extension_browsertest.h"
 #include "chrome/browser/extensions/extension_with_management_policy_apitest.h"
@@ -35,7 +34,6 @@
 #include "net/ssl/client_cert_store.h"
 #include "net/ssl/ssl_server_config.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
-#include "services/network/public/cpp/features.h"
 #include "url/gurl.h"
 
 namespace extensions {
@@ -107,18 +105,7 @@ IN_PROC_BROWSER_TEST_F(BackgroundXhrTest, HttpAuth) {
 
 class BackgroundXhrWebstoreTest : public ExtensionApiTestWithManagementPolicy {
  public:
-  BackgroundXhrWebstoreTest() {
-    // TODO(lukasza): https://crbug.com/1061567: Migrate tests related to
-    // cross-origin requests from content scripts into the
-    // CrossOriginReadBlockingExtensionTest suite (which already covers test
-    // matrix of various enabled/disabled features).
-    //
-    // Affected tests:
-    // - BackgroundXhrWebstoreTest.PolicyContentScriptXHR
-    scoped_feature_list_.InitAndDisableFeature(
-        network::features::kCorbAllowlistAlsoAppliesToOorCors);
-  }
-
+  BackgroundXhrWebstoreTest() = default;
   ~BackgroundXhrWebstoreTest() override = default;
 
   void SetUpCommandLine(base::CommandLine* command_line) override {
@@ -182,8 +169,6 @@ class BackgroundXhrWebstoreTest : public ExtensionApiTestWithManagementPolicy {
   }
 
  private:
-  base::test::ScopedFeatureList scoped_feature_list_;
-
   DISALLOW_COPY_AND_ASSIGN(BackgroundXhrWebstoreTest);
 };
 
@@ -253,67 +238,6 @@ IN_PROC_BROWSER_TEST_F(BackgroundXhrWebstoreTest, PolicyBlockedXHR) {
               ::testing::HasSubstr("<head><title>OK</title></head>"));
 }
 
-// Verify that policy blocklists apply to XHRs done from injected scripts.
-IN_PROC_BROWSER_TEST_F(BackgroundXhrWebstoreTest, PolicyContentScriptXHR) {
-  TestExtensionDir test_dir;
-  test_dir.WriteManifest(R"(
-    {
-      "name": "XHR Content Script Test",
-      "manifest_version": 2,
-      "version": "0.1",
-      "permissions": ["<all_urls>", "tabs"],
-      "background": {"scripts": ["background.js"]}
-    })");
-
-  constexpr char kBackgroundScript[] =
-      R"(function executeFetch(url) {
-           chrome.tabs.executeScript({code: `
-             fetch("${url}")
-             .then(response => response.text())
-             .then(text => domAutomationController.send(text))
-             .catch(err => domAutomationController.send('ERROR: ' + err));
-           `});
-         }
-      )";
-  test_dir.WriteFile(FILE_PATH_LITERAL("background.js"), kBackgroundScript);
-
-  const Extension* extension = LoadExtension(test_dir.UnpackedPath());
-  ASSERT_TRUE(extension);
-
-  // Navigate to a foo.com page.
-  content::WebContents* web_contents =
-      browser()->tab_strip_model()->GetActiveWebContents();
-  GURL page_url(embedded_test_server()->GetURL("foo.com", "/title1.html"));
-  ui_test_utils::NavigateToURL(browser(), page_url);
-  EXPECT_EQ(page_url, web_contents->GetMainFrame()->GetLastCommittedURL());
-
-  // Using "/non-corb.octet-stream" resource (instead of "/simple.html" as in
-  // most other tests here) because XHRs/fetches from content scripts are
-  // subject to CORB (which is already covered by
-  // CrossOriginReadBlockingExtensionTest) and we want to focus the test below
-  // on policy behavior (which should be independent from whether or not CORB
-  // blocks the response).
-  GURL example_url =
-      embedded_test_server()->GetURL("example.com", "/non-corb.octet-stream");
-  GURL public_example_url = embedded_test_server()->GetURL(
-      "public.example.com", "/non-corb.octet-stream");
-
-  // Sanity Check: Should be able to fetch cross origin.
-  EXPECT_EQ("octet-stream-body", ExecuteFetch(extension, example_url));
-  EXPECT_EQ("octet-stream-body", ExecuteFetch(extension, public_example_url));
-
-  {
-    ExtensionManagementPolicyUpdater pref(&policy_provider_);
-    pref.AddPolicyBlockedHost("*", "*://*.example.com");
-    pref.AddPolicyAllowedHost("*", "*://public.example.com");
-  }
-
-  // Policies apply to XHR from a content script.
-  EXPECT_EQ("ERROR: TypeError: Failed to fetch",
-            ExecuteFetch(extension, example_url));
-  EXPECT_EQ("octet-stream-body", ExecuteFetch(extension, public_example_url));
-}
-
 // Make sure the blocklist and allowlist update for both Default and Individual
 // scope policies. Testing with all host permissions granted (<all_urls>).
 IN_PROC_BROWSER_TEST_F(BackgroundXhrWebstoreTest, PolicyUpdateXHR) {

