Merging upstream version 126.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

27 files changed, 310 insertions, 47 deletions

diff --git a/testing/web-platform/tests/credential-management/digital-identity.https.html b/testing/web-platform/tests/credential-management/digital-identity.https.html
index 82630e2a5b..b2f36d21ee 100644
--- a/testing/web-platform/tests/credential-management/digital-identity.https.html
+++ b/testing/web-platform/tests/credential-management/digital-identity.https.html
@@ -1,14 +1,22 @@
 <!DOCTYPE html>
 <title>Digital Identity Credential tests.</title>
 <link rel="help" href="https://wicg.github.io/digital-identities/">
+<script src="/common/get-host-info.sub.js"></script>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/resources/testdriver.js"></script>
 <script src="/resources/testdriver-vendor.js"></script>
 
 <body>
+<script type="module">
+import { buildValidNavigatorIdentityRequest } from './support/digital-identity-helper.js';
+
+// This regex removes the filename from the path so that we just get
+// the directory.
+const host = get_host_info();
+const basePath = window.location.pathname.replace(/\/[^\/]*$/, '/');
+const remoteBaseURL = host.HTTPS_REMOTE_ORIGIN + basePath;
 
-<script>
 // Builds valid digital identity request for navigator.credentials.get() API.
 function buildValidNavigatorCredentialsRequest() {
   return {
@@ -34,28 +42,13 @@ function buildValidNavigatorCredentialsRequest() {
   };
 }
 
-// Builds valid digital identity request for navigator.identity.get() API.
-function buildValidNavigatorIdentityRequest() {
-  return {
-      digital: {
-        providers: [{
-          protocol: "protocol",
-          selector: {
-            format: ['mdoc'],
-            doctype: 'org.iso.18013.5.1.mDL',
-            fields: [
-              'org.iso.18013.5.1.family_name',
-              'org.iso.18013.5.1.portrait',
-            ]
-          },
-          params: {
-            nonce: '1234',
-            readerPublicKey: 'test_reader_public_key',
-            extraParamAsNeededByDigitalCredentials: true,
-          },
-        }],
-      },
-  };
+async function createIframeAndWaitForMessage(test, iframeUrl) {
+    const messageWatcher = new EventWatcher(test, window, "message");
+    var iframe = document.createElement("iframe");
+    iframe.src = iframeUrl;
+    document.body.appendChild(iframe);
+    const message = await messageWatcher.wait_for("message");
+    return message.data;
 }
 
 // Requires browser to have mode where OS-presented digital-identity-prompt is
@@ -96,7 +89,7 @@ promise_test(async t => {
 promise_test(async t => {
   let request = buildValidNavigatorIdentityRequest();
   let credential = await navigator.identity.get(request);
-  assert_equals("protocol", credential.protocol);
+  assert_equals("urn:openid.net:oid4vp", credential.protocol);
   assert_equals("fake_test_token", credential.data);
 }, "navigator.identity.get() API works in toplevel frame.");
 
