Bug 1527560 [wpt PR 15348] - Implement `Sec-Fetch-Mode`, a=testonly
authorMike West <mkwst@chromium.org>
Tue, 05 Mar 2019 11:11:53 +0000
changeset 525414 f61a049759af467cdad157d0827d0b9f30178ee7
parent 525413 9bb616490c7c600f6d29e82360447f4d8b6a8867
child 525415 ba63a52c10157ccfeec051a6aef6c21c1b87babb
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
treeherdermozilla-release@455c1065dcbe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1527560, 15348, 843478, 1466362, 631651
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1527560 [wpt PR 15348] - Implement `Sec-Fetch-Mode`, a=testonly Automatic update from web-platform-tests Implement `Sec-Fetch-Mode` This patch implements `Sec-Fetch-Mode`, which adds the current CORS mode to outgoing, secure requests, as defined in https://mikewest.github.io/sec-metadata/#sec-fetch-mode-header. Bug: 843478 Change-Id: I811bfa86bdac1600b8abdd275d9526f6408e62e2 Reviewed-on: https://chromium-review.googlesource.com/c/1466362 Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#631651} -- wpt-commits: 86bfe06b7260f552913b3274c30377ce7e9968b8 wpt-pr: 15348
testing/web-platform/tests/fetch/sec-metadata/embed.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/font.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.sub.html
testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/object.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/report.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/resources/helper.js
testing/web-platform/tests/fetch/sec-metadata/script.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/script.tentative.sub.html
testing/web-platform/tests/fetch/sec-metadata/serviceworker.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/sharedworker.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/style.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/track.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/window-open.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/worker.tentative.https.sub.html
testing/web-platform/tests/fetch/sec-metadata/xslt.tentative.https.sub.html
--- a/testing/web-platform/tests/fetch/sec-metadata/embed.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/embed.tentative.https.sub.html
@@ -8,17 +8,17 @@
 <script>
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "embed-same-origin";
 
       let e = document.createElement('embed');
       e.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"embed", "site":"same-origin", "user":"?F"};
+        let expected = {"dest":"embed", "site":"same-origin", "user":"?F", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
@@ -27,17 +27,17 @@
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "embed-same-site";
 
       let e = document.createElement('embed');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"embed", "site":"same-site", "user":"?F"};
+        let expected = {"dest":"embed", "site":"same-site", "user":"?F", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
@@ -46,17 +46,17 @@
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "embed-cross-site";
 
       let e = document.createElement('embed');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"embed", "site":"cross-site", "user":"?F"};
+        let expected = {"dest":"embed", "site":"cross-site", "user":"?F", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
--- a/testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html
@@ -1,41 +1,85 @@
 <!DOCTYPE html>
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src=/fetch/sec-metadata/resources/helper.js></script>
 <script>
+  // Site
   promise_test(t => {
     return fetch("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py")
         .then(r => r.json())
         .then(j => {
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-origin",
-            "user":"?F"
+            "user": "?F",
+            "mode": "cors",
           });
         });
   }, "Same-origin fetch");
 
   promise_test(t => {
     return fetch("https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py")
         .then(r => r.json())
         .then(j => {
           assert_header_equals(j, {
             "dest": "empty",
             "site": "same-site",
-            "user":"?F"
+            "user": "?F",
+            "mode": "cors",
           });
         });
   }, "Same-site fetch");
 
   promise_test(t => {
     return fetch("https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py")
         .then(r => r.json())
         .then(j => {
           assert_header_equals(j, {
             "dest": "empty",
             "site": "cross-site",
-            "user":"?F"
+            "user": "?F",
+            "mode": "cors",
           });
         });
   }, "Cross-site fetch");
+
+  // Mode
+  promise_test(t => {
+    return fetch("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py", {mode: "same-origin"})
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j, {
+            "dest": "empty",
+            "site": "same-origin",
+            "user": "?F",
+            "mode": "same-origin",
+          });
+        });
+  }, "Same-origin mode");
+
+  promise_test(t => {
+    return fetch("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py", {mode: "cors"})
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j, {
+            "dest": "empty",
+            "site": "same-origin",
+            "user": "?F",
+            "mode": "cors",
+          });
+        });
+  }, "CORS mode");
+
+  promise_test(t => {
+    return fetch("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py", {mode: "no-cors"})
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j, {
+            "dest": "empty",
+            "site": "same-origin",
+            "user": "?F",
+            "mode": "no-cors",
+          });
+        });
+  }, "no-CORS mode");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/font.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/font.tentative.https.sub.html
@@ -41,41 +41,41 @@
     }
   </style>
 </body>
 <script>
   document.fonts.ready.then(function () {
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "font-same-origin";
-        let expected = {"dest":"font", "site":"same-origin", "user":"?F"};
+        let expected = {"dest":"font", "site":"same-origin", "user":"?F", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
         });
     }, "Same-Origin font");
 
