2 files changed, 51 insertions, 0 deletions

diff --git a/dom/fetch/tests/browser.toml b/dom/fetch/tests/browser.toml
index e449f9572f..f0788db856 100644
--- a/dom/fetch/tests/browser.toml
+++ b/dom/fetch/tests/browser.toml
@@ -2,6 +2,11 @@
 
 ["browser_blobFromFile.js"]
 
+["browser_default_credentialless_fetch.js"]
+support-files = [
+  "store_header.sjs",
+]
+
 ["browser_origin_trial_coep_credentialless_cache.js"]
 support-files = [
   "open_credentialless_document.sjs",
diff --git a/dom/fetch/tests/browser_default_credentialless_fetch.js b/dom/fetch/tests/browser_default_credentialless_fetch.js
new file mode 100644
index 0000000000..1c7e820d5f
--- /dev/null
+++ b/dom/fetch/tests/browser_default_credentialless_fetch.js
@@ -0,0 +1,46 @@
+/* Any copyright is dedicated to the Public Domain.
+   https://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const RESOURCE_URL =
+  getRootDirectory(gTestPath).replace(
+    "chrome://mochitests/content",
+    "https://example.com"
+  ) + "store_header.sjs";
+
+add_task(async function test_fetch_defaults_to_credentialless() {
+  // Ensure cookie is set up:
+  let expiry = Date.now() / 1000 + 24 * 60 * 60;
+  Services.cookies.add(
+    "example.com",
+    "/",
+    "foo",
+    "bar",
+    false,
+    false,
+    false,
+    expiry,
+    {},
+    Ci.nsICookie.SAMESITE_NONE,
+    Ci.nsICookie.SCHEME_HTTPS
+  );
+
+  // Explicitly send cookie header by using `same-origin` in the init dict, to
+  // ensure cookies are stored correctly and can be sent.
+  await fetch(RESOURCE_URL + "?checkheader", { credentials: "same-origin" });
+
+  Assert.equal(
+    await fetch(RESOURCE_URL + "?getstate").then(r => r.text()),
+    "hasCookie",
+    "Should have cookie when explicitly passing credentials info in 'checkheader' request."
+  );
+
+  // Check the default behaviour.
+  await fetch(RESOURCE_URL + "?checkheader");
+  Assert.equal(
+    await fetch(RESOURCE_URL + "?getstate").then(r => r.text()),
+    "noCookie",
+    "Should not have cookie in the default case (no explicit credentials mode) for chrome privileged requests."
+  );
+});