Adding upstream version 125.0.1.upstream/125.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

16 files changed, 511 insertions, 19 deletions

diff --git a/testing/web-platform/tests/credential-management/digital-identity.https.html b/testing/web-platform/tests/credential-management/digital-identity.https.html
new file mode 100644
index 0000000000..82630e2a5b
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/digital-identity.https.html
@@ -0,0 +1,125 @@
+<!DOCTYPE html>
+<title>Digital Identity Credential tests.</title>
+<link rel="help" href="https://wicg.github.io/digital-identities/">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script>
+// Builds valid digital identity request for navigator.credentials.get() API.
+function buildValidNavigatorCredentialsRequest() {
+  return {
+      identity: {
+        providers: [{
+          holder: {
+            selector: {
+              format: ['mdoc'],
+              doctype: 'org.iso.18013.5.1.mDL',
+              fields: [
+                'org.iso.18013.5.1.family_name',
+                'org.iso.18013.5.1.portrait',
+              ]
+            },
+            params: {
+              nonce: '1234',
+              readerPublicKey: 'test_reader_public_key',
+              extraParamAsNeededByDigitalCredentials: true,
+            },
+          },
+        }],
+      },
+  };
+}
+
+// Builds valid digital identity request for navigator.identity.get() API.
+function buildValidNavigatorIdentityRequest() {
+  return {
+      digital: {
+        providers: [{
+          protocol: "protocol",
+          selector: {
+            format: ['mdoc'],
+            doctype: 'org.iso.18013.5.1.mDL',
+            fields: [
+              'org.iso.18013.5.1.family_name',
+              'org.iso.18013.5.1.portrait',
+            ]
+          },
+          params: {
+            nonce: '1234',
+            readerPublicKey: 'test_reader_public_key',
+            extraParamAsNeededByDigitalCredentials: true,
+          },
+        }],
+      },
+  };
+}
+
+// Requires browser to have mode where OS-presented digital-identity-prompt is
+// bypassed in favour of returning "fake_test_token" directly.
+promise_test(async t => {
+  const {token} = await navigator.credentials.get(buildValidNavigatorCredentialsRequest());
+  assert_equals("fake_test_token", token);
+}, "navigator.credentials.get() API works in toplevel frame.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorCredentialsRequest();
+  request.identity.providers = undefined;
+
+  await promise_rejects_js(t, TypeError, navigator.credentials.get(request));
+}, "navigator.credentials.get() API fails if IdentityCredentialRequestOptions::providers is not specified.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorCredentialsRequest();
+  request.identity.providers = [];
+
+  await promise_rejects_js(t, TypeError, navigator.credentials.get(request));
+}, "navigator.credentials.get() API fails if there are no providers.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorCredentialsRequest();
+  let providerCopy = structuredClone(request.identity.providers[0]);
+  request.identity.providers.push(providerCopy);
+  await promise_rejects_js(t, TypeError, navigator.credentials.get(request));
+}, "navigator.credentials.get() API fails if there is more than one provider.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorCredentialsRequest();
+  request.identity.providers[0].holder = undefined;
+
+  await promise_rejects_js(t, TypeError, navigator.credentials.get(request));
+}, "navigator.credentials.get() API fails if IdentityProviderConfig::holder is not specified.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorIdentityRequest();
+  let credential = await navigator.identity.get(request);
+  assert_equals("protocol", credential.protocol);
+  assert_equals("fake_test_token", credential.data);
+}, "navigator.identity.get() API works in toplevel frame.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorIdentityRequest();
+  request.digital.providers = undefined;
+
+  await promise_rejects_js(t, TypeError, navigator.identity.get(request));
+}, "navigator.identity.get() API fails if DigitalCredentialRequestOptions::providers is not specified.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorIdentityRequest();
+  let providerCopy = structuredClone(request.digital.providers[0]);
+  request.digital.providers.push(providerCopy);
+  await promise_rejects_js(t, TypeError, navigator.identity.get(request));
+}, "navigator.identity.get() API fails if there is more than one provider.");
+
+promise_test(async t=> {
+  let abortController = new AbortController();
+  let request = buildValidNavigatorIdentityRequest();
+  request.signal = abortController.signal;
+  let requestPromise = navigator.identity.get(request);
+  abortController.abort();
+  await promise_rejects_dom(t, "AbortError", requestPromise);
+}, "navigator.identity.get() promise is rejected when the page aborts the request.");
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-button-mode-basics.tentative.https.html b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-button-mode-basics.tentative.https.html
new file mode 100644
index 0000000000..a71e262135
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-button-mode-basics.tentative.https.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API Button Mode basic tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script type="module">