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "font-same-site";
-        let expected = {"dest":"font", "site":"same-site", "user":"?F"};
+        let expected = {"dest":"font", "site":"same-site", "user":"?F", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
         });
     }, "Same-Site font");
 
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "font-cross-site";
-        let expected = {"dest":"font", "site":"cross-site", "user":"?F"};
+        let expected = {"dest":"font", "site":"cross-site", "user":"?F", "mode": "cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
         });
     }, "Cross-Site font");
 
--- a/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html
@@ -9,17 +9,18 @@
     i.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
     window.addEventListener('message', t.step_func(e => {
       if (e.source != i.contentWindow)
         return;
 
       assert_header_equals(e.data, {
         "dest": "nested-document",
         "site": "same-origin",
-        "user":"?F"
+        "user": "?F",
+        "mode": "navigate"
       });
       t.done();
     }));
 
     document.body.appendChild(i);
   }, "Same-origin iframe");
 
   async_test(t => {
@@ -27,17 +28,18 @@
     i.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
     window.addEventListener('message', t.step_func(e => {
       if (e.source != i.contentWindow)
         return;
 
       assert_header_equals(e.data, {
         "dest": "nested-document",
         "site": "same-site",
-        "user": "?F"
+        "user": "?F",
+        "mode": "navigate"
       });
       t.done();
     }));
 
     document.body.appendChild(i);
   }, "Same-site iframe");
 
   async_test(t => {
@@ -45,16 +47,17 @@
     i.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
     window.addEventListener('message', t.step_func(e => {
       if (e.source != i.contentWindow)
         return;
 
       assert_header_equals(e.data, {
         "dest": "nested-document",
         "site": "cross-site",
-        "user": "?F"
+        "user": "?F",
+        "mode": "navigate"
       });
       t.done();
     }));
 
     document.body.appendChild(i);
   }, "Cross-site iframe");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.sub.html
@@ -9,17 +9,18 @@
     i.src = "http://{{host}}:{{ports[http][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
     window.addEventListener('message', t.step_func(e => {
       if (e.source != i.contentWindow)
         return;
 
       assert_header_equals(e.data, {
         "dest": "",
         "site": "",
-        "user": ""
+        "user": "",
+        "mode": "",
       });
       t.done();
     }));
 
     document.body.appendChild(i);
   }, "Non-secure same-origin iframe => No headers");
 
   async_test(t => {
@@ -27,17 +28,18 @@
     i.src = "http://{{hosts[][www]}}:{{ports[http][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
     window.addEventListener('message', t.step_func(e => {
       if (e.source != i.contentWindow)
         return;
 
       assert_header_equals(e.data, {
         "dest": "",
         "site": "",
-        "user": ""
+        "user": "",
+        "mode": "",
       });
       t.done();
     }));
 
     document.body.appendChild(i);
   }, "Non-secure same-site iframe => No headers");
 
   async_test(t => {
@@ -45,16 +47,17 @@
     i.src = "http://{{hosts[alt][www]}}:{{ports[http][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
     window.addEventListener('message', t.step_func(e => {
       if (e.source != i.contentWindow)
         return;
 
       assert_header_equals(e.data, {
         "dest": "",
         "site": "",
-        "user": ""
+        "user": "",
+        "mode": "",
       });
       t.done();
     }));
 