chrome/browser/extensions/corb_and_cors_extension_browsertest.cc

@@ -17,6 +17,7 @@
 #include "chrome/browser/extensions/api/tabs/tabs_api.h"
 #include "chrome/browser/extensions/extension_browsertest.h"
 #include "chrome/browser/extensions/extension_function_test_utils.h"
+#include "chrome/browser/extensions/extension_management_test_util.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/extensions/extension_tab_util.h"
 #include "chrome/browser/extensions/tab_helper.h"
@@ -26,6 +27,8 @@
 #include "chrome/browser/ui/browser_navigator_params.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/test/base/ui_test_utils.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/mock_configuration_policy_provider.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/network_service_util.h"
@@ -163,6 +166,14 @@ class CorbAndCorsExtensionBrowserTest
                                                        disabled_features);
   }
 
+  void SetUpInProcessBrowserTestFixture() override {
+    EXPECT_CALL(policy_provider_, IsInitializationComplete(testing::_))
+        .WillRepeatedly(testing::Return(true));
+    policy_provider_.SetAutoRefresh();
+    policy::BrowserPolicyConnector::SetPolicyProviderForTesting(
+        &policy_provider_);
+  }
+
   bool IsExtensionAllowlisted() {
     return (GetParam() & TestParam::kAllowlisted) != 0;
   }
@@ -326,13 +337,14 @@ class CorbAndCorsExtensionBrowserTest
   // This verification helper might not work for non-CORB-eligible resources
   // like MIME types not covered by CORB (e.g. application/octet-stream) or
   // same-origin responses.
-  void VerifyFetchFromContentScript(const base::HistogramTester& histograms,
-                                    const std::string& actual_fetch_result,
-                                    const std::string& expected_fetch_result) {
+  void VerifyCorbEligibleFetchFromContentScript(
+      const base::HistogramTester& histograms,
+      const std::string& actual_fetch_result,
+      const std::string& expected_fetch_result) {
     SubprocessMetricsProvider::MergeHistogramDeltasForTesting();
 
-    // VerifyFetchFromContentScript is only called for Content Types covered by
-    // CORB and therefore these requests carry no risk for
+    // VerifyCorbEligibleFetchFromContentScript is only called for Content Types
+    // covered by CORB and therefore these requests carry no risk for
     // CorbAllowlistAlsoAppliesToOorCors - verify that we didn't log the UMA.
     VerifyPassiveUmaForAllowlistForCors(histograms, base::nullopt);
 