@@ -109,6 +102,12 @@ promise_test(async t => {
 
 promise_test(async t => {
   let request = buildValidNavigatorIdentityRequest();
+  request.digital.providers = [];
+  await promise_rejects_js(t, TypeError, navigator.identity.get(request));
+}, "navigator.identity.get() API fails if there are no providers.");
+
+promise_test(async t => {
+  let request = buildValidNavigatorIdentityRequest();
   let providerCopy = structuredClone(request.digital.providers[0]);
   request.digital.providers.push(providerCopy);
   await promise_rejects_js(t, TypeError, navigator.identity.get(request));
@@ -122,4 +121,18 @@ promise_test(async t=> {
   abortController.abort();
   await promise_rejects_dom(t, "AbortError", requestPromise);
 }, "navigator.identity.get() promise is rejected when the page aborts the request.");
+
+promise_test(async t=> {
+  const message = await createIframeAndWaitForMessage(
+      t, basePath + "support/digital-identity-iframe.html");
+  assert_equals(message.result, "Pass");
+  assert_equals(message.data, "fake_test_token");
+}, "navigator.identity.get() succeeds in same-origin iframe");
+
+promise_test(async t=> {
+  const message = await createIframeAndWaitForMessage(
+      t, remoteBaseURL + "support/digital-identity-iframe.html");
+  assert_equals(message.result, "Fail");
+  assert_equals(message.errorType, "NotAllowedError");
+}, "navigator.identity.get() fails in cross-origin iframe");
 </script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html
new file mode 100644
index 0000000000..fcda3a3dd5
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-disallowed.https.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API network request tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+        request_options_with_mediation_required,
+        select_manifest,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  // First, do a regular fedcm request so we that we can be considered
+  // a returning user below.
+  let options = request_options_with_mediation_required();
+  await fedcm_get_and_select_first_account(t, options);
+
+  // Now do a silent mediation request.
+  options = request_options_with_mediation_required('manifest_with_continue_on.json');
+  options.mediation = 'silent';
+  await select_manifest(t, options);
+  const cred_promise = fedcm_get_and_select_first_account(t, options);
+  return promise_rejects_dom(t, 'NetworkError', cred_promise);
+}, "continue_on with mediation:silent should fail");
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html
new file mode 100644
index 0000000000..5bd8ef34fe
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on-with-account.https.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API network request tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+        request_options_with_mediation_required,
+        select_manifest,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  const options = request_options_with_mediation_required('manifest_with_continue_on.json');
+  options.identity.providers[0].nonce = "accountId=jane_doe";
+  await select_manifest(t, options);
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  // This indicates the account that was selected in the dialog,
+  // not the account that was specified in IdentityProvider.resolve,
+  // hence we get 1234 instead of jane_doe.
+  assert_equals(cred.token, "account=1234");
+
+  // Now, jane_doe should be considered a returning user. Make sure
+  // auto reauthentication works. We have to use optional instead of
+  // silent so that we can open the continue_on popup.
+  options.mediation = "optional";
+  return test_driver.bless('initiate FedCM request', async function() {
+    let cred2 = await navigator.credentials.get(options);
+    assert_equals(cred2.token, "account=jane_doe");
+  });
+}, "continue_on and IdentityProvider.resolve work correctly.");
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html
index 3ce1f51e37..c7da5384af 100644
--- a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-continue-on.https.html
@@ -18,7 +18,7 @@ fedcm_test(async t => {
   const options = request_options_with_mediation_required('manifest_with_continue_on.json');
   await select_manifest(t, options);
   const cred = await fedcm_get_and_select_first_account(t, options);
-  assert_equals(cred.token, "resolved token");
+  assert_equals(cred.token, "account=1234");
 }, "continue_on and IdentityProvider.resolve work correctly.");
 
 </script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html
index ef53ed4ffc..0521f4a2ab 100644
--- a/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-authz/fedcm-userinfo-after-resolve.https.html
@@ -29,7 +29,7 @@ fedcm_test(async t => {
   const options = alt_request_options_with_mediation_required('manifest_with_continue_on.json');
   await select_manifest(t, options);
   const cred = await fedcm_get_and_select_first_account(t, options);
-  assert_equals(cred.token, "resolved token");
+  assert_equals(cred.token, "account=1234");
 
   const iframe_in_idp_scope = `${alt_manifest_origin}/\
 credential-management/support/fedcm/userinfo-iframe.html`;
diff --git a/testing/web-platform/tests/credential-management/fedcm-context.https.html b/testing/web-platform/tests/credential-management/fedcm-context.https.html
index bc1f96eafa..7b3e1032af 100644
--- a/testing/web-platform/tests/credential-management/fedcm-context.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-context.https.html
@@ -16,32 +16,32 @@ import {request_options_with_mediation_required,
 
 fedcm_test(async t => {
   let p = navigator.credentials.get(request_options_with_mediation_required());
-  const title = await fedcm_get_title_promise(t);
-  assert_true(title.toLowerCase().includes('sign in'));
+  const result = await fedcm_get_title_promise(t);
+  assert_true(result.title.toLowerCase().includes('sign in'));
   window.test_driver.select_fedcm_account(0);
   return p;
 }, "FedCM call defaults to 'signin' context.");
 
 fedcm_test(async t => {
   let p = navigator.credentials.get(request_options_with_context("manifest.py", "signup"));
-  const title = await fedcm_get_title_promise(t);
-  assert_true(title.toLowerCase().includes('sign up'));
+  const result = await fedcm_get_title_promise(t);
+  assert_true(result.title.toLowerCase().includes('sign up'));
   window.test_driver.select_fedcm_account(0);
   return p;
 }, "FedCM with 'signup' context.");
 