+import {request_options_with_mediation_required,
+        fedcm_test,
+        select_manifest,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  let test_options = request_options_with_mediation_required();
+  test_options.identity.mode = "button";
+  await select_manifest(t, test_options);
+
+  let result = navigator.credentials.get(test_options);
+  return promise_rejects_dom(t, 'NetworkError', result);
+}, "Test that the button mode without user activation will fail.");
+
+fedcm_test(async t => {
+  let test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+  test_options.identity.mode = "button";
+
+  return test_driver.bless('initiate FedCM request', async function() {
+      let cred = await fedcm_get_and_select_first_account(t, test_options);
+      assert_equals(cred.token, "mode=button");
+  });
+}, "Test that the button mode succeeds with user activation.");
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-button-mode-priority.tentative.https.html b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-button-mode-priority.tentative.https.html
new file mode 100644
index 0000000000..b71e84db47
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-button-mode-priority.tentative.https.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API Button Mode priority tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script type="module">
+import {request_options_with_mediation_required,
+        fedcm_test,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  let widget_test_options = request_options_with_mediation_required();
+  let button_test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+  button_test_options.identity.mode = "button";
+
+  return test_driver.bless('initiate FedCM request', async function() {
+      let first_cred = await fedcm_get_and_select_first_account(t, button_test_options);
+      assert_equals(first_cred.token, "mode=button");
+      let second_cred = await fedcm_get_and_select_first_account(t, widget_test_options);
+      assert_equals(second_cred.token, "token");
+  });
+}, "Test that the widget mode can succeed after the button mode.");
+
+fedcm_test(async t => {
+   let widget_test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+   let button_test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+   button_test_options.identity.mode = "button";
+
+   let first_cred = navigator.credentials.get(widget_test_options);
+   let rej = promise_rejects_dom(t, 'NetworkError', first_cred);
+
+   return test_driver.bless('initiate FedCM request', async function() {
+       let second_cred = await fedcm_get_and_select_first_account(t, button_test_options);
+       assert_equals(second_cred.token, "mode=button");
+       await rej;
+   });
+ }, "Test that the button mode can replace widget mode.");
+
+fedcm_test(async t => {
+  let button_test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+  button_test_options.identity.mode = "button";
+
+  return test_driver.bless('initiate FedCM request', async function() {
+      let first_cred = fedcm_get_and_select_first_account(t, button_test_options);
+      let second_cred = navigator.credentials.get(button_test_options);
+      let rej = promise_rejects_dom(t, 'NotAllowedError', second_cred);
+
+      let cred = await first_cred;
+      assert_equals(cred.token, "mode=button");
+      await rej;
+  });
+}, "Test that the button mode cannot replace button mode.");
+
+fedcm_test(async t => {
+  let widget_test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+  let button_test_options = request_options_with_mediation_required("manifest_with_rp_mode.json");
+  button_test_options.identity.mode = "button";
+
+  return test_driver.bless('initiate FedCM request', async function() {
+      let first_cred = fedcm_get_and_select_first_account(t, button_test_options);
+      let second_cred = navigator.credentials.get(widget_test_options);
+      let rej = promise_rejects_dom(t, 'NotAllowedError', second_cred);
+
+      let cred = await first_cred;
+      assert_equals(cred.token, "mode=button");
+      await rej;
+  });
+}, "Test that the widget mode cannot replace button mode.");
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-use-other-account-button-flow.tentative.https.html b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-use-other-account-button-flow.tentative.https.html
new file mode 100644
index 0000000000..996523af84
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-use-other-account-button-flow.tentative.https.html
@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API Use Another Account API tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script type="module">
+import {request_options_with_mediation_required,
+        fedcm_test,
+        fedcm_get_dialog_type_promise,
+        manifest_origin,
+        open_and_wait_for_popup,
+        select_manifest} from '../support/fedcm-helper.sub.js';
+
+const url_path = '/credential-management/support/fedcm/'
+const url_prefix = manifest_origin + url_path;
+
+async function set_accounts_cookie(value) {
+  await open_and_wait_for_popup(manifest_origin, url_path + 'set_accounts_cookie.py?' + value);
+}
+
+fedcm_test(async t => {
+  await set_accounts_cookie("1");
+
+  let test_options =
+    request_options_with_mediation_required("manifest_with_variable_accounts.json");
+  test_options.identity.mode = "button";
+  await select_manifest(t, test_options);
+
+  // Trigger FedCM and wait for the initial dialog.