     document.body.appendChild(i);
   }, "Non-secure cross-site iframe => No headers.");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html
@@ -16,17 +16,18 @@
         "dest": headers["sec-fetch-dest"],
         "mode": headers["sec-fetch-mode"],
         "site": headers["sec-fetch-site"],
         "user": headers["sec-fetch-user"]
         };
         assert_header_equals(got, {
           "dest": "image",
           "site": "same-origin",
-          "user": "?F"
+          "user": "?F",
+          "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
         });
       }),
       [],
       window);
   }, "Same-origin image");
 
   async_test(t => {
     loadImageInWindow(
@@ -37,17 +38,18 @@
         "dest": headers["sec-fetch-dest"],
         "mode": headers["sec-fetch-mode"],
         "site": headers["sec-fetch-site"],
         "user": headers["sec-fetch-user"]
         };
         assert_header_equals(got, {
           "dest": "image",
           "site": "same-site",
-          "user": "?F"
+          "user": "?F",
+          "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
         });
       }),
       [],
       window);
   }, "Same-site image");
 
   async_test(t => {
     loadImageInWindow(
@@ -58,15 +60,16 @@
         "dest": headers["sec-fetch-dest"],
         "mode": headers["sec-fetch-mode"],
         "site": headers["sec-fetch-site"],
         "user": headers["sec-fetch-user"]
         };
         assert_header_equals(got, {
           "dest": "image",
           "site": "cross-site",
-          "user": "?F"
+          "user": "?F",
+          "mode": "cors", // Because `loadImageInWindow` tacks on `crossorigin`
         });
       }),
       [],
       window);
   }, "Cross-site image");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/object.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/object.tentative.https.sub.html
@@ -8,17 +8,17 @@
 <script>
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "object-same-origin";
 
       let e = document.createElement('object');
       e.data = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"object", "site":"same-origin", "user":"?F"};
+        let expected = {"dest":"object", "site":"same-origin", "user":"?F", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
@@ -27,17 +27,17 @@
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "object-same-site";
 
       let e = document.createElement('object');
       e.data = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"object", "site":"same-site", "user":"?F"};
+        let expected = {"dest":"object", "site":"same-site", "user":"?F", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
@@ -46,17 +46,17 @@
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "object-cross-site";
 
       let e = document.createElement('object');
       e.data = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"object", "site":"cross-site", "user":"?F"};
+        let expected = {"dest":"object", "site":"cross-site", "user":"?F", "mode":"no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
--- a/testing/web-platform/tests/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/redirect/cross-site-redirect.tentative.https.sub.html
@@ -7,17 +7,17 @@
 <body></body>
 <script>
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-cross-site-same-origin";
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
       e.onerror = e => {
@@ -33,17 +33,17 @@ promise_test(t => {
   }, "Cross-Site -> Same-Origin redirect");
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-cross-site-same-site";
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
       e.onerror = e => {
@@ -59,17 +59,17 @@ promise_test(t => {
   }, "Cross-Site -> Same-Site redirect");
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-cross-site-cross-site";
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
       e.onerror = e => {
--- a/testing/web-platform/tests/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/redirect/multiple-redirect-cross-site.tentative.https.sub.html
@@ -9,17 +9,17 @@
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-multiple-cross-site";
 
       let e = document.createElement('img');
       e.src = "https://{{host}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-origin
       "https://{{hosts[alt][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// cross-site
       "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;// same-origin
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
--- a/testing/web-platform/tests/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/redirect/multiple-redirect-same-site.tentative.https.sub.html
@@ -9,17 +9,17 @@
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-multiple-same-site";
 
       let e = document.createElement('img');
       e.src = "https://{{host}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-origin
       "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=" +// same-site
       "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;// same-origin
-      let expected = {"dest":"image", "site":"same-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
--- a/testing/web-platform/tests/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/redirect/same-origin-redirect.tentative.https.sub.html
@@ -7,17 +7,17 @@
 <body></body>
 <script>
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-same-origin-same-origin";
 
       let e = document.createElement('img');
       e.src = "/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-origin", "user":"?F"};
+      let expected = {"dest":"image", "site":"same-origin", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
@@ -34,17 +34,17 @@ promise_test(t => {
   }, "Same-Origin -> Same-Origin redirect");
 