 fedcm_test(async t => {
   let p = navigator.credentials.get(request_options_with_context("manifest.py", "use"));
-  const title = await fedcm_get_title_promise(t);
-  assert_true(title.toLowerCase().includes('use'));
+  const result = await fedcm_get_title_promise(t);
+  assert_true(result.title.toLowerCase().includes('use'));
   window.test_driver.select_fedcm_account(0);
   return p;
 }, "FedCM with 'use' context.");
 
 fedcm_test(async t => {
   let p = navigator.credentials.get(request_options_with_context("manifest.py", "continue"));
-  const title = await fedcm_get_title_promise(t);
-  assert_true(title.toLowerCase().includes('continue'));
+  const result = await fedcm_get_title_promise(t);
+  assert_true(result.title.toLowerCase().includes('continue'));
   window.test_driver.select_fedcm_account(0);
   return p;
 }, "FedCM with 'continue' context.");
diff --git a/testing/web-platform/tests/credential-management/fedcm-csp.https.html b/testing/web-platform/tests/credential-management/fedcm-csp.https.html
index 5925741438..c9a2456e4d 100644
--- a/testing/web-platform/tests/credential-management/fedcm-csp.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-csp.https.html
@@ -3,6 +3,8 @@
 <link rel="help" href="https://fedidcg.github.io/FedCM">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
 
 <body>
 
diff --git a/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html b/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html
index 3e07491d48..20b4569a05 100644
--- a/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-domainhint.https.html
@@ -22,7 +22,7 @@ fedcm_test(async t => {
 
   let options = request_options_with_domain_hint('manifest.py',
     'nomatch');
-  const cred = fedcm_get_and_select_first_account(t, options);
+  const cred = navigator.credentials.get(options);
   // We expect a mismatch dialog.
   const type = await fedcm_get_dialog_type_promise(t);
   assert_equals(type, 'ConfirmIdpLogin');
diff --git a/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html b/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html
index cff5036f39..36a4de7900 100644
--- a/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-endpoint-redirects.https.html
@@ -20,7 +20,7 @@ fedcm_test(async t => {
   let test_options = request_options_with_mediation_required("manifest_redirect_accounts.json");
   await select_manifest(t, test_options);
 
-  const cred = fedcm_get_and_select_first_account(t, test_options);
+  const cred = navigator.credentials.get(test_options);
   // We expect a mismatch dialog.
   const type = await fedcm_get_dialog_type_promise(t);
   assert_equals(type, 'ConfirmIdpLogin');
diff --git a/testing/web-platform/tests/credential-management/fedcm-iframe.https.html b/testing/web-platform/tests/credential-management/fedcm-iframe.https.html
index dc0c17dea6..6a9bec677c 100644
--- a/testing/web-platform/tests/credential-management/fedcm-iframe.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-iframe.https.html
@@ -2,6 +2,8 @@
 <link rel="help" href="https://wicg.github.io/FedCM">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
 <script src="/common/get-host-info.sub.js"></script>
 <div id=log>
 <script type="module">
diff --git a/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html b/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html
index edae955a76..fe35007a87 100644
--- a/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html
+++ b/testing/web-platform/tests/credential-management/fedcm-loginhint.https.html
@@ -19,7 +19,7 @@ fedcm_test(async t => {
   await mark_signed_in();
 