+  let cred_promise = null;
+  await test_driver.bless('initiate FedCM request', async function() {
+    cred_promise = navigator.credentials.get(test_options);
+  });
+
+  let type = await fedcm_get_dialog_type_promise(t);
+  assert_equals(type, "AccountChooser");
+
+  // Tell the account endpoint to now return 2 accounts and click use other account.
+  await set_accounts_cookie("2");
+  await window.test_driver.click_fedcm_dialog_button("ConfirmIdpLoginContinue");
+
+  // Wait for the account chooser to appear again.
+  type = await fedcm_get_dialog_type_promise(t);
+  assert_equals(type, "AccountChooser");
+
+  await window.test_driver.select_fedcm_account(1);
+  const cred = await cred_promise;
+  assert_equals(cred.token, "account_id=jane_doe");
+}, 'Test that the "Use Other Account" button works correctly.');
+
+
+fedcm_test(async t => {
+  await set_accounts_cookie("1");
+
+  let test_options =
+    request_options_with_mediation_required("manifest_with_variable_accounts.json");
+  test_options.identity.mode = "button";
+  await select_manifest(t, test_options);
+
+  // Trigger FedCM and wait for the initial dialog.
+  let cred_promise = null;
+  await test_driver.bless('initiate FedCM request', async function() {
+    cred_promise = navigator.credentials.get(test_options);
+  });
+
+  let type = await fedcm_get_dialog_type_promise(t);
+  assert_equals(type, "AccountChooser");
+
+  // Click use other account but without changing the account returned.
+  await window.test_driver.click_fedcm_dialog_button("ConfirmIdpLoginContinue");
+
+  // Wait for the account chooser to appear again.
+  type = await fedcm_get_dialog_type_promise(t);
+  assert_equals(type, "AccountChooser");
+
+  await window.test_driver.select_fedcm_account(0);
+  const cred = await cred_promise;
+  assert_equals(cred.token, "account_id=1234");
+}, 'Test that the "Use Other Account" button works correctly when accounts do not change.');
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-use-other-account.tentative.https.html b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-use-other-account.tentative.https.html
new file mode 100644
index 0000000000..2022bbc0f7
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-button-and-other-account/fedcm-use-other-account.tentative.https.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API Use Another Account API tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script type="module">
+import {request_options_with_mediation_required,
+        fedcm_test,
+        fedcm_get_dialog_type_promise,
+        manifest_origin,
+        open_and_wait_for_popup,
+        select_manifest} from '../support/fedcm-helper.sub.js';
+
+const url_path = '/credential-management/support/fedcm/'
+const url_prefix = manifest_origin + url_path;
+
+async function set_accounts_cookie(value) {
+  await open_and_wait_for_popup(manifest_origin, url_path + 'set_accounts_cookie.py?' + value);
+}
+
+fedcm_test(async t => {
+  await set_accounts_cookie("1");
+
+  let test_options =
+    request_options_with_mediation_required("manifest_with_variable_accounts.json");
+  await select_manifest(t, test_options);
+
+  // Trigger FedCM and wait for the initial dialog.