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-same-origin-same-site";
 
       let e = document.createElement('img');
       e.src = "/xhr/resources/redirect.py?location=https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
@@ -61,17 +61,17 @@ promise_test(t => {
   }, "Same-Origin -> Same-Site redirect");
 
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-same-origin-cross-site";
 
       let e = document.createElement('img');
       e.src = "/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
--- a/testing/web-platform/tests/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/redirect/same-site-redirect.tentative.https.sub.html
@@ -7,17 +7,17 @@
 <body></body>
 <script>
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-same-site-same-origin";
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
@@ -34,17 +34,17 @@ promise_test(t => {
   }, "Same-Site -> Same-Origin redirect");
 
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-same-site-same-site";
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"same-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"same-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
@@ -61,17 +61,17 @@ promise_test(t => {
   }, "Same-Site -> Same-Site redirect");
 
 promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "redirect-same-site-cross-site";
 
       let e = document.createElement('img');
       e.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/xhr/resources/redirect.py?location=https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
-      let expected = {"dest":"image", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"image", "site":"cross-site", "user":"?F", "mode": "no-cors"};
 
       e.onload = e => {
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
--- a/testing/web-platform/tests/fetch/sec-metadata/report.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/report.tentative.https.sub.html
@@ -17,15 +17,15 @@
     }, name + " report");
   }
 
   test(_ => {
     let counter = 0;
     document.addEventListener("securitypolicyviolation", (e) => {
       counter++;
       if (counter == 3) {
-        generate_test({"dest":"report", "site":"same-origin", "user":"?F"}, "same-origin");
-        generate_test({"dest":"report", "site":"same-site", "user":"?F"}, "same-site");
-        generate_test({"dest":"report", "site":"cross-site", "user":"?F"}, "cross-site");
+        generate_test({"dest":"report", "site":"same-origin", "user":"?F", "mode": "no-cors"}, "same-origin");
+        generate_test({"dest":"report", "site":"same-site", "user":"?F", "mode": "no-cors"}, "same-site");
+        generate_test({"dest":"report", "site":"cross-site", "user":"?F", "mode": "no-cors"}, "cross-site");
       }
     });
   }, "Initialization.");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/resources/helper.js
+++ b/testing/web-platform/tests/fetch/sec-metadata/resources/helper.js
@@ -1,11 +1,10 @@
 function assert_header_equals(value, expected) {
   if (typeof(value) === "string"){
     assert_not_equals(value, "No header has been recorded");
     value = JSON.parse(value);
   }
   assert_equals(value.dest, expected.dest, "dest");
-  // Mode is commented out as no test cases have been filled out yet
-  // assert_equals(value.mode, expected.mode, "mode");
+  assert_equals(value.mode, expected.mode, "mode");
   assert_equals(value.site, expected.site, "site");
   assert_equals(value.user, expected.user, "user");
 }
--- a/testing/web-platform/tests/fetch/sec-metadata/script.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/script.tentative.https.sub.html
@@ -7,40 +7,58 @@
 <script src="https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
 <script>
   test(t => {
     t.add_cleanup(_ => { header = null; });
 
     assert_header_equals(header, {
       "dest": "script",
       "site": "same-origin",
-      "user":"?F"
+      "user": "?F",
+      "mode": "no-cors",
     });
   }, "Same-origin script");
 </script>
 
 <!-- Same-site script -->
 <script src="https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
 <script>
   test(t => {
     t.add_cleanup(_ => { header = null; });
 
     assert_header_equals(header, {
       "dest": "script",
       "site": "same-site",
-      "user":"?F"
+      "user": "?F",
+      "mode": "no-cors",
     });
   }, "Same-site script");
 </script>
 