   let options = request_options_with_login_hint('manifest.py', 'nomatch');
-  const cred = fedcm_get_and_select_first_account(t, options);
+  const cred = navigator.credentials.get(options);
   // We expect a mismatch dialog.
   const type = await fedcm_get_dialog_type_promise(t);
   assert_equals(type, 'ConfirmIdpLogin');
diff --git a/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
new file mode 100644
index 0000000000..77ecdaff9f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API SameSite=None tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+        alt_request_options_with_mediation_required,
+        select_manifest,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json');
+  await select_manifest(t, options);
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  assert_equals(cred.token, "token");
+  assert_equals(cred.isAutoSelected, false);
+}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies.");
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-helper.js b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js
new file mode 100644
index 0000000000..2020d6cda7
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js
@@ -0,0 +1,19 @@
+// Builds valid digital identity request for navigator.identity.get() API.
+export function buildValidNavigatorIdentityRequest() {
+  return {
+      digital: {
+        providers: [{
+          protocol: "urn:openid.net:oid4vp",
+          request: JSON.stringify({
+            // Based on https://github.com/openid/OpenID4VP/issues/125
+            client_id: "client.example.org",
+            client_id_scheme: "web-origin",
+            nonce: "n-0S6_WzA2Mj",
+            presentation_definition: {
+              // Presentation Exchange request, omitted for brevity
+            }
+          }),
+        }],
+      },
+  };
+}
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html
new file mode 100644
index 0000000000..8e193ff09f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html
@@ -0,0 +1,27 @@
+<!doctype html>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script type="module">
+import { buildValidNavigatorIdentityRequest } from './digital-identity-helper.js';
+
+// Loading digital-identity-iframe.html in the test will make a digital credential call on load, and
+// trigger a postMessage upon completion.
+//
+// message {
+//   string result: "Pass" | "Fail"
+//   string data: credential.token
+//   string errorType: error.data
+// }
+
+window.onload = async () => {
+  try {
+    let request = buildValidNavigatorIdentityRequest();
+    let credential = await navigator.identity.get(request);
+
+    window.top.postMessage({result: "Pass", data: credential.data}, '*');
+  } catch (error) {
+    window.top.postMessage({result: "Fail", errorType: error.name}, '*');
+  }
+};
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
index 765b3cc48a..f0031fa531 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
+++ b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js
@@ -8,7 +8,9 @@ export function open_and_wait_for_popup(origin, path) {
 
     // We rely on the popup page to send us a message when done.
     const popup_message_handler = (event) => {
-      if (event.origin == origin) {
+      // We use new URL() to ensure the two origins are normalized the same
+      // way (especially so that default ports are handled identically).
+      if (new URL(event.origin).toString() == new URL(origin).toString()) {
         popup_window.close();
         window.removeEventListener('message', popup_message_handler);
         resolve();
@@ -22,7 +24,7 @@ export function open_and_wait_for_popup(origin, path) {
 // Set the identity provider cookie.
 export function set_fedcm_cookie(host) {
   if (host == undefined) {
-    document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+    document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
     return Promise.resolve();
   } else {
     return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');
@@ -102,6 +104,15 @@ credential-management/support/fedcm/${manifest_filename}`;
 // Test wrapper which does FedCM-specific setup.
 export function fedcm_test(test_func, test_name) {
   promise_test(async t => {
+    // Ensure we start from a clean slate.
+    await test_driver.delete_all_cookies();
+    // Turn off delays that are not useful in tests.
+    try {
+      await test_driver.set_fedcm_delay_enabled(false);
+    } catch (e) {
+      // Failure is not critical; it just might slow down tests.
+    }
+
     await set_fedcm_cookie();
     await set_alt_fedcm_cookie();
     await test_func(t);
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py
new file mode 100644
index 0000000000..a6f385feac
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py
@@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.accountsCheck(request)
+  if (request_error):
+    return request_error
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
+  if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+    return (538, [], "Wrong Sec-Fetch-Site header")
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  return """
+{
+ "accounts": [{
+   "id": "1234",
+   "given_name": "John",
+   "name": "John Doe",
+   "email": "john_doe@idp.example",
+   "picture": "https://idp.example/profile/123",
+   "approved_clients": ["123", "456", "789"],
+   "login_hints": ["john_doe"],
+   "domain_hints": ["idp.example", "example"]
+  }]
+}
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py
new file mode 100644
index 0000000000..faea06edc3
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py
@@ -0,0 +1,30 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.accountsCheck(request)
+  if (request_error):
+    return request_error
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  return """
+{
+ "accounts": [{
+   "id": "1234",
+   "given_name": "John",
+   "name": "John Doe",
+   "email": "john_doe@idp.example",
+   "picture": "https://idp.example/profile/123",
+   "login_hints": ["john_doe"],
+   "domain_hints": ["idp.example", "example"]
+  },
+  {
+   "id": "jane_doe",
+   "given_name": "Jane",
+   "name": "Jane Doe",
+   "email": "jane_doe@idp.example",
+   "picture": "https://idp.example/profile/5678"
+  }]
+}
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py
index 42b4f3f8fd..1b4831b51d 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py
@@ -8,5 +8,7 @@ def main(request, response):
 
   response.headers.set(b"Content-Type", b"application/json")
 