@@ -361,6 +373,30 @@ class CorbAndCorsExtensionBrowserTest
     }
   }
 
+  void VerifyNonCorbElligibleFetchFromContentScript(
+      const base::HistogramTester& histograms,
+      const std::string& actual_fetch_result,
+      const std::string& expected_fetch_result_prefix) {
+    // Verify that CORB sniffing allowed the response.
+    VerifyFetchFromContentScriptWasAllowedByCorb(histograms,
+                                                 true /* expecting_sniffing */);
+
+    if (ShouldAllowlistAlsoApplyToOorCors() &&
+        AreContentScriptFetchesExpectedToBeBlocked()) {
+      // Verify that the response body was blocked by CORS.
+      EXPECT_EQ(kCorsErrorWhenFetching, actual_fetch_result);
+    } else {
+      // Verify that the response body was not blocked by either CORB nor CORS.
+      EXPECT_THAT(actual_fetch_result,
+                  ::testing::StartsWith(expected_fetch_result_prefix));
+    }
+
+    // This is the kind of response (i.e., cross-origin fetch of a non-CORB
+    // type) that could be affected by the planned
+    // CorbAllowlistAlsoAppliesToOorCors feature.
+    VerifyPassiveUmaForAllowlistForCors(histograms, true);
+  }
+
   content::WebContents* active_web_contents() {
     return browser()->tab_strip_model()->GetActiveWebContents();
   }
@@ -487,6 +523,9 @@ class CorbAndCorsExtensionBrowserTest
         browser()->profile(), extension_->id(), background_script);
   }
 
+ protected:
+  policy::MockConfigurationPolicyProvider policy_provider_;
+
  private:
   void AllowlistExtensionIfNeeded(const Extension& extension) {
     // Sanity check that the field trial param (which has to be registered via
@@ -616,9 +655,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
     std::string fetch_result = PopString(&message_queue);
 
     // Verify whether the fetch worked or not (expectations differ depending on
-    // various factors - see the body of VerifyFetchFromContentScript).
-    VerifyFetchFromContentScript(histograms, fetch_result,
-                                 "nosniff.xml - body\n");
+    // various factors - see the body of
+    // VerifyCorbEligibleFetchFromContentScript).
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
   }
 
   // Test case #2: Declarative script injected after a renderer-initiated
@@ -640,9 +680,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
     std::string fetch_result = PopString(&message_queue);
 
     // Verify whether the fetch worked or not (expectations differ depending on
-    // various factors - see the body of VerifyFetchFromContentScript).
-    VerifyFetchFromContentScript(histograms, fetch_result,
-                                 "nosniff.xml - body\n");
+    // various factors - see the body of
+    // VerifyCorbEligibleFetchFromContentScript).
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
   }
 }
 
@@ -672,9 +713,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
       FetchViaContentScript(cross_site_resource, active_web_contents());
 
   // Verify whether the fetch worked or not (expectations differ depending on
-  // various factors - see the body of VerifyFetchFromContentScript).
-  VerifyFetchFromContentScript(histograms, fetch_result,
-                               "nosniff.xml - body\n");
+  // various factors - see the body of
+  // VerifyCorbEligibleFetchFromContentScript).
+  VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                           "nosniff.xml - body\n");
 }
 
 // Tests that extension permission to bypass CORS is revoked after the extension
@@ -740,8 +782,8 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
     content::ExecuteScriptAsync(active_web_contents(), kFetchInitiatingScript);
     std::string fetch_result = PopString(&queue);
 
-    VerifyFetchFromContentScript(histograms, fetch_result,
-                                 "nosniff.xml - body\n");
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
   }
 
   // Unload the extension and try fetching again.  The content script should
@@ -772,6 +814,111 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
   }
 }
 