 <!-- Cross-site script -->
 <script src="https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
 <script>
   test(t => {
     t.add_cleanup(_ => { header = null; });
 
     assert_header_equals(header, {
       "dest": "script",
       "site": "cross-site",
-      "user":"?F"
+      "user": "?F",
+      "mode": "no-cors",
     });
   }, "Cross-site script");
 </script>
+
+<!-- Same-origin script, CORS mode -->
+<script src="https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py" crossorigin="anonymous"></script>
+<script>
+  test(t => {
+    t.add_cleanup(_ => { header = null; });
+
+    assert_header_equals(header, {
+      "dest": "script",
+      "site": "same-origin",
+      "user": "?F",
+      "mode": "cors",
+    });
+  }, "Same-origin CORS script");
+</script>
--- a/testing/web-platform/tests/fetch/sec-metadata/script.tentative.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/script.tentative.sub.html
@@ -7,40 +7,43 @@
 <script src="http://{{host}}:{{ports[http][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
 <script>
   test(t => {
     t.add_cleanup(_ => { header = null; });
 
     assert_header_equals(header, {
       "dest": "",
       "site": "",
-      "user": ""
+      "user": "",
+      "mode": "",
     });
   }, "Non-secure same-origin script => No headers");
 </script>
 
 <!-- Same-site script -->
 <script src="http://{{hosts[][www]}}:{{ports[http][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
 <script>
   test(t => {
     t.add_cleanup(_ => { header = null; });
 
     assert_header_equals(header, {
       "dest": "",
       "site": "",
-      "user": ""
+      "user": "",
+      "mode": "",
     });
   }, "Non-secure same-site script => No headers");
 </script>
 
 <!-- Cross-site script -->
 <script src="http://{{hosts[alt][www]}}:{{ports[http][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
 <script>
   test(t => {
     t.add_cleanup(_ => { header = null; });
 
     assert_header_equals(header, {
       "dest": "",
       "site": "",
-      "user": ""
+      "user": "",
+      "mode": "",
     });
   }, "Non-secure cross-site script => No headers");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/serviceworker.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/serviceworker.tentative.https.sub.html
@@ -30,17 +30,17 @@
   </script>
 </body>
 
 <script>
   function test_same_origin(){
     promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "serviceworker-same-origin";
-      let expected = {"dest":"serviceworker", "site":"same-origin", "user":"?F"};
+      let expected = {"dest":"serviceworker", "site":"same-origin", "user":"?F", "mode": "same-origin"};
       fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
         .then(response => response.text())
         .then(text => assert_header_equals(text, expected))
         .then(_ => resolve())
         .catch(e => reject(e));
       })
     })
   }
--- a/testing/web-platform/tests/fetch/sec-metadata/sharedworker.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/sharedworker.tentative.https.sub.html
@@ -21,17 +21,17 @@
       }
       sharedWorker.port.postMessage("Ready");
     }
 
   function test_same_origin(){
     promise_test(t => {
       return new Promise((resolve, reject) => {
         let key = "sharedworker-same-origin";
-        let expected = {"dest":"sharedworker", "site":"same-origin", "user":"?F"};
+        let expected = {"dest":"sharedworker", "site":"same-origin", "user":"?F", "mode": "same-origin"};
 
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       })
     }, "Same-Origin sharedworker")
--- a/testing/web-platform/tests/fetch/sec-metadata/style.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/style.tentative.https.sub.html
@@ -9,17 +9,17 @@
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "style-same-origin";
 
       let e = document.createElement('link');
       e.rel = "stylesheet";
       e.href = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"style", "site":"same-origin", "user":"?F"};
+        let expected = {"dest":"style", "site":"same-origin", "user":"?F", "mode": "no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
@@ -29,17 +29,17 @@
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "style-same-site";
 
       let e = document.createElement('link');
       e.rel = "stylesheet";
       e.href = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"style", "site":"same-site", "user":"?F"};
+        let expected = {"dest":"style", "site":"same-site", "user":"?F", "mode": "no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
@@ -49,22 +49,43 @@
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "style-cross-site";
 
       let e = document.createElement('link');
       e.rel = "stylesheet";
       e.href = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
       e.onload = e => {
-        let expected = {"dest":"style", "site":"cross-site", "user":"?F"};
+        let expected = {"dest":"style", "site":"cross-site", "user":"?F", "mode": "no-cors"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
 
       document.body.appendChild(e);
     })
   }, "Cross-Site style");
+
+  promise_test(t => {
+    return new Promise((resolve, reject) => {
+      let key = "style-same-origin";
+
+      let e = document.createElement('link');
+      e.rel = "stylesheet";
+      e.href = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=" + key;
+      e.crossOrigin = "anonymous";
+      e.onload = e => {
+        let expected = {"dest":"style", "site":"same-origin", "user":"?F", "mode": "cors"};
+        fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
+          .then(response => response.text())
+          .then(text => assert_header_equals(text, expected))
+          .then(_ => resolve())
+          .catch(e => reject(e));
+      };
+
+      document.body.appendChild(e);
+    })
+  }, "Same-Origin, cors style");
 </script>
 </html>
 