+  const cred_promise = navigator.credentials.get(test_options);
+  let type = await fedcm_get_dialog_type_promise(t);
+  assert_equals(type, "AccountChooser");
+
+  // Tell the account endpoint to now return 2 accounts and click use other account.
+  await set_accounts_cookie("2");
+  await window.test_driver.click_fedcm_dialog_button("ConfirmIdpLoginContinue");
+
+  // Wait for the account chooser to appear again.
+  type = await fedcm_get_dialog_type_promise(t);
+  assert_equals(type, "AccountChooser");
+
+  await window.test_driver.select_fedcm_account(1);
+  const cred = await cred_promise;
+  assert_equals(cred.token, "account_id=jane_doe");
+}, 'Test that the "Use Other Account" button works correctly.');
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-identity-assertion-nocors.https.html b/testing/web-platform/tests/credential-management/fedcm-identity-assertion-nocors.https.html
new file mode 100644
index 0000000000..612387b4a0
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-identity-assertion-nocors.https.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API test with no CORS identity assertion.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script type="module">
+import {request_options_with_mediation_required,
+        fedcm_test,
+        select_manifest,
+        mark_signed_in,
+        fedcm_get_dialog_type_promise,
+        fedcm_get_and_select_first_account} from './support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  await mark_signed_in();
+  let test_options = request_options_with_mediation_required("manifest-token-nocors.json");
+  await select_manifest(t, test_options);
+  try {
+    const cred = await fedcm_get_and_select_first_account(t, test_options);
+    assert_unreached("An IdentityCredentialError exception should be thrown.");
+  } catch (e) {
+    assert_true(e instanceof DOMException);
+    assert_equals(e.name, "IdentityCredentialError");
+  }
+}, 'Test that promise is rejected if identity assertion does not use CORS');
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-login-status-unknown.https.html b/testing/web-platform/tests/credential-management/fedcm-login-status-unknown.https.html
new file mode 100644
index 0000000000..d542524c88
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-login-status-unknown.https.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>FedCM IDP sign-in status API tests for unknown state</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<script type="module">
+  import {request_options_with_mediation_required,
+          fedcm_test,
+          select_manifest,
+          fedcm_get_and_select_first_account} from './support/fedcm-helper.sub.js';
+
+  // TODO(crbug.com/1494119): move the test under fedcm-login-status.
+  fedcm_test(async t => {
+    let test_options = request_options_with_mediation_required("manifest_with_no_accounts.json");
+    await select_manifest(t, test_options);
+
+    let request = navigator.credentials.get(test_options);
+    return promise_rejects_dom(t, 'NetworkError', request);
+  }, 'Test that promise is rejected silently when accounts fetch fails in unknown state');
+</script>
\ No newline at end of file
diff --git a/testing/web-platform/tests/credential-management/fedcm-pending-call-rejected.https.html b/testing/web-platform/tests/credential-management/fedcm-pending-call-rejected.https.html
index feb3f903d8..bb9f885a8a 100644
--- a/testing/web-platform/tests/credential-management/fedcm-pending-call-rejected.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-pending-call-rejected.https.html
@@ -19,7 +19,7 @@ fedcm_test(async t => {
   // We have to call promise_rejects_dom here, because if we call it after
   // the promise gets rejected, the unhandled rejection event handler is called
   // and fails the test even if we handle the rejection later.