+// Test that <all_urls> permission does not apply to hosts blocked by policy.
+IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
+                       ContentScriptVsHostBlockedByPolicy_NoSniffXml) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  ASSERT_TRUE(InstallExtensionWithPermissionToAllUrls());
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddPolicyBlockedHost("*", "*://*.example.com");
+    pref.AddPolicyAllowedHost("*", "*://public.example.com");
+  }
+
+  // Navigate to a fetch-initiator.com page.
+  GURL page_url = GetTestPageUrl("fetch-initiator.com");
+  ui_test_utils::NavigateToURL(browser(), page_url);
+  ASSERT_EQ(page_url,
+            active_web_contents()->GetMainFrame()->GetLastCommittedURL());
+  ASSERT_EQ(url::Origin::Create(page_url),
+            active_web_contents()->GetMainFrame()->GetLastCommittedOrigin());
+
+  // Test fetch from a host allowed by the policy (and allowed by the extension
+  // permissions).
+  {
+    SCOPED_TRACE(::testing::Message() << "Allowed by policy");
+    base::HistogramTester histograms;
+    GURL cross_site_resource(
+        embedded_test_server()->GetURL("public.example.com", "/nosniff.xml"));
+    std::string fetch_result =
+        FetchViaContentScript(cross_site_resource, active_web_contents());
+
+    // Verify whether the fetch worked or not (expectations differ depending on
+    // various factors - see the body of
+    // VerifyCorbEligibleFetchFromContentScript).
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
+  }
+
+  // Test fetch from a host blocked by the policy (and allowed by the extension
+  // permissions).
+  {
+    SCOPED_TRACE(::testing::Message() << "Blocked by policy");
+    base::HistogramTester histograms;
+    GURL cross_site_resource(
+        embedded_test_server()->GetURL("example.com", "/nosniff.xml"));
+    std::string fetch_result =
+        FetchViaContentScript(cross_site_resource, active_web_contents());
+
+    // Verify that the fetch was blocked by CORS.
+    EXPECT_EQ(kCorsErrorWhenFetching, fetch_result);
+    VerifyFetchFromContentScriptWasBlockedByCorb(histograms);
+  }
+}
+
+// Test that <all_urls> permission does not apply to hosts blocked by policy.
+IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
+                       ContentScriptVsHostBlockedByPolicy_AllowedTextResource) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  ASSERT_TRUE(InstallExtensionWithPermissionToAllUrls());
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddPolicyBlockedHost("*", "*://*.example.com");
+    pref.AddPolicyAllowedHost("*", "*://public.example.com");
+  }
+
+  // Navigate to a fetch-initiator.com page.
+  GURL page_url = GetTestPageUrl("fetch-initiator.com");
+  ui_test_utils::NavigateToURL(browser(), page_url);
+  ASSERT_EQ(page_url,
+            active_web_contents()->GetMainFrame()->GetLastCommittedURL());
+  ASSERT_EQ(url::Origin::Create(page_url),
+            active_web_contents()->GetMainFrame()->GetLastCommittedOrigin());
+
+  // Test fetch from a host allowed by the policy (and allowed by the extension
+  // permissions).
+  {
+    SCOPED_TRACE(::testing::Message() << "Allowed by policy");
+    base::HistogramTester histograms;
+    GURL cross_site_resource(embedded_test_server()->GetURL(
+        "public.example.com", "/save_page/text.txt"));
+    std::string fetch_result =
+        FetchViaContentScript(cross_site_resource, active_web_contents());
+
+    // Verify that the fetch was allowed by CORB.  CORS expectations differ
+    // depending on exact scenario.
+    VerifyNonCorbElligibleFetchFromContentScript(
+        histograms, fetch_result,
+        "text-object.txt: ae52dd09-9746-4b7e-86a6-6ada5e2680c2");
+  }
+
+  // Test fetch from a host blocked by the policy (and allowed by the extension
+  // permissions).
+  {
+    SCOPED_TRACE(::testing::Message() << "Blocked by policy");
+    base::HistogramTester histograms;
+    GURL cross_site_resource(
+        embedded_test_server()->GetURL("example.com", "/save_page/text.txt"));
+    std::string fetch_result =
+        FetchViaContentScript(cross_site_resource, active_web_contents());
+
+    // Verify that the fetch was blocked by CORS.
+    EXPECT_EQ(kCorsErrorWhenFetching, fetch_result);
+    VerifyFetchFromContentScriptWasAllowedByCorb(histograms,
+                                                 true /* expecting_sniffing */);
+  }
+}
+
 IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
                        FromProgrammaticContentScript_PermissionToAllUrls) {
   ASSERT_TRUE(embedded_test_server()->Start());
@@ -794,9 +941,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
       FetchViaContentScript(cross_site_resource, active_web_contents());
 