--- a/testing/web-platform/tests/fetch/sec-metadata/track.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/track.tentative.https.sub.html
@@ -24,34 +24,44 @@
   }
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let video = createVideoElement();
       let el = createTrack();
       el.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=track-same-origin";
       el.onload = t.step_func(_ => {
-        expected = {"dest":"track", "site":"same-origin", "user":"?F"};
+        expected = {
+          "dest": "track",
+          "site": "same-origin",
+          "user": "?F",
+          "mode": "cors" // Because the `video` element has `crossorigin`
+        };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=track-same-origin")
             .then(response => response.text())
             .then(text => assert_header_equals(text, expected))
             .then(_ => resolve());
       });
       video.appendChild(el);
       document.body.appendChild(video);
     });
   }, "Same-Origin track");
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let video = createVideoElement();
       let el = createTrack();
       el.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=track-same-site";
       el.onload = t.step_func(_ => {
-        expected = {"dest":"track", "site":"same-site", "user":"?F"};
+        expected = {
+          "dest": "track",
+          "site": "same-site",
+          "user": "?F",
+          "mode": "cors" // Because the `video` element has `crossorigin`
+        };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=track-same-site")
             .then(response => response.text())
             .then(text => assert_header_equals(text, expected))
             .then(resolve)
             .catch(reject);
 
       });
       video.appendChild(el);
@@ -60,20 +70,51 @@
   }, "Same-Site track");
 
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let video = createVideoElement();
       let el = createTrack();
       el.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=track-cross-site";
       el.onload = t.step_func(_ => {
-        expected = {"dest":"track", "site":"cross-site", "user":"?F"};
+        expected = {
+          "dest": "track",
+          "site": "cross-site",
+          "user": "?F",
+          "mode": "cors" // Because the `video` element has `crossorigin`
+        };
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=track-cross-site")
             .then(response => response.text())
             .then(text => assert_header_equals(text, expected))
             .then(resolve)
             .catch(reject);
       });
       video.appendChild(el);
       document.body.appendChild(video);
     });
   }, "Cross-Site track");
+
+  promise_test(t => {
+    return new Promise((resolve, reject) => {
+      let video = createVideoElement();
+
+      // Unset `crossorigin` to change the CORS mode:
+      video.crossOrigin = undefined;
+
+      let el = createTrack();
+      el.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/record-header.py?file=track-same-origin";
+      el.onload = t.step_func(_ => {
+        expected = {
+          "dest":"track",
+          "site":"same-origin",
+          "user":"?F",
+          "mode": "same-origin"
+        };
+        fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=track-same-origin")
+            .then(response => response.text())
+            .then(text => assert_header_equals(text, expected))
+            .then(_ => resolve());
+      });
+      video.appendChild(el);
+      document.body.appendChild(video);
+    });
+  }, "Same-Origin, CORS track");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/window-open.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/window-open.tentative.https.sub.html
@@ -12,49 +12,52 @@
     t.add_cleanup(_ => w.close());
     window.addEventListener('message', t.step_func(e => {
       if (e.source != w)
         return;
 
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "same-origin",
-        "user":"?F"
+        "user": "?F",
+        "mode": "navigate",
       });
       t.done();
     }));
   }, "Same-origin window, forced");
 
   async_test(t => {
     let w = window.open("https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
     t.add_cleanup(_ => w.close());
     window.addEventListener('message', t.step_func(e => {
       if (e.source != w)
         return;
 
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "same-site",
-        "user":"?F"
+        "user": "?F",
+        "mode": "navigate",
       });
       t.done();
     }));
   }, "Same-site window, forced");
 
   async_test(t => {
     let w = window.open("https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
     t.add_cleanup(_ => w.close());
     window.addEventListener('message', t.step_func(e => {
       if (e.source != w)
         return;
 
       assert_header_equals(e.data, {
         "dest": "document",
         "site": "cross-site",
-        "user":"?F"
+        "user": "?F",
+        "mode": "navigate",
       });
       t.done();
     }));
   }, "Cross-site window, forced");
 
   // User-activated navigations:
   async_test(t => {
     let b = document.createElement('button');
@@ -63,17 +66,18 @@
       t.add_cleanup(_ => w.close());
       window.addEventListener('message', t.step_func(e => {
         if (e.source != w)
           return;
 
         assert_header_equals(e.data, {
           "dest": "document",
           "site": "same-origin",
-          "user": "?T"
+          "user": "?T",
+          "mode": "navigate",
         });
         t.done();
       }));
     });
     document.body.appendChild(b);
     test_driver.click(b);
   }, "Same-origin window, user-activated");
 
@@ -84,17 +88,18 @@
       t.add_cleanup(_ => w.close());
       window.addEventListener('message', t.step_func(e => {
         if (e.source != w)
           return;
 
         assert_header_equals(e.data, {
           "dest": "document",
           "site": "same-site",
-          "user": "?T"
+          "user": "?T",
+          "mode": "navigate",
         });
         t.done();
       }));
     });
     document.body.appendChild(b);
     test_driver.click(b);
   }, "Same-site window, user-activated");
 
@@ -105,17 +110,18 @@
       t.add_cleanup(_ => w.close());
       window.addEventListener('message', t.step_func(e => {
         if (e.source != w)
           return;
 
         assert_header_equals(e.data, {
           "dest": "document",
           "site": "cross-site",
-          "user": "?T"
+          "user": "?T",
+          "mode": "navigate",
         });
         t.done();
       }));
     });
     document.body.appendChild(b);
     test_driver.click(b);
   }, "Cross-site window, user-activated");
 </script>
--- a/testing/web-platform/tests/fetch/sec-metadata/worker.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/worker.tentative.https.sub.html
@@ -5,17 +5,17 @@
 <script src=/resources/testharnessreport.js></script>
 <script src=/fetch/sec-metadata/resources/helper.js></script>
 <script>
   promise_test(t => {
     return new Promise((resolve, reject) => {
       let key = "worker-same-origin";
       let w = new Worker("/fetch/sec-metadata/resources/record-header.py?file=" + key);
       w.onmessage = e => {
-        let expected = {"dest":"worker", "site":"same-origin", "user":"?F"};
+        let expected = {"dest":"worker", "site":"same-origin", "user":"?F", "mode": "same-origin"};
         fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=" + key)
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected))
           .then(_ => resolve())
           .catch(e => reject(e));
       };
     });
   }, "Same-Origin worker");
--- a/testing/web-platform/tests/fetch/sec-metadata/xslt.tentative.https.sub.html
+++ b/testing/web-platform/tests/fetch/sec-metadata/xslt.tentative.https.sub.html
@@ -7,31 +7,31 @@
 <script>
   // Open a window with XML document which loads resources via <?xml-stylesheet/> tag
   let w = window.open("resources/xslt-test.sub.xml");
   window.addEventListener('message', function(e) {
     if (e.source != w)
       return;
 
     promise_test(t => {
-      let expected = {"dest":"xslt", "site":"same-origin", "user":"?F"};
+      let expected = {"dest":"xslt", "site":"same-origin", "user":"?F", "mode": "same-origin"};
       return fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=xslt-same-origin")
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected));
     }, "Same-Origin xslt");
 
     promise_test(t => {
-      let expected = {"dest":"xslt", "site":"same-site", "user":"?F"};
+      let expected = {"dest":"xslt", "site":"same-site", "user":"?F", "mode": "no-cors"};
       return fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=xslt-same-site")
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected));
     }, "Same-site xslt");
 
     promise_test(t => {
-      let expected = {"dest":"xslt", "site":"cross-site", "user":"?F"};
+      let expected = {"dest":"xslt", "site":"cross-site", "user":"?F", "mode": "no-cors"};
       return fetch("/fetch/sec-metadata/resources/record-header.py?retrieve=true&file=xslt-cross-site")
           .then(response => response.text())
           .then(text => assert_header_equals(text, expected));
     }, "Cross-site xslt");
 
     w.close();
   });