-  const rej = promise_rejects_dom(t, 'AbortError', second);
+  const rej = promise_rejects_dom(t, 'NotAllowedError', second);
 
   const first_cred = await first;
   assert_equals(first_cred.token, "token");
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json
new file mode 100644
index 0000000000..77ba1b4702
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json
@@ -0,0 +1,7 @@
+{
+  "accounts_endpoint": "accounts.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token.py?nocors=1",
+  "disconnect_endpoint": "disconnect.py",
+  "login_url": "login.html"
+}
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json
new file mode 100644
index 0000000000..5692fd9190
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json
@@ -0,0 +1,6 @@
+{
+  "accounts_endpoint": "two_accounts.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token_with_rp_mode.py",
+  "login_url": "login.html"
+}
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json
index 10c2ddd55d..9e4af25004 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json
@@ -2,5 +2,13 @@
   "accounts_endpoint": "variable_accounts.py",
   "client_metadata_endpoint": "client_metadata.py",
   "id_assertion_endpoint": "token_with_account_id.py",
-  "login_url": "login.html"
+  "login_url": "login.html",
+  "modes": {
+    "button": {
+      "supports_use_other_account": true
+    },
+    "widget": {
+      "supports_use_other_account": true
+    }
+  }
 }
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
index daf91aad8f..b774496d5d 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
@@ -80,6 +80,8 @@ def tokenCheck(request):
     return (544, [], "Missing 'account_id' POST parameter")
   if not request.POST.get(b"disclosure_text_shown"):
     return (545, [], "Missing 'disclosure_text_shown' POST parameter")
+  if not request.headers.get(b"Origin"):
+    return (540, [], "Missing Origin")
 
 def revokeCheck(request):
   common_error = commonCheck(request, b"cors")
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
new file mode 100644
index 0000000000..ab34992210
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
@@ -0,0 +1,21 @@
+def main(request, response):
+  query_string = request.url_parts[3]
+  # We mark the cookie as HttpOnly so that this request
+  # can be made before login.html, which would overwrite
+  # the value to 1.
+  header_value = "accounts={}; SameSite=None; Secure; HttpOnly".format(query_string)
+  response.headers.set(b"Set-Cookie", header_value.encode("utf-8"))
+  response.headers.set(b"Content-Type", b"text/html")
+
+  return """
+<!DOCTYPE html>
+<script>
+// The important part of this page are the headers.
+
+// If this page was opened as a popup, notify the opener.
+if (window.opener) {
+  window.opener.postMessage("done_loading", "*");
+}
+</script>
+Sent header value: {}".format(header_value)
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token.py b/testing/web-platform/tests/credential-management/support/fedcm/token.py
index b914eb2d96..7ec81c390a 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/token.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token.py
@@ -7,5 +7,8 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  if b"nocors" not in request.GET:
+    response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+    response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   return "{\"token\": \"token\"}"
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py b/testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py
new file mode 100644
index 0000000000..515736416f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py
@@ -0,0 +1,12 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.tokenCheck(request)
+  if (request_error):
+    return request_error
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  rp_mode = request.POST.get(b"mode")
+  return "{\"token\": \"mode=" + rp_mode.decode("utf-8") + "\"}"
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py b/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py
index c9db2c4528..fc4446acc4 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py
@@ -1,25 +1,14 @@
 import importlib
 error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
 
-def main(request, response):
-  request_error = error_checker.accountsCheck(request)
-  if (request_error):
-    return request_error
-
-  response.headers.set(b"Content-Type", b"application/json")
-
-  if request.cookies.get(b"accounts") != b"1":
-    return """
-{
- "accounts": [
-  ]
-}
+result_json = """
+{{
+ "accounts": [{}]
+}}
 """
 
-
-  return """
+one_account = """
 {
- "accounts": [{
    "id": "1234",
    "given_name": "John",
    "name": "John Doe",
@@ -28,6 +17,33 @@ def main(request, response):
    "approved_clients": ["123", "456", "789"],
    "login_hints": ["john_doe"],
    "hosted_domains": ["idp.example", "example"]
-  }]
+  }
+"""
+
+
+two_accounts = one_account + """
+, {
+   "id": "jane_doe",
+   "given_name": "Jane",
+   "name": "Jane Doe",
+   "email": "jane_doe@idp.example",
+   "picture": "https://idp.example/profile/5678",
+   "approved_clients": ["123", "abc"]
 }
 """
+
+def main(request, response):
+  request_error = error_checker.accountsCheck(request)
+  if (request_error):
+    return request_error
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  if request.cookies.get(b"accounts") == b"1":
+    return result_json.format(one_account)
+  if request.cookies.get(b"accounts") == b"2":
+    return result_json.format(two_accounts)
+
+  return result_json.format("")
+
+