   // Verify whether the fetch worked or not (expectations differ depending on
-  // various factors - see the body of VerifyFetchFromContentScript).
-  VerifyFetchFromContentScript(histograms, fetch_result,
-                               "nosniff.xml - body\n");
+  // various factors - see the body of
+  // VerifyCorbEligibleFetchFromContentScript).
+  VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                           "nosniff.xml - body\n");
 }
 
 // Coverage of *.subdomain.com extension permissions for CORB-eligible fetches
@@ -827,9 +975,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
         FetchViaContentScript(allowed_url, active_web_contents());
 
     // Verify whether the fetch worked or not (expectations differ depending on
-    // various factors - see the body of VerifyFetchFromContentScript).
-    VerifyFetchFromContentScript(histograms, fetch_result,
-                                 "nosniff.xml - body\n");
+    // various factors - see the body of
+    // VerifyCorbEligibleFetchFromContentScript).
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
   }
 }
 
@@ -862,9 +1011,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
       FetchViaContentScript(redirecting_url, active_web_contents());
 
   // Verify whether the fetch worked or not (expectations differ depending on
-  // various factors - see the body of VerifyFetchFromContentScript).
-  VerifyFetchFromContentScript(histograms, fetch_result,
-                               "nosniff.xml - body\n");
+  // various factors - see the body of
+  // VerifyCorbEligibleFetchFromContentScript).
+  VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                           "nosniff.xml - body\n");
 }
 
 // Test that verifies CORS-allowed fetches work for targets that are not
@@ -986,28 +1136,11 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
   std::string fetch_result =
       FetchViaContentScript(cross_site_resource, active_web_contents());
 
-  // Verify that CORB sniffing allowed the response.
-  VerifyFetchFromContentScriptWasAllowedByCorb(histograms,
-                                               true /* expecting_sniffing */);
-
-  if (ShouldAllowlistAlsoApplyToOorCors() &&
-      AreContentScriptFetchesExpectedToBeBlocked()) {
-    // Verify that the response body was blocked by CORS.
-    EXPECT_EQ(kCorsErrorWhenFetching, fetch_result);
-  } else {
-    // Verify that the response body was not blocked by either CORB nor CORS.
-    //
-    // StartsWith (rather than equality) is used in the verification step to
-    // account for \n VS \r\n difference on Windows.
-    EXPECT_THAT(fetch_result,
-                ::testing::StartsWith(
-                    "text-object.txt: ae52dd09-9746-4b7e-86a6-6ada5e2680c2"));
-  }
-
-  // This is the kind of response (i.e., cross-origin fetch of a non-CORB type)
-  // that could be affected by the planned CorbAllowlistAlsoAppliesToOorCors
-  // feature.
-  VerifyPassiveUmaForAllowlistForCors(histograms, true);
+  // Verify that the fetch was allowed by CORB.  CORS expectations differ
+  // depending on exact scenario.
+  VerifyNonCorbElligibleFetchFromContentScript(
+      histograms, fetch_result,
+      "text-object.txt: ae52dd09-9746-4b7e-86a6-6ada5e2680c2");
 }
 
 // Coverage of *.subdomain.com extension permissions for non-CORB eligible
@@ -1041,27 +1174,9 @@ IN_PROC_BROWSER_TEST_P(
         FetchViaContentScript(allowed_url, active_web_contents());
 
     // Verify that CORB sniffing allowed the response.
-    VerifyFetchFromContentScriptWasAllowedByCorb(histograms,
-                                                 true /* expecting_sniffing */);
-
-    if (ShouldAllowlistAlsoApplyToOorCors() &&
-        AreContentScriptFetchesExpectedToBeBlocked()) {
-      // Verify that the response body was blocked by CORS.
-      EXPECT_EQ(kCorsErrorWhenFetching, fetch_result);
-    } else {
-      // Verify that the response body was not blocked by either CORB nor CORS.
-      //
-      // StartsWith (rather than equality) is used in the verification step to
-      // account for \n VS \r\n difference on Windows.
-      EXPECT_THAT(fetch_result,
-                  ::testing::StartsWith(
-                      "text-object.txt: ae52dd09-9746-4b7e-86a6-6ada5e2680c2"));
-    }
-
-    // This is the kind of response (i.e., cross-origin fetch of a non-CORB
-    // type) that could be affected by the planned
-    // CorbAllowlistAlsoAppliesToOorCors feature.
-    VerifyPassiveUmaForAllowlistForCors(histograms, true);
+    VerifyNonCorbElligibleFetchFromContentScript(
+        histograms, fetch_result,
+        "text-object.txt: ae52dd09-9746-4b7e-86a6-6ada5e2680c2");
   }
 }
 
@@ -1090,22 +1205,8 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
       FetchViaContentScript(cross_site_resource, active_web_contents());
 
   // Verify that CORB sniffing allowed the response.
-  VerifyFetchFromContentScriptWasAllowedByCorb(histograms,
-                                               true /* expecting_sniffing */);
-
-  if (ShouldAllowlistAlsoApplyToOorCors() &&
-      AreContentScriptFetchesExpectedToBeBlocked()) {
-    // Verify that the response body was blocked by CORS.
-    EXPECT_EQ(kCorsErrorWhenFetching, fetch_result);
-  } else {
-    // Verify that the response body was not blocked by either CORB nor CORS.
-    EXPECT_THAT(fetch_result, ::testing::StartsWith("\xEF\xBF\xBDPNG"));
-  }
-
-  // This is the kind of response (i.e., cross-origin fetch that is not blocked
-  // by CORB due to sniffing) that could be affected by the planned
-  // CorbAllowlistAlsoAppliesToOorCors feature.
-  VerifyPassiveUmaForAllowlistForCors(histograms, true);
+  VerifyNonCorbElligibleFetchFromContentScript(histograms, fetch_result,
+                                               "\xEF\xBF\xBDPNG");
 }
 
 // Test that responses are blocked by CORB, but have empty response body are not
@@ -1132,9 +1233,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
       FetchViaContentScript(cross_site_resource, active_web_contents());
 
   // Verify whether the fetch worked or not (expectations differ depending on
-  // various factors - see the body of VerifyFetchFromContentScript).
-  VerifyFetchFromContentScript(histograms, fetch_result,
-                               "" /* expected_response_body */);
+  // various factors - see the body of
+  // VerifyCorbEligibleFetchFromContentScript).
+  VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                           "" /* expected_response_body */);
 }
 
 // Test that LogInitiatorSchemeBypassingDocumentBlocking exits early for
@@ -1457,9 +1559,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
         FetchViaContentScript(cross_site_resource, active_web_contents());
 
     // Verify whether the fetch worked or not (expectations differ depending on
-    // various factors - see the body of VerifyFetchFromContentScript).
-    VerifyFetchFromContentScript(histograms, fetch_result,
-                                 "nosniff.xml - body\n");
+    // various factors - see the body of
+    // VerifyCorbEligibleFetchFromContentScript).
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
   }
   // Using a different image, to bypass renderer-side caching.
   EXPECT_EQ("IMG LOADED",
@@ -1490,9 +1593,10 @@ IN_PROC_BROWSER_TEST_P(CorbAndCorsExtensionBrowserTest,
         FetchViaContentScript(cross_site_resource, active_web_contents());
 
     // Verify whether the fetch worked or not (expectations differ depending on
-    // various factors - see the body of VerifyFetchFromContentScript).
-    VerifyFetchFromContentScript(histograms, fetch_result,
-                                 "nosniff.xml - body\n");
+    // various factors - see the body of
+    // VerifyCorbEligibleFetchFromContentScript).
+    VerifyCorbEligibleFetchFromContentScript(histograms, fetch_result,
+                                             "nosniff.xml - body\n");
   }
   // Using a different image, to bypass renderer-side caching.
   EXPECT_EQ("IMG LOADED",