2 files changed, 19 insertions, 0 deletions

diff --git a/testing/web-platform/tests/credential-management/fedcm-csp.https.html b/testing/web-platform/tests/credential-management/fedcm-csp.https.html
new file mode 100644
index 0000000000..59c97e8c38
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-csp.https.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API network request tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+
+<script type="module">
+import {default_request_options, fedcm_test, set_fedcm_cookie} from './support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  const cred = navigator.credentials.get(default_request_options());
+  return promise_rejects_dom(t, "NetworkError", cred);
+}, "Provider configURL should honor Content-Security-Policy.");
+
+</script>
diff --git a/testing/web-platform/tests/credential-management/fedcm-csp.https.html.sub.headers b/testing/web-platform/tests/credential-management/fedcm-csp.https.html.sub.headers
new file mode 100644
index 0000000000..c1e6fd6c4c
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/fedcm-csp.https.html.sub.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Embedder-Policy: credentialless
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'