-  return "{\"continue_on\": \"resolve.html\"}"
+  account = request.POST.get(b"account_id").decode("utf-8")
+  nonce = request.POST.get(b"nonce").decode("utf-8")
+  return "{\"continue_on\": \"resolve.html?selected=%s&%s\"}" % (account, nonce)
 
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json
new file mode 100644
index 0000000000..d730415983
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json
@@ -0,0 +1,7 @@
+{
+  "accounts_endpoint": "accounts_check_same_site_strict.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token_check_same_site_strict.py",
+  "login_url": "login.html"
+}
+
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json
index 3f5a954b87..d7673c7e1b 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json
@@ -1,5 +1,5 @@
 {
-  "accounts_endpoint": "accounts.py",
+  "accounts_endpoint": "accounts_no_approved_clients.py",
   "client_metadata_endpoint": "client_metadata.py",
   "id_assertion_endpoint": "continue_on.py",
   "disconnect_endpoint": "disconnect.py",
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
index b774496d5d..6c610e6e20 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
@@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
 def commonCredentialedRequestCheck(request):
   if request.cookies.get(b"cookie") != b"1":
     return (537, [], "Missing cookie")
-  if request.headers.get(b"Sec-Fetch-Site") != b"none":
-    return (538, [], "Wrong Sec-Fetch-Site header")
 
 def commonPostCheck(request):
   if not request.headers.get(b"Origin"):
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html
index 87f5112cfd..dbdc28c324 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html
+++ b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html
@@ -1,7 +1,16 @@
 <!DOCTYPE html>
 <script>
 async function doResolve() {
-  IdentityProvider.resolve("resolved token");
+  let params = new URLSearchParams(document.location.search);
+  let options = {};
+  if (params.get("accountId")) {
+    options.accountId = params.get("accountId");
+  }
+  let token = "resolved token";
+  if (params.get("selected")) {
+    token = "account=" + params.get("selected");
+  }
+  IdentityProvider.resolve(token, options);
 }
 window.onload = doResolve;
 </script>
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
index ab34992210..15adf11324 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
@@ -15,6 +15,7 @@ def main(request, response):
 // If this page was opened as a popup, notify the opener.
 if (window.opener) {
   window.opener.postMessage("done_loading", "*");
+  window.close();
 }
 </script>
 Sent header value: {}".format(header_value)
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py
new file mode 100644
index 0000000000..8a4b3a234b
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py
@@ -0,0 +1,15 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.tokenCheck(request)
+  if (request_error):
+    return request_error
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
+
+  response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+  return "{\"token\": \"token\"}"
diff --git a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html
index 532db7047a..681fcd6787 100644
--- a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html
+++ b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html
@@ -3,13 +3,17 @@
 
 <fencedframe></fencedframe>
 <script>
-const url = new URL("mark_signedin", location.href);
-document.querySelector("fencedframe").config = new FencedFrameConfig(url);
-
 // If this page was opened as a popup, notify the opener when we are done loading.
 if (window.opener) {
   window.onload = function() {
     window.opener.postMessage("done_loading", "*");
   };
 }
+
+// This code is intentionally after the onload listener registration
+// because it can throw if FencedFrameConfig is not defined. In that
+// case, we still want to notify the opener to avoid a test timeout.
+const url = new URL("mark_signedin", location.href);
+document.querySelector("fencedframe").config = new FencedFrameConfig(url);
+
 </script>
diff --git a/testing/web-platform/tests/credential-management/support/set_cookie b/testing/web-platform/tests/credential-management/support/set_cookie
index 1080b366e4..2c3196058a 100644
--- a/testing/web-platform/tests/credential-management/support/set_cookie
+++ b/testing/web-platform/tests/credential-management/support/set_cookie
@@ -6,6 +6,7 @@
 // If this page was opened as a popup, notify the opener.
 if (window.opener) {
   window.opener.postMessage("done_loading", "*");
+  window.close();
 }
 </script>
 </body>
diff --git a/testing/web-platform/tests/credential-management/support/set_cookie.headers b/testing/web-platform/tests/credential-management/support/set_cookie.headers
index b19ff933a6..4226ff4c99 100644
--- a/testing/web-platform/tests/credential-management/support/set_cookie.headers
+++ b/testing/web-platform/tests/credential-management/support/set_cookie.headers
@@ -1,2 +1,3 @@
 Content-Type: text/html
 